From 32f963aa0f1aa0cd50ba19fc398614a7735e51dc Mon Sep 17 00:00:00 2001
From: Chris Houseknecht
Date: Mon, 25 Dec 2017 21:01:28 -0500
Subject: [PATCH] Prevent secret data from being logged (#34229)
---
 lib/ansible/module_utils/k8s/common.py | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/lib/ansible/module_utils/k8s/common.py b/lib/ansible/module_utils/k8s/common.py
index 64dea88d58..16f6424902 100644
--- a/lib/ansible/module_utils/k8s/common.py
+++ b/lib/ansible/module_utils/k8s/common.py
@@ -56,6 +56,20 @@ except ImportError:
 HAS_YAML = False
+def remove_secret_data(obj_dict):
+ """ Remove any sensitive data from a K8s dict"""
+ if obj_dict.get('data'):
+ # Secret data
+ obj_dict.pop('data')
+ if obj_dict.get('string_data'):
+ # The API should not return sting_data in Secrets, but just in case
+ obj_dict.pop('string_data')
+ if obj_dict['metadata'].get('annotations'):
+ # Remove things like 'openshift.io/token-secret' from metadata
+ for key in [k for k in obj_dict['metadata']['annotations'] if 'secret' in k]:
+ obj_dict['metadata']['annotations'].pop(key)
+
+
 class DateTimeEncoder(json.JSONEncoder):
 # When using json.dumps() with K8s object, pass cls=DateTimeEncoder to handle any datetime objects
 def default(self, o):
@@ -223,6 +237,17 @@ class KubernetesAnsibleModule(AnsibleModule):
 return_attributes['changed'] = True
 self.exit_json(**return_attributes)
+ def exit_json(self, **return_attributes):
+ """ Filter any sensitive data that we don't want logged """
+ if return_attributes.get('result') and \ return_attributes['result'].get('kind') in ('Secret', 'SecretList'):
+ if return_attributes['result'].get('data'):
+ remove_secret_data(return_attributes['result'])
+ elif return_attributes['result'].get('items'):
+ for item in return_attributes['result']['items']:
+ remove_secret_data(item)
+ super(KubernetesAnsibleModule, self).exit_json(**return_attributes)
+
 def _authenticate(self):
 try:
 auth_options = {}
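Review bot: The annotation filter in `remove_secret_data` only drops keys containing the substring `secret`, so a Secret that was created with `kubectl apply` still carries `kubectl.kubernetes.io/last-applied-configuration`, whose value embeds the whole previously applied object including its `data` field, and that annotation is returned and logged intact. Widening the comprehension to `if 'secret' in k.lower() or k == 'kubectl.kubernetes.io/last-applied-configuration'` covers that case and mixed-case keys. `obj_dict['metadata']` is indexed directly while every other field is read with `.get()`, so an item without `metadata` would raise KeyError part-way through the scrub; `obj_dict.get('metadata', {}).get('annotations')` is the safer form. The docstring should say the dict is modified in place and nothing is returned, and the `string_data` comment has a typo (`sting_data`).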
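Review bot: The scrub in the new `exit_json` is gated on `return_attributes['result'].get('data')`, so a `Secret` whose `data` is absent or empty but that still carries `string_data` or a secret-bearing annotation is passed to the parent unfiltered, even though `remove_secret_data` already checks each of those fields individually. Gating on the kind instead, `if return_attributes['result'].get('kind') == 'Secret':`, keeps the existing `elif` for `SecretList` items and closes that gap. Only `exit_json` is overridden; if any failure path in this module places the object in `fail_json()` output, that path is not covered (not visible in this hunk). The enclosing class `KubernetesAnsibleModule` starts and ends outside the hunk.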