cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Prevent secret data from being logged (#34229)

Browse source
This commit is contained in:
Chris Houseknecht 2017-12-25 21:01:28 -05:00 committed by GitHub
parent ec3c31b1f4
commit 32f963aa0f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 25 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
lib/ansible/module_utils/k8s/common.py
View file

@ -56,6 +56,20 @@ except ImportError:
HAS_YAML = False HAS_YAML = False
def remove_secret_data(obj_dict):
""" Remove any sensitive data from a K8s dict"""
if obj_dict.get('data'):
# Secret data
obj_dict.pop('data')
if obj_dict.get('string_data'):
# The API should not return sting_data in Secrets, but just in case
obj_dict.pop('string_data')
if obj_dict['metadata'].get('annotations'):
# Remove things like 'openshift.io/token-secret' from metadata
for key in [k for k in obj_dict['metadata']['annotations'] if 'secret' in k]:
obj_dict['metadata']['annotations'].pop(key)
class DateTimeEncoder(json.JSONEncoder): class DateTimeEncoder(json.JSONEncoder):
# When using json.dumps() with K8s object, pass cls=DateTimeEncoder to handle any datetime objects # When using json.dumps() with K8s object, pass cls=DateTimeEncoder to handle any datetime objects
def default(self, o): def default(self, o):
@ -223,6 +237,17 @@ class KubernetesAnsibleModule(AnsibleModule):
return_attributes['changed'] = True return_attributes['changed'] = True
self.exit_json(**return_attributes) self.exit_json(**return_attributes)
def exit_json(self, **return_attributes):
""" Filter any sensitive data that we don't want logged """
if return_attributes.get('result') and \
return_attributes['result'].get('kind') in ('Secret', 'SecretList'):
if return_attributes['result'].get('data'):
remove_secret_data(return_attributes['result'])
elif return_attributes['result'].get('items'):
for item in return_attributes['result']['items']:
remove_secret_data(item)
super(KubernetesAnsibleModule, self).exit_json(**return_attributes)
def _authenticate(self): def _authenticate(self):
try: try:
auth_options = {} auth_options = {}