From ac65615e54c6ddb1824ee33d8362117209f23c20 Mon Sep 17 00:00:00 2001
From: I574614
Date: Fri, 30 Aug 2024 08:28:02 +0200
Subject: [PATCH 1/3] fix(audit-logs): Redact secret data

---
 pkg/admission/utils.go | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/pkg/admission/utils.go b/pkg/admission/utils.go
index b3b11529f..2bea7ee6a 100644
--- a/pkg/admission/utils.go
+++ b/pkg/admission/utils.go
@@ -5,7 +5,9 @@ package admission
 
 import (
 	"context"
+	"encoding/json"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -109,6 +111,30 @@ func logAdmissionRequest(ctx context.Context) {
 	admissionRequest, err := admission.RequestFromContext(ctx)
 	if err != nil {
 		return
+
+	}
+	// Redact secret data from the log
+	if admissionRequest.Kind.Kind == "Secret" {
+		admissionRequest.Object.Raw = redactRawObject(admissionRequest.Object.Raw)
+		admissionRequest.OldObject.Raw = redactRawObject(admissionRequest.OldObject.Raw)
 	}
 	ctrl.Log.Info("AdmissionRequest", "Request", admissionRequest)
 }
+
+// redactRawObject redacts secret data and annotations from the raw object
+func redactRawObject(rawObject []byte) []byte {
+	// Redact secret data from the log
+	secret := corev1.Secret{}
+	err := json.Unmarshal(rawObject, &secret)
+	if err == nil {
+		// delete annotations as they might have the last applied configuration
+		secret.Annotations = nil
+		// redact all secret data entries
+		for key := range secret.Data {
+			secret.Data[key] = []byte("REDACTED")
+		}
+		secretJson, _ := json.Marshal(secret)
+		return secretJson
+	}
+	return rawObject
+}

From 0514b443d8b94a0746af09e1608ba99702dfdbf6 Mon Sep 17 00:00:00 2001
From: I574614
Date: Fri, 30 Aug 2024 09:41:53 +0200
Subject: [PATCH 2/3] Fix linting

---
 pkg/admission/utils.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
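Review bot: redactRawObject scrubs only `secret.Data`, so a Secret body carrying `stringData` would be logged in clear should that field ever reach the webhook payload; the companion loop `for key := range secret.StringData { secret.StringData[key] = "REDACTED" }` next to the existing one costs nothing and closes the gap. The helper also fails open in two places: when `json.Unmarshal` fails it does `return rawObject`, logging the unparsed body verbatim, and `secretJson, _ := json.Marshal(secret)` discards the encode error; for an audit-log redaction path the safer default is to return `nil` (or a fixed `[]byte("REDACTED")`) on either failure. The `Kind.Kind == "Secret"` gate in logAdmissionRequest also means any other kind that embeds credential material is logged unredacted, which is worth a comment on the gate. PATCH 3/3 of this series drops Object and OldObject from the log entirely, which supersedes both points for the final state. logAdmissionRequest begins before this hunk.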
diff --git a/pkg/admission/utils.go b/pkg/admission/utils.go
index 2bea7ee6a..cbe2918ed 100644
--- a/pkg/admission/utils.go
+++ b/pkg/admission/utils.go
@@ -111,8 +111,8 @@ func logAdmissionRequest(ctx context.Context) {
 	admissionRequest, err := admission.RequestFromContext(ctx)
 	if err != nil {
 		return
-
 	}
+
 	// Redact secret data from the log
 	if admissionRequest.Kind.Kind == "Secret" {
 		admissionRequest.Object.Raw = redactRawObject(admissionRequest.Object.Raw)
@@ -133,8 +133,8 @@ func redactRawObject(rawObject []byte) []byte {
 		for key := range secret.Data {
 			secret.Data[key] = []byte("REDACTED")
 		}
-		secretJson, _ := json.Marshal(secret)
-		return secretJson
+		secretJSON, _ := json.Marshal(secret)
+		return secretJSON
 	}
 	return rawObject
 }

From 488ea83eb40179a1386e64c59372b7697c90b7d6 Mon Sep 17 00:00:00 2001
From: I574614
Date: Fri, 30 Aug 2024 10:40:20 +0200
Subject: [PATCH 3/3] Remove Object and OldObject completely from log

---
 pkg/admission/utils.go | 29 ++++------------------------
 1 file changed, 4 insertions(+), 25 deletions(-)

diff --git a/pkg/admission/utils.go b/pkg/admission/utils.go
index cbe2918ed..9ed5adb0c 100644
--- a/pkg/admission/utils.go
+++ b/pkg/admission/utils.go
@@ -5,9 +5,7 @@ package admission
 
 import (
 	"context"
-	"encoding/json"
 
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -113,28 +111,9 @@ func logAdmissionRequest(ctx context.Context) {
 		return
 	}
 
-	// Redact secret data from the log
-	if admissionRequest.Kind.Kind == "Secret" {
-		admissionRequest.Object.Raw = redactRawObject(admissionRequest.Object.Raw)
-		admissionRequest.OldObject.Raw = redactRawObject(admissionRequest.OldObject.Raw)
-	}
-	ctrl.Log.Info("AdmissionRequest", "Request", admissionRequest)
-}
+	// Remove all objects from the log
+	admissionRequest.Object.Raw = nil
+	admissionRequest.OldObject.Raw = nil
 
-// redactRawObject redacts secret data and annotations from the raw object
-func redactRawObject(rawObject []byte) []byte {
-	// Redact secret data from the log
-	secret := corev1.Secret{}
-	err := json.Unmarshal(rawObject, &secret)
-	if err == nil {
-		// delete annotations as they might have the last applied configuration
-		secret.Annotations = nil
-		// redact all secret data entries
-		for key := range secret.Data {
-			secret.Data[key] = []byte("REDACTED")
-		}
-		secretJSON, _ := json.Marshal(secret)
-		return secretJSON
-	}
-	return rawObject
+	ctrl.Log.Info("AdmissionRequest", "Request", admissionRequest)
 }
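Review bot: Only the `Raw` byte slices are cleared, so should either `RawExtension` ever carry a decoded `Object` instead of raw bytes, the structured logger would still serialize it; zeroing the whole extension, `admissionRequest.Object = runtime.RawExtension{}` and `admissionRequest.OldObject = runtime.RawExtension{}`, closes that gap and `runtime` is already imported in this file. The comment `// Remove all objects from the log` says what but not why, so the next maintainer may reintroduce the payload; suggest `// Drop Object/OldObject before logging: they can carry Secret data and last-applied annotations. This mutates a local copy, so the admission decision is unaffected.` — the last clause should be confirmed against the return type of `admission.RequestFromContext` (a value in controller-runtime, as far as I know). logAdmissionRequest's signature and the `RequestFromContext` call precede this hunk.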