Enhancements: Kubernetes system components logs sanitization

Created on 8 May 2020  ·  31 Comments  ·  Source: kubernetes/enhancements

Enhancement Description

  • One-line enhancement description: Introduce a logging filter which could be applied to all Kubernetes system components logs to prevent various types of sensitive information from leaking via logs
  • Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/blob/master/keps/sig-instrumentation/1753-logs-sanitization
  • Primary contact (assignee): @44past4
  • Responsible SIGs: sig-instrumentation
  • Enhancement target (which target equals to which milestone):

    • Alpha release target (1.20)
    • Beta release target (1.21)
    • Stable release target (1.22)

Labels: kind/feature, kind/kep, sig/instrumentation, stage/alpha, tracked/yes, wg/security-audit

All 31 comments

/sig intrumentation

@44past4: The label(s) sig/intrumentation cannot be applied, because the repository doesn't have them

In response to this:

/sig intrumentation

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

/sig instrumentation

/kind kep
/kind feature

Hey there @44past4 -- 1.19 Enhancements Lead here. I wanted to check in and see if you think this Enhancement will be graduating to Alpha in 1.19?

In order to have this part of the release:

  1. The KEP PR must be merged in an implementable state
  2. The KEP must have test plans
  3. The KEP must have graduation criteria.

As an additional note, https://github.com/kubernetes/enhancements/pull/1620 merged recently, adding production readiness review questions to the KEP template. We are not making it mandatory for the 1.19 release cycle, but it would be great if the PRR questionnaire is filled since the KEP PR is in flight.

If you do, I'll add it to the 1.19 tracking sheet (http://bit.ly/k8s-1-19-enhancements). Once coding begins please list all relevant k/k PRs in this issue so they can be tracked properly. 👍

Thanks! :slightly_smiling_face:


The current release schedule is:

  • Monday, April 13: Week 1 - Release cycle begins
  • Tuesday, May 19: Week 6 - Enhancements Freeze
  • Thursday, June 25: Week 11 - Code Freeze
  • Thursday, July 9: Week 14 - Docs must be completed and reviewed
  • Tuesday, August 4: Week 17 - Kubernetes v1.19.0 released

Hi @44past4 ,

Tomorrow, Tuesday May 19 EOD Pacific Time is Enhancements Freeze

Will this enhancement be part of the 1.19 release cycle?

@44past4 -- Unfortunately, the deadline for the 1.19 Enhancement freeze has passed. For now, this is being removed from the milestone and 1.19 tracking sheet. If there is a need to get this in, please file an enhancement exception.

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

/remove-lifecycle stale

Hi @44past4

Enhancements Lead here. Any plans for this in 1.20?

Thanks!
Kirsten

Yes, we plan to work on this in 1.20.

/milestone v1.20

Thanks @44past4

Also, as a reminder to be included in a release:

I've also updated the description to link directly to the merged KEP.

Best,
Kirsten

/wg security-audit

Hey @44past4 - 1.20 Enhancements Shadow here 👋

Just a friendly reminder, Enhancements Freeze is October 6th and if this KEP is intended for the 1.20 release, it still needs the following:

@44past4 please ensure you have opened a PR to address the above so this can be reviewed and merged by the enhancements freeze deadline, Oct. 6.

As a reminder, Enhancements Freeze deadline is Tomorrow October 6th EOD PST.

The related PR has merged: #2052

@kikisdeliveryservice @MorrisLaw Can you confirm that this Enhancement fulfills all requirements needed to be tracked for 1.20 release?

@serathius yes it does and we are tracking the enhancement :smile:

Hi @serathius ,

Since your Enhancement is scheduled to be in 1.20, please keep in mind the important upcoming dates:
Friday, Nov 6th: Week 8 - Docs Placeholder PR deadline
Thursday, Nov 12th: Week 9 - Code Freeze

As a reminder, please link all of your k/k PRs as well as docs PRs to this issue so we can track them.

Regards,
Jeremy

Hello @44past4, 1.20 Docs shadow here 👋🏽.
Does this enhancement work planned for 1.20 require any new docs or modification to existing docs?

If so, please follow the steps here to open a PR against the dev-1.20 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Nov 6th.

Also take a look at Documenting for a release to get yourself familiarized with the docs requirements for the release.
Thank you!

As part of Alpha we would like to start tagging fields storing sensitive data in Kubernetes structures. Goal for 1.20 is to do first scan and introduce as many tags as possible.

List of PRs adding tags finished for 1.20:

Some tags will require more discussion and will be continued in 1.21 during Beta.

@SomtochiAma @MorrisLaw I will file a placeholder PR tomorrow. Thanks for the reminder.

Hi @serathius

The docs placeholder deadline is almost here. Please make sure to create a placeholder PR against the dev-1.20 branch in the k/website before the deadline

Also, please keep in mind the important upcoming dates:

Thank you!

Placeholder PR created: https://github.com/kubernetes/website/pull/24845, thanks for the reminder.

Thank you @serathius 🥳

Hi @serathius @44past4

The code freeze deadline is almost here. Are these the remaining PRs needed for the 1.20 milestone: https://github.com/kubernetes/enhancements/issues/1753#issuecomment-718923925 ? Will they be merged in by the code freeze deadline?

Also, please keep in mind the important upcoming dates:

  • Thursday, Nov 12th: Week 9 - Code Freeze
  • Monday, Nov 23rd: Week 11 - Docs PR Ready for Review

Thank you!

@MorrisLaw For 1.20 we would like to have implementation of sanitization finished. PRs needed:

PRs mentioned in https://github.com/kubernetes/enhancements/issues/1753#issuecomment-718923925 are not part of core feature we are introducing, but part of the security improvements based on this effort. This work was started in 1.20, but will continue in 1.21. I split the list by milestone that they are planned to be finished. I will also remove milestones from PRs themselves

Hey, @serathius thank you for your work on this!

Can you please make a PR to update the graduation criteria for Beta (1.21) to include a bullet point describing the planned work to finish adding the data-policy tags?

Hello

As I understand it, this change still needs documenting. There's a placeholder for the documentation update(s) at https://github.com/kubernetes/website/pull/24845.
