Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added server side AWS account ID log redaction #327

Merged
merged 1 commit into from
Jul 7, 2020
Merged

Added server side AWS account ID log redaction #327

merged 1 commit into from
Jul 7, 2020

Conversation

micahhausler
Copy link
Member

This feature allows administrators to prevent specific account IDs from being emitted in server logs.

@micahhausler micahhausler requested review from nckturner and wongma7 July 7, 2020 21:54
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 7, 2020
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: micahhausler

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 7, 2020
@wongma7
Copy link
Contributor

wongma7 commented Jul 7, 2020

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 7, 2020
nckturner
nckturner reviewed Jul 7, 2020
View reviewed changes
README.md
@@ -394,6 +394,11 @@ server:
# role to assume before querying EC2 API in order to discover metadata like EC2 private DNS Name
ec2DescribeInstancesRoleARN: arn:aws:iam::000000000000:role/DescribeInstancesRole

# AWS Account IDs to scrub from server logs. (Defaults to empty list)
scrubbedAccounts:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: To me "redacted" is more explicit than "scrubbed"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I went back and forth on this, but in my mind "redacted" sounded too much like the whole log entry was omitted, and in this case I'm just redacting part of the log line.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like and understand "scrub" FWIW. 👍

README.md
@@ -394,6 +394,11 @@ server:
# role to assume before querying EC2 API in order to discover metadata like EC2 private DNS Name
ec2DescribeInstancesRoleARN: arn:aws:iam::000000000000:role/DescribeInstancesRole

# AWS Account IDs to scrub from server logs. (Defaults to empty list)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to give the ability to redact more than just account IDs?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we could certainly add that at some point

@k8s-ci-robot k8s-ci-robot merged commit 2c936a2 into kubernetes-sigs:master Jul 7, 2020
@micahhausler micahhausler deleted the role-redaction branch July 7, 2020 22:12
@nckturner nckturner mentioned this pull request Oct 6, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nckturner nckturner nckturner left review comments

@wongma7 wongma7 Awaiting requested review from wongma7

@christopherhein christopherhein Awaiting requested review from christopherhein

Assignees

@wongma7 wongma7

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@micahhausler @k8s-ci-robot @wongma7 @nckturner