Hi, apologies if this is the wrong place for this issue, if it is please let me know.
We have created a tekton task which includes the following configuration to obtain a secret from a K8s secret, set it as an environment variable and use it in the script/command activity in the task.
```yaml
envFrom:
  - secretRef:
      name: $(params.creds-secret-name)
```
The concern I have is that in the Tekton logs for the pod, and therefore displayed via Tekton dashboard as well, we see the plaintext secret in the script/command.
I haven't been able to spot in the documentation how to ensure this isn't shown. Any assistance would be greatly appreciated, thank you.
Matt
Thanks for the report. That shouldn't be happening. Can you isolate the log lines to specific container / step names? Is it Task-specific or happening with every run?
Hi, it's for all tasks I am performing. This is an example of one of the tasks, wherein we perform a Dependency Check scan.
```yaml
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: depcheck-scan
spec:
  params:
    - name: depcheck-creds-secret-name
      description: name of secret containing depcheck user creds
      default: depcheck-details
    - name: depcheck-configmap-name
      description: url of depcheck postgres service in the cluster
      default: depcheck-configmap
  ...
  ...lines omitted as not relevant
  ...
    - name: scan-code
      envFrom:
        - secretRef:
            name: $(params.depcheck-creds-secret-name)
        - configMapRef:
            name: $(params.depcheck-configmap-name)
      image: '<my_repo>/<my_namespace>/dependency-check:6.0.2'
      resources: {}
      script: |
        rm -rf /workspace/dependency
        sh /usr/share/dependency-check/bin/dependency-check.sh --scan \
          /workspace/git-source/$(params.pathToContext) --format XML \
          --dbDriverName=org.postgresql.Driver --dbPassword=$DEPENDENCYCHECK_PASSWORD \
          --dbUser=$DEPENDENCYCHECK_USER --connectionString=$DEPENDENCYCHECK_URL \
          --project $(inputs.resources.git-source.revision) --out /workspace/dependency \
          --noupdate --disableRetireJS
```
The logs show:
```text
+ rm -rf /workspace/dependency
+ sh /usr/share/dependency-check/bin/dependency-check.sh --scan /workspace/git-source/. --format XML '--dbDriverName=org.postgresql.Driver' '--dbPassword=<shows_actual_password>' '--dbUser=<shows_actual_user>' '--connectionString=jdbc:postgresql://<shows_actual_URL>:5432/depcheck_db' --project master --out /workspace/dependency --noupdate --disableRetireJS
[INFO]
Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
```
(I've obviously removed the password, user and URL values in the log output above)
The secret is configured as follows:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: depcheck-details
type: Opaque
stringData:
  DEPENDENCYCHECK_USER: <user_here>
  DEPENDENCYCHECK_PASSWORD: <password_here>
```
ConfigMap is:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: depcheck-configmap
data:
  DEPENDENCYCHECK_URL: jdbc:postgresql://<POSTGRES_URL>:5432/depcheck_db
```
We are using Tekton versions as follows:
Running this on OpenShift 4.3.35_1539 on IBM Cloud.
@namloc2001 that's to be expected: this is bash and `set -x` at work; there is not too much Tekton can do here. What you can do, though, is disable `set -x`, either locally or for the whole script:

```yaml
script: |
  #!/usr/bin/env bash
  rm -rf /workspace/dependency
  sh /usr/share/dependency-check/bin/dependency-check.sh --scan \
    /workspace/git-source/$(params.pathToContext) --format XML \
    --dbDriverName=org.postgresql.Driver --dbPassword=$DEPENDENCYCHECK_PASSWORD \
    --dbUser=$DEPENDENCYCHECK_USER --connectionString=$DEPENDENCYCHECK_URL \
    --project $(inputs.resources.git-source.revision) --out /workspace/dependency \
    --noupdate --disableRetireJS
```
or
```yaml
script: |
  rm -rf /workspace/dependency
  set +x
  sh /usr/share/dependency-check/bin/dependency-check.sh --scan \
    /workspace/git-source/$(params.pathToContext) --format XML \
    --dbDriverName=org.postgresql.Driver --dbPassword=$DEPENDENCYCHECK_PASSWORD \
    --dbUser=$DEPENDENCYCHECK_USER --connectionString=$DEPENDENCYCHECK_URL \
    --project $(inputs.resources.git-source.revision) --out /workspace/dependency \
    --noupdate --disableRetireJS
  set -x
```
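Why the two suggestions above work, and what they do not cover, as an added example that is not part of the thread or of Tekton itself. Tekton prepends `#!/bin/sh` and `set -xe` to a `script:` only when the script has no shebang line of its own, so supplying `#!/usr/bin/env bash` drops both the tracing (`-x`) and the fail-fast (`-e`) behaviour; if you take that route, add `set -e` yourself. Bracketing the sensitive command with `set +x` / `set -x` keeps the rest of the trace. Neither approach removes the secret from the process's argument list, which anyone who can run `ps` or read `/proc/<pid>/cmdline` inside the pod can still see; they only keep it out of the pod log. The script below (plain POSIX sh, with a constructed password and a stand-in for `dependency-check.sh`) reproduces the leak, shows the `set +x` guard, and adds a small log-side redaction filter as defence in depth for log forwarding. `fake_scanner`, `trace_leaky`, `trace_guarded`, `redact_log` and `contains_secret` are names chosen here, not Tekton or Dependency-Check functions.

```shell
#!/bin/sh
# Added example: how `set -x` leaks an env-var secret into a step's log,
# the `set +x` guard from the thread, and a log-side redaction filter.
# Not part of the original issue or of Tekton. Runs under plain /bin/sh.

# Constructed stand-ins for the values that envFrom/secretRef would inject.
DEPENDENCYCHECK_PASSWORD='s3cret-pass'
DEPENDENCYCHECK_USER='depcheck'

# Stand-in for dependency-check.sh: accepts the same flags, does nothing.
fake_scanner() { :; }

# Mirrors Tekton's default wrapper (`set -xe` before the script body):
# every expanded command, secret included, is echoed to stderr, which is
# what the pod log (and therefore the dashboard) shows.
trace_leaky() {
    ( set -x
      fake_scanner --dbPassword="$DEPENDENCYCHECK_PASSWORD" --dbUser="$DEPENDENCYCHECK_USER"
    ) 2>&1
}

# Mitigation from the thread: switch tracing off around the sensitive
# command. The `set +x` line itself is still traced ("+ set +x"), but the
# command that follows it, and its expanded arguments, are not.
trace_guarded() {
    ( set -x
      set +x
      fake_scanner --dbPassword="$DEPENDENCYCHECK_PASSWORD" --dbUser="$DEPENDENCYCHECK_USER"
      set -x
    ) 2>&1
}

# Defence in depth (not a Tekton feature): mask a known secret value in log
# text before it is stored or forwarded. Reads stdin, writes stdout.
# Assumes the secret contains no sed metacharacters or '/'; escape it first
# if yours does. Short or common values over-redact, so apply this only to
# values that are genuinely secret.
redact_log() {
    sed -e "s/$DEPENDENCYCHECK_PASSWORD/<redacted>/g"
}

# Exit 0 if the output of the named function contains the password.
contains_secret() {
    "$1" | grep -q -- "$DEPENDENCYCHECK_PASSWORD"
}

main() {
    echo "--- traced (leaks the password) ---"
    trace_leaky
    echo "--- guarded with set +x ---"
    trace_guarded
    echo "--- traced, then redacted ---"
    trace_leaky | redact_log
}

main "$@"
```

Run it as `sh leak-demo.sh`; the first section prints the expanded `fake_scanner` line with the password in clear, the second prints only `+ set +x`, and the third prints the traced line with `<redacted>` in place of the password.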
Thanks, @vdemeester. I'll use set +x and set -x, just wanted to make sure I wasn't missing particular Tekton functionality that blocked plaintext secrets being played back in logs/dashboard. Cheers.
> just wanted to make sure I wasn't missing particular Tekton functionality that blocked plaintext secrets being played back in logs/dashboard.

Yeah, Tekton cannot do too much here: the logs are Kubernetes pod logs, so even if the dashboard blocked them somehow, anyone able to get logs from the pods would see them.
I don't think there's much we can do today, but we might be able to do more in the future. I opened https://github.com/tektoncd/pipeline/issues/3373 to track one idea to redact secrets from logs automatically, but I'd love more feedback on it.