RClone logs sensitive values by default #4247

Closed
gtrog opened this issue Aug 1, 2022 · 0 comments · Fixed by #4249

gtrog commented Aug 1, 2022

Describe the bug

An earlier PR (#3203) increased the verbosity that rclone logs with, which, in turn, happens to also log sensitive values like the S3 secret key configured via environment variables:

2022/08/01 17:27:54 DEBUG : Setting access_key_id="<sensitive value>" for "s3" from environment variable RCLONE_CONFIG_S3_ACCESS_KEY_ID
2022/08/01 17:27:54 DEBUG : Setting secret_access_key="<sensitive value>" for "s3" from environment variable RCLONE_CONFIG_S3_SECRET_ACCESS_KEY

Would it be possible to make the verbosity configurable and verbosity level 1 (-v) by default? The verbosity can also be configured with RCLONE_VERBOSE=(0|1|2), but, since the argument -vv is explicitly passed in the Dockerfile, this gets ignored. I currently can't figure out a workaround for this while I wait for a fix.

To reproduce

  1. Configure Seldon Core to use AWS S3 secrets from a Secret resource that specifies RCLONE_CONFIG_S3_... config values
  2. Deploy a model that references this AWS S3 secret
  3. Check the logs for the initializer container (in my case it was a tensorflow model, so the container was tfserving-model-initializer)

Expected behaviour

By default, logs don't log DEBUG messages, which may expose sensitive values, but verbosity is configurable if needed for debugging.

Environment

  • Cloud Provider: GKE
  • Kubernetes Cluster Version [Output of kubectl version]
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.0", GitCommit:"cb303e613a121a29364f75cc67d3d580833a7479", GitTreeState:"clean", BuildDate:"2021-04-08T16:31:21Z", GoVersion:"go1.16.1", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.8-gke.202", GitCommit:"88deae00580af268497b9656f216cb092b630563", GitTreeState:"clean", BuildDate:"2022-06-03T03:27:52Z", GoVersion:"go1.16.14b7", Compiler:"gc", Platform:"linux/amd64"}
  • Deployed Seldon System Images: [Output of kubectl get --namespace seldon-system deploy seldon-controller-manager -o yaml | grep seldonio]
docker.io/seldonio/seldon-core-operator:1.14.0

Model Details

Tensorflow model from a private repo
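
Added example (not part of the original issue, and not Seldon Core or rclone code): a log scanner for the DEBUG line format quoted above. It masks every value rclone printed from an `RCLONE_CONFIG_*` environment variable and lists which variables were exposed, so they can be rotated. The sample lines, the `SECRET_HINTS` heuristic and the function name `scan` are assumptions made for this example.

```python
import re
import sys

# Format taken from the DEBUG lines quoted in the issue:
#   <date> <time> DEBUG : Setting <key>="<value>" for "<remote>" from environment variable <VAR>
LEAK_RE = re.compile(
    r'^(?P<prefix>.*DEBUG\s*:\s*Setting (?P<key>[\w-]+)=)"(?P<value>.*)"'
    r'(?P<suffix> for "(?P<remote>[^"]*)" from environment variable (?P<var>RCLONE_CONFIG_\w+))\s*$'
)

# Assumption: key names containing these fragments hold credentials worth rotating.
SECRET_HINTS = ("secret", "key", "token", "pass")

# Constructed sample input; the values are made up for this example.
SAMPLE = [
    '2022/08/01 17:27:54 DEBUG : Setting access_key_id="AKIACONSTRUCTED0000" for "s3" from environment variable RCLONE_CONFIG_S3_ACCESS_KEY_ID',
    '2022/08/01 17:27:54 DEBUG : Setting secret_access_key="constructed/secret+value" for "s3" from environment variable RCLONE_CONFIG_S3_SECRET_ACCESS_KEY',
    '2022/08/01 17:27:54 DEBUG : Setting region="us-east-1" for "s3" from environment variable RCLONE_CONFIG_S3_REGION',
    '2022/08/01 17:27:55 INFO  : model.pb: Copied (new)',
]


def scan(lines):
    """Return (redacted_lines, findings); every env-sourced value is masked."""
    redacted, findings = [], []
    for lineno, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        m = LEAK_RE.match(line)
        if not m:
            redacted.append(line)  # unrelated log lines pass through unchanged
            continue
        redacted.append(f'{m["prefix"]}"<redacted>"{m["suffix"]}')
        findings.append({
            "line": lineno,
            "remote": m["remote"],
            "env_var": m["var"],
            "rotate": any(h in m["key"].lower() for h in SECRET_HINTS),
        })
    return redacted, findings


if __name__ == "__main__":
    # Pass a saved log file as the first argument, or run on the constructed sample.
    source = open(sys.argv[1], encoding="utf-8") if len(sys.argv) > 1 else SAMPLE
    out, found = scan(source)
    print("\n".join(out))
    for f in found:
        print(f"exposed: {f['env_var']} (line {f['line']}, rotate={f['rotate']})", file=sys.stderr)
```

Save the initializer container's logs to a file and pass its path as the first argument; the redacted log goes to stdout and the list of exposed variables to stderr.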
