Closed torredil closed 1 month ago
File | Old Coverage | New Coverage | Delta |
---|---|---|---|
github.com/kubernetes-sigs/aws-ebs-csi-driver/pkg/util/util.go | 55.6% | 62.3% | 6.7 |
/retest
Manually tested by following these steps:
Set controller.logLevel
= 4.
Give the external provisioner ClusterRole permissions to get secrets:
- apiGroups: [ "" ]
resources: [ "secrets" ]
verbs: [ "get", "list", "watch" ]
Apply the following secret via kubectl apply -f
:
apiVersion: v1
kind: Secret
metadata:
name: mysecret
namespace: kube-system
type: Opaque
data:
username: dXNlcm5hbWU=
password: cGFzc3dvcmQ=
Dynamically provision a volume with the following StorageClass:
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: ebs-sc
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer
parameters:
csi.storage.k8s.io/provisioner-secret-name: mysecret
csi.storage.k8s.io/provisioner-secret-namespace: kube-system
With this change, the secret is not logged.
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: ConnorJC3
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Is this a bug fix or adding new feature?
Security enhancement
What is this PR about? / Why do we need it?
The EBS CSI Driver does not support Token Requests , however - out of an abundance of caution - this PR addresses the potential vulnerability of sensitive information being logged inadvertently.
The main change is adding a new utility function
SanitizeRequest
that takes a request object and returns a copy of the request with the "Secrets" field cleared. This function creates a new instance of the same type as the input request, copies all the fields from the original request to the new instance, and sets the "Secrets" field to an empty map if it exists.What testing is done?
make verify && make test