crossplane-contrib / provider-kubernetes

Crossplane provider to provision and manage Kubernetes objects on (remote) Kubernetes clusters.
Apache License 2.0

Secrets data leaked into logs. #250

Open mad01 opened 6 months ago

mad01 commented 6 months ago

What happened?

When creating a secret, the data for the secret will be leaked into the debug-level logs. (The log output is dummy data, so no worries that it's in the issue.) (I have made the secret bold so it's easier to see.)

```
2024-05-21T15:28:05.996+0200 DEBUG provider-kubernetes Observing {"resource": {"kind":"Object","apiVersion":"kubernetes.crossplane.io/v1alpha2","metadata":{"name":"secretpatch","uid":"d4213d87-a666-4287-994f-f75199cf7135","resourceVersion":"1161","generation":3,"creationTimestamp":"2024-05-21T13:28:04Z","annotations":{"crossplane.io/external-create-pending":"2024-05-21T15:28:04+02:00","crossplane.io/external-create-succeeded":"2024-05-21T15:28:04+02:00","crossplane.io/external-name":"secretpatch","kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"kubernetes.crossplane.io/v1alpha2\",\"kind\":\"Object\",\"metadata\":{\"annotations\":{},\"name\":\"secretpatch\"},\"spec\":{\"forProvider\":{\"manifest\":{\"apiVersion\":\"v1\",\"data\":{},\"kind\":\"Secret\",\"metadata\":{\"namespace\":\"default\"}}},\"providerConfigRef\":{\"name\":\"kubernetes-provider\"},\"references\":[{\"patchesFrom\":{\"apiVersion\":\"v1\",\"fieldPath\":\"data.sensitive\",\"kind\":\"Secret\",\"name\":\"secretpatch\",\"namespace\":\"crossplane-system\"},\"toFieldPath\":\"data.key-from-secret\"}]}}\n"},"finalizers":["finalizer.managedresource.crossplane.io"],"managedFields":[{"manager":"kubectl-client-side-apply","operation":"Update","apiVersion":"kubernetes.crossplane.io/v1alpha2","time":"2024-05-21T13:28:04Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:spec":{".":{},"f:deletionPolicy":{},"f:forProvider":{".":{},"f:manifest":{".":{},"f:apiVersion":{},"f:data":{},"f:kind":{},"f:metadata":{".":{},"f:namespace":{}}}},"f:managementPolicies":{},"f:providerConfigRef":{".":{},"f:name":{}},"f:references":{},"f:watch":{}}}},{"manager":"main","operation":"Update","apiVersion":"kubernetes.crossplane.io/v1alpha2","time":"2024-05-21T13:28:04Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{"f:crossplane.io/external-create-pending":{},"f:crossplane.io/external-create-succeeded":{},"f:crossplane.io/external-name":{}},"f:finalizers":{".":{},"v:\"finalizer.managedresource.crossplane.io\"":{}}},"f:spec":{"f:forProvider":{"f:manifest":{"f:data":{"f:key-from-secret":{}}}},"f:readiness":{".":{},"f:policy":{}}}}},{"manager":"main","operation":"Update","apiVersion":"kubernetes.crossplane.io/v1alpha2","time":"2024-05-21T13:28:05Z","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:atProvider":{".":{},"f:manifest":{".":{},"f:apiVersion":{},"f:data":{".":{},"f:redacted":{}},"f:kind":{},"f:metadata":{".":{},"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}},"f:creationTimestamp":{},"f:managedFields":{},"f:name":{},"f:namespace":{},"f:resourceVersion":{},"f:uid":{}},"f:type":{}}},"f:conditions":{".":{},"k:{\"type\":\"Ready\"}":{".":{},"f:lastTransitionTime":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Synced\"}":{".":{},"f:lastTransitionTime":{},"f:reason":{},"f:status":{},"f:type":{}}}}},"subresource":"status"}]},"spec":{"providerConfigRef":{"name":"kubernetes-provider"},"managementPolicies":["*"],"deletionPolicy":"Delete","forProvider":{"manifest":{"apiVersion":"v1","data":{"key-from-secret":"cGFzc3dvcmQ="},"kind":"Secret","metadata":{"namespace":"default"}}},"references":[{"patchesFrom":{"apiVersion":"v1","kind":"Secret","name":"secretpatch","namespace":"crossplane-system","fieldPath":"data.sensitive"},"toFieldPath":"data.key-from-secret"}],"readiness":{"policy":"SuccessfulCreate"}},"status":{"conditions":[{"type":"Ready","status":"True","lastTransitionTime":"2024-05-21T13:28:05Z","reason":"Available"},{"type":"Synced","status":"True","lastTransitionTime":"2024-05-21T13:28:04Z","reason":"ReconcileSuccess"}],"atProvider":{"manifest":{"apiVersion":"v1","data":{"redacted":null},"kind":"Secret","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"data\":{\"key-from-secret\":\"cGFzc3dvcmQ=\"},\"kind\":\"Secret\",\"metadata\":{\"namespace\":\"default\"}}"},"creationTimestamp":"2024-05-21T13:28:04Z","managedFields":[{"apiVersion":"v1","fieldsType":"FieldsV1","fieldsV1":{"f:data":{".":{},"f:key-from-secret":{}},"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:type":{}},"manager":"main","operation":"Update","time":"2024-05-21T13:28:04Z"}],"name":"secretpatch","namespace":"default","resourceVersion":"1157","uid":"fbc2356a-4b4b-4baf-a3e4-8dec5ffa0cf3"},"type":"Opaque"}}}}}
```

How can we reproduce it?

  1. Start by starting the controller with `--debug`.
  2. Create the following resources:

```yaml
---
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: secretpatch
spec:
  references:
  - patchesFrom:
      apiVersion: v1
      kind: Secret
      name: secretpatch
      namespace: crossplane-system
      fieldPath: data.sensitive
    toFieldPath: data.key-from-secret
  forProvider:
    manifest:
      apiVersion: v1
      kind: Secret
      metadata:
        namespace: default
      data: {}
  providerConfigRef:
    name: kubernetes-provider
---
apiVersion: v1
kind: Secret
metadata:
  name: secretpatch
  namespace: crossplane-system
type: Opaque
data:
  sensitive: cGFzc3dvcmQ=
```

  3. When looking at the console/terminal where stdout is written for the controller, we can see that the base64 secret is in the logs. The example in the above step is used to get the logs that are in this issue.
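As an added example (not code from the provider-kubernetes project or from the reporter), the following Go program shows the defensive pattern a fix for this report would take: sanitize the object before it reaches the debug logger, rather than trusting log levels to keep `Secret` payloads out of stdout. It assumes a hypothetical `RedactSecretJSON` helper and feeds it a constructed, trimmed-down copy of the Object from the log above, in which the payload `cGFzc3dvcmQ=` appears both in `spec.forProvider.manifest` and again inside the `last-applied-configuration` annotation of the observed Secret under `status.atProvider`. The redaction walks the whole document and also parses JSON embedded in string values, so the annotation copy is caught as well; `LeaksValue` is the regression check a test of the logging path can run.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const marker = "[REDACTED]"

// redactValue walks a decoded JSON document. Whenever it finds an object whose
// "kind" is "Secret", the values of that object's "data" and "stringData" maps
// are replaced with marker. String values that themselves hold a JSON object
// (for example the kubectl last-applied-configuration annotation) are parsed,
// redacted recursively and re-encoded, so copies of the Secret embedded in
// annotations do not slip through.
func redactValue(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		isSecret := t["kind"] == "Secret"
		for k, child := range t {
			if isSecret && (k == "data" || k == "stringData") {
				if m, ok := child.(map[string]interface{}); ok {
					for dk := range m {
						m[dk] = marker // keep the key names, drop the values
					}
					continue
				}
			}
			t[k] = redactValue(child)
		}
		return t
	case []interface{}:
		for i := range t {
			t[i] = redactValue(t[i])
		}
		return t
	case string:
		if strings.HasPrefix(strings.TrimSpace(t), "{") {
			var nested map[string]interface{}
			if err := json.Unmarshal([]byte(t), &nested); err == nil {
				if b, err := json.Marshal(redactValue(nested)); err == nil {
					return string(b)
				}
			}
		}
		return t
	default:
		return v
	}
}

// RedactSecretJSON (hypothetical helper) takes the JSON of a Kubernetes object,
// here a provider-kubernetes Object wrapping a Secret, and returns the same JSON
// with every Secret payload blanked out, ready to hand to a debug logger.
func RedactSecretJSON(raw string) (string, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &doc); err != nil {
		return "", fmt.Errorf("decode object: %w", err)
	}
	out, err := json.Marshal(redactValue(doc))
	if err != nil {
		return "", fmt.Errorf("encode object: %w", err)
	}
	return string(out), nil
}

// LeaksValue reports whether a log line still carries a sensitive value
// verbatim; a test of the logging path can assert it returns false.
func LeaksValue(logLine, sensitive string) bool {
	return strings.Contains(logLine, sensitive)
}

// sampleObject is a constructed, trimmed-down copy of the Object from the
// issue's debug log. The payload "cGFzc3dvcmQ=" sits in spec.forProvider.manifest
// and again inside the last-applied-configuration annotation under status.
const sampleObject = `{"kind":"Object","apiVersion":"kubernetes.crossplane.io/v1alpha2",
"metadata":{"name":"secretpatch"},
"spec":{"forProvider":{"manifest":{"apiVersion":"v1","kind":"Secret",
"metadata":{"namespace":"default"},"data":{"key-from-secret":"cGFzc3dvcmQ="}}}},
"status":{"atProvider":{"manifest":{"apiVersion":"v1","kind":"Secret",
"metadata":{"namespace":"default","annotations":{"kubectl.kubernetes.io/last-applied-configuration":
"{\"apiVersion\":\"v1\",\"data\":{\"key-from-secret\":\"cGFzc3dvcmQ=\"},\"kind\":\"Secret\",\"metadata\":{\"namespace\":\"default\"}}"}},
"data":{"redacted":null},"type":"Opaque"}}}}`

func main() {
	redacted, err := RedactSecretJSON(sampleObject)
	if err != nil {
		panic(err)
	}
	fmt.Println("Observing", redacted)
	fmt.Println("still leaks base64 payload:", LeaksValue(redacted, "cGFzc3dvcmQ="))
}
```

Only objects with `kind: Secret` are touched, so a `ConfigMap`'s `data` still logs in full; key names are preserved so the log remains useful for debugging which fields were patched, which is the information the reporter's `references`/`patchesFrom` setup actually needs.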
grafanalf commented 1 month ago

Are you running the provider with debugging enabled?

It seems to me that you are. And if debugging is disabled, what happens?

mad01 commented 1 month ago

This is too long ago for me to remember these details.