KEP 5933: Add x-kubernetes-sensitive-data marker for CRD fields#5937
KEP 5933: Add x-kubernetes-sensitive-data marker for CRD fields#5937trofimovdals wants to merge 2 commits intokubernetes:masterfrom
Conversation
Signed-off-by: dmitry.trofimov <dmitry.trofimov@flant.com>
k8s-ci-robot
added
cncf-cla: yes
|
Hi @trofimovdals. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: trofimovdals The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
kind/kep
k8s-ci-robot
added
sig/api-machinery
| - "@sprait" | ||
| owning-sig: sig-api-machinery | ||
| participating-sigs: | ||
| - sig-auth |
| - PATCH request audit masking is technically challenging, requiring JSON path analysis of patch bodies. | ||
|
|
||
| ## Alternatives | ||
|
|
There was a problem hiding this comment.
We should note that people could use a Secret instead (even if we rule out that alternative); it is a broadly viable option here.
| - Returned **in full** to every authenticated caller that can `get` the resource, even if the caller only needs non-sensitive fields. | ||
| - Logged **in cleartext** in audit log entries, creating a compliance risk. | ||
|
|
||
| There is no first-class Kubernetes primitive that lets a CRD author say "this field is sensitive — treat it accordingly". |
There was a problem hiding this comment.
That's true, and I note the non goals, but having a built in API with these properties would also be really convenient.
There was a problem hiding this comment.
this KEP is intentionally scoped to CRDs for now, while aiming to keep the design compatible with a more general built-in solution later
| - PATCH masking in audit is more complex than GET/PUT masking because the patch body must be parsed and individual values replaced by path. | ||
|
|
||
| ### Risks and Mitigations | ||
|
|
There was a problem hiding this comment.
If I get an object and write it back with a PUT, do I lose data? How's that risk managed?
There was a problem hiding this comment.
Good catch. Yes, this is a potential data-loss scenario for callers that can update the resource but cannot read /sensitive, since they would receive a redacted representation and could overwrite hidden fields via PUT. I updated the KEP to explicitly document this risk and to mitigate it by rejecting full-object updates from such callers.
There was a problem hiding this comment.
This case does not even make sense. A patch with {} payload is a read. Everybody with write permissions has inherently (sensitive) read too.
There was a problem hiding this comment.
And it highlights another problem: authz can fail without the SAR caller to notice (think of authz webhooks). So a read would degrade to a masked read. And then every write is a potential data loss without noticing and without a way to know.
k8s-ci-robot
added
size/XL
| - Returned **in full** to every authenticated caller that can `get` the resource, even if the caller only needs non-sensitive fields. | ||
| - Logged **in cleartext** in audit log entries, creating a compliance risk. | ||
|
|
||
| There is no first-class Kubernetes primitive that lets a CRD author say "this field is sensitive — treat it accordingly". |
There was a problem hiding this comment.
Wasn't it always considered an anti-pattern in core types (in k/k) to have secret data outside of secrets in any type? Why should we handle CRDs differently?
I remember in OpenShift we had a couple of resources that as a whole were considered sensitive (because mistakes were made not to follow the rule long ago).
There was a problem hiding this comment.
So my gut feeling here is that we are building a feature to mitigate "wrong" usage. By design there are secrets in Kube as the primary (or only) resource that this senstivie.
| verbs: ["get", "list", "watch"] | ||
| ``` | ||
|
|
||
| Callers **without** this permission receive the resource with sensitive fields removed (set to `null` / omitted). Callers **with** this permission receive the full resource. |
There was a problem hiding this comment.
different behaviour depending on authz is not a good pattern. Assuming we want a feature like described, we would want very explicit list/get options for this, or a different resource path (subresource).
Also note that there are more dragons deep in the storage stack: watchlist caches events in marshalled form, and fans out to all consumers. We cannot differentiate between trusted and non-trusted there.
|
|
||
| Callers **without** this permission receive the resource with sensitive fields removed (set to `null` / omitted). Callers **with** this permission receive the full resource. | ||
|
|
||
| Write access to sensitive fields is controlled by standard `create`/`update`/`patch` verbs on the main resource — no additional write-side subresource is required. |
There was a problem hiding this comment.
isn't this contradicting the direction of the role above? Being allowed to write because of verb: * permissions, but able to read sensitive data is very odd. Note that every update is also a read.
There was a problem hiding this comment.
Thinking out loud: databases/non-sensitive-thing would give much cleaner behaviour. And then the client would have to ask for the sanitized versions. It would be a normal subresource with normal subresource semantics.
|
|
||
| - `audit.LogRequestObject()` and `audit.LogResponseObject()` invoke an `ObjectTransformer` registered by the CRD handler. | ||
| - The transformer deep-copies the object and calls `MaskSensitiveFields()`, replacing each sensitive value with `"******"`. | ||
| - PATCH request bodies containing sensitive paths are masked in the same way. |
There was a problem hiding this comment.
how? patch could be json patch where it is not that clear how to mask.
5 participants
Introduces
x-kubernetes-sensitive-datavendor extension that enables field stripping on get/list/watch for unauthorized callers and unconditional masking of sensitive values in audit log entries.