Add support to add a logfilter #183

Merged
merged 3 commits into from
Oct 28, 2020


@rf232 rf232 commented Oct 26, 2020

What this PR does / why we need it:

To implement log sanitization according to KEP-1753 we need to be able
to install a LogFilter method that can replace the arguments to logging
statements to prevent accidental leaking of secrets, certificates or
passwords.

Special notes for your reviewer:

https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/1753-logs-sanitization

Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

Release note:

Add support to add a logfilter to support log sanitization.

The interface of the filter defines three functions for the three kinds
of logging functions exposed by klog.

```
type LogFilter interface {
  Filter(args []interface{}) ([]interface{})
  FilterF(format string, args []interface{}) (string,[]interface{})
  FilterS(msg string, keysAndValues []interface{}) (string, []interface{})
}
```

In the case this is used for log sanitization, each of these functions should inspect the arguments and, if they contain sensitive data, alter the arguments to make sure there is no leaking.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 26, 2020
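
A sketch of a sanitizing implementation of the `LogFilter` interface described in the PR above, added here as an illustration (it is not code from the PR or from klog). The `redactingFilter` type, the `[REDACTED]` marker and the two regular expressions are assumptions, and the interface is repeated locally so the example runs without klog.

```go
package main

import (
	"fmt"
	"regexp"
)

// LogFilter is the interface from the PR description, repeated so this runs without klog.
type LogFilter interface {
	Filter(args []interface{}) []interface{}
	FilterF(format string, args []interface{}) (string, []interface{})
	FilterS(msg string, keysAndValues []interface{}) (string, []interface{})
}

// Hypothetical detection rules (assumptions, not taken from klog or KEP-1753).
var secretValue = regexp.MustCompile(`(?i)bearer\s+\S+|-----BEGIN [A-Z ]+-----`)
var secretKey = regexp.MustCompile(`(?i)password|passwd|secret|token`)

const redacted = "[REDACTED]"

type redactingFilter struct{} // hypothetical name

// scrub returns a redacted copy so the caller's slice is never mutated.
func scrub(args []interface{}) []interface{} {
	out := append([]interface{}(nil), args...)
	for i, a := range out {
		if secretValue.MatchString(fmt.Sprint(a)) {
			out[i] = redacted
		}
	}
	return out
}

func (redactingFilter) Filter(a []interface{}) []interface{} { return scrub(a) }
func (redactingFilter) FilterF(f string, a []interface{}) (string, []interface{}) { return f, scrub(a) }

// FilterS also redacts by key name; a trailing key without a value is left as is.
func (redactingFilter) FilterS(msg string, kv []interface{}) (string, []interface{}) {
	out := scrub(kv)
	for i := 0; i+1 < len(out); i += 2 {
		if k, ok := out[i].(string); ok && secretKey.MatchString(k) {
			out[i+1] = redacted
		}
	}
	return msg, out
}

func main() {
	var f LogFilter = redactingFilter{} // also checks the interface is satisfied
	fmt.Println(f.FilterS("login", []interface{}{"user", "alice", "password", "hunter2"})) // constructed input
}
```

Pattern-based redaction like this only catches what the rules anticipate, so it complements rather than replaces keeping secrets out of log call sites.
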
@serathius

/assign

@serathius

/assign @44past4

@serathius

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 27, 2020
@serathius

/assign @justinsb

@serathius

/cc @dims

@dims
Member

dims commented Oct 28, 2020

/approve

will leave LGTM to someone else!

@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, rf232, serathius

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 28, 2020
@k8s-ci-robot k8s-ci-robot merged commit 321016d into kubernetes:master Oct 28, 2020
@44past4

44past4 commented Oct 28, 2020

/lgtm

@@ -1249,13 +1270,14 @@ func (l *loggingT) setV(pc uintptr) Level {
type Verbose struct {
enabled bool
logr logr.Logger
filter LogFilter
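
Review bot: The new `filter LogFilter` field on `Verbose` has no comment, and this hunk does not show when it is populated. If it is captured when the `Verbose` value is created, a filter installed afterwards will not apply to log calls made through that value, which for a sanitization hook means unfiltered output. Please document the field and either read the currently installed filter at log time or state the intended semantics explicitly.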

Why was filter added to Verbose and as parameter to all the other functions? That causes overhead and the only advantage that I see is that in the theoretic case that someone does V + SetFilter, the original filter will be used when logging through the Verbose instance. I'm not even sure whether that is desirable.
