kubeconfig appears in ansible log module invocations, even when in dictionary form #782
Comments
Hi @jnm27, could you please give more info, i.e. an example of the kubeconfig in dictionary form (with sensitive information hidden) and an example of the output, and in general, the steps to reproduce?
To reproduce, take the kubeconfig generated by the OpenShift installer for the system:admin user (for example). In Ansible, read that file and `| from_yaml` it to get it in dictionary form, then pass that as the kubeconfig parameter to any kubernetes.core module that supports it. You will see the kubeconfig contents in the module invocation when running at a higher verbosity.
I don't have any OpenShift cluster; is there a difference compared to a kubeconfig from any other K8s cluster?
No difference - any kubeconfig would work. Just a difference of loading the contents of the file in Ansible instead of passing the path to it directly.
Can you give an example (replacing sensitive parts with dummy data)?
Ok, reproduced the concern mentioned above with the following:
When the playbook is running with
As a quick fix, a line
can be replaced from:
to
The drawback of that is that the value of kubeconfig will always be hidden, even when it is a path to the file.
Yes, that's what I did in my local patch.
SUMMARY
When passing the kubeconfig to various kubernetes.core modules as a dictionary instead of a path, it contains sensitive data and should not be logged.
I've patched this in our environment in the meantime to simply always no_log the kubeconfig argument in args_common.py.
ISSUE TYPE
COMPONENT NAME
kubernetes/core/plugins/module_utils/args_common.py
ANSIBLE VERSION
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT
RHEL8.6 ansible engine, Openshift 4.16 target.
STEPS TO REPRODUCE
Pass kubeconfig as a dictionary to any kubernetes.core module that uses args_common.py.
kubernetes.core.helm, community.okd.k8s
EXPECTED RESULTS
Sensitive kubeconfig dictionary is omitted from logs.
ACTUAL RESULTS
Kubeconfig dictionary is in plaintext in logs.
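The comments note that always hiding the kubeconfig argument also hides it when it is only a file path. The following added example (not code from kubernetes.core or from this issue) sketches a redaction helper that leaves a path visible and masks credential fields only when the value is a dictionary; the function name `redact_kubeconfig`, the `MASK` string and the sample data are assumptions made for illustration.

```python
import copy

# Standard kubeconfig keys under users[].user that carry credential material.
# "exec" and "auth-provider" blocks can embed tokens, so they are masked whole.
SECRET_USER_KEYS = {
    "client-key-data", "client-certificate-data", "token", "password",
    "exec", "auth-provider",
}
MASK = "***REDACTED***"  # hypothetical placeholder string


def redact_kubeconfig(value):
    """Return a copy of a kubeconfig argument that is safe to write to a log.

    A string is treated as a file path and returned unchanged. A dict is
    deep-copied and its credential fields are replaced with MASK. Any other
    type is hidden entirely, since its shape is unknown.
    """
    if isinstance(value, str):
        return value
    if not isinstance(value, dict):
        return MASK
    safe = copy.deepcopy(value)  # never mutate the caller's real kubeconfig
    for entry in safe.get("users") or []:
        user = entry.get("user") if isinstance(entry, dict) else None
        if not isinstance(user, dict):
            continue
        for key in user:
            if key in SECRET_USER_KEYS:
                user[key] = MASK
    return safe


# Constructed sample with dummy values, shaped like a client-certificate kubeconfig.
SAMPLE = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "c1", "cluster": {"server": "https://api.example.invalid:6443"}}],
    "users": [{"name": "admin", "user": {"client-certificate-data": "RFVNTVk=",
                                         "client-key-data": "RFVNTVk="}}],
    "contexts": [{"name": "admin", "context": {"cluster": "c1", "user": "admin"}}],
    "current-context": "admin",
}

if __name__ == "__main__":
    print(redact_kubeconfig("/home/user/.kube/config"))  # path stays readable
    print(redact_kubeconfig(SAMPLE)["users"])             # credentials masked
```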