kubernetes-sigs / aws-ebs-csi-driver

CSI driver for Amazon EBS https://aws.amazon.com/ebs/
Apache License 2.0
940 stars 774 forks

Sanitize CSI RPC request logs #2037

Closed torredil closed 1 month ago

torredil commented 1 month ago

Is this a bug fix or adding new feature?

Security enhancement

What is this PR about? / Why do we need it?

The EBS CSI Driver does not support Token Requests; however, out of an abundance of caution, this PR addresses the potential vulnerability of sensitive information being logged inadvertently.

The main change is adding a new utility function SanitizeRequest that takes a request object and returns a copy of the request with the "Secrets" field cleared. This function creates a new instance of the same type as the input request, copies all the fields from the original request to the new instance, and sets the "Secrets" field to an empty map if it exists.

What testing is done?

github-actions[bot] commented 1 month ago

Code Coverage Diff

| File | Old Coverage | New Coverage | Delta |
|---|---|---|---|
| github.com/kubernetes-sigs/aws-ebs-csi-driver/pkg/util/util.go | 55.6% | 62.3% | 6.7 |

torredil commented 1 month ago

/retest

torredil commented 1 month ago

Manually tested by following these steps:

  1. Set controller.logLevel = 4.

  2. Give the external provisioner ClusterRole permissions to get secrets:

    - apiGroups: [ "" ]
      resources: [ "secrets" ]
      verbs: [ "get", "list", "watch" ]

  3. Apply the following secret via kubectl apply -f:

    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret
      namespace: kube-system
    type: Opaque
    data:
      username: dXNlcm5hbWU=
      password: cGFzc3dvcmQ=

  4. Dynamically provision a volume with the following StorageClass:

    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: ebs-sc
    provisioner: ebs.csi.aws.com
    volumeBindingMode: WaitForFirstConsumer
    parameters:
      csi.storage.k8s.io/provisioner-secret-name: mysecret
      csi.storage.k8s.io/provisioner-secret-namespace: kube-system

With this change, the secret is not logged.

ConnorJC3 commented 1 month ago

/approve

k8s-ci-robot commented 1 month ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ConnorJC3

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/OWNERS)~~ [ConnorJC3]

Approvers can indicate their approval by writing `/approve` in a comment

Approvers can cancel approval by writing `/approve cancel` in a comment