juan-pablo-guereca opened a new issue, #69021:
URL: https://github.com/apache/airflow/issues/69021
### Under which category would you file this issue?
Task SDK
### Apache Airflow version
Airflow 3.x
### What happened and how to reproduce it?
In a DAG using KubernetesPodOperator if you pass a secret via env vars, they
don't get masked in the "Rendered templates" view, leaking the secrets to any
user with access to Airflow UI.
Example DAG to reproduce it
```python
from airflow import DAG
from airflow.operators.bash import BashOperator
from airflow.providers.cncf.kubernetes.operators.pod import (
KubernetesPodOperator,
)
DAG_ID = "test_secrets_masking"
ENVS = {
"some_password": "{{ var.value.some_password }}",
"some_password_json": "{{ var.json.some_password }}",
"some_password_json.secret": "{{ var.json.some_password.secret }}",
"some_password_json.foo": "{{ var.json.some_password.foo }}",
}
with DAG(
dag_id=DAG_ID,
schedule=None,
description="just a dummy dag to test secrets masking",
max_active_runs=1,
):
command = "echo hi there; env; echo bye"
BashOperator(task_id="some_bash_pod_operator", bash_command=command,
env=ENVS)
KubernetesPodOperator(
task_id="some_k8s_pod_operator",
cmds=["/bin/bash", "-c", command],
env_vars=ENVS,
is_delete_operator_pod=True,
in_cluster=True,
get_logs=True,
)
```
<img width="2482" height="756" alt="Image"
src="https://github.com/user-attachments/assets/a8715956-db20-4fca-8926-19eec9fd5bd0"
/>
### What you think should happen instead?
The Secrets should be masked so the don't get leaked to Airflow UI.
Example:
<img width="2002" height="848" alt="Image"
src="https://github.com/user-attachments/assets/54cb4fff-8b4a-4355-abb2-7ab383723c1f"
/>
### Operating System
Debian GNU/Linux 12 (bookworm) (from official airflow image 3.2.2)
### Deployment
None
### Apache Airflow Provider(s)
cncf-kubernetes
### Versions of Apache Airflow Providers
apache-airflow-providers-amazon==9.29.0
apache-airflow-providers-celery==3.20.0
apache-airflow-providers-cncf-kubernetes==10.17.1
apache-airflow-providers-common-compat==1.15.0
apache-airflow-providers-common-io==1.7.2
apache-airflow-providers-common-messaging==2.0.3
apache-airflow-providers-common-sql==2.0.0
apache-airflow-providers-docker==4.5.6
apache-airflow-providers-elasticsearch==6.5.4
apache-airflow-providers-fab==3.6.4
apache-airflow-providers-ftp==3.15.0
apache-airflow-providers-git==0.4.0
apache-airflow-providers-google==22.0.0
apache-airflow-providers-grpc==3.9.4
apache-airflow-providers-hashicorp==4.6.0
apache-airflow-providers-http==6.0.2
apache-airflow-providers-microsoft-azure==13.3.0
apache-airflow-providers-mysql==6.6.0
apache-airflow-providers-odbc==4.12.2
apache-airflow-providers-openlineage==2.17.0
apache-airflow-providers-postgres==6.7.0
apache-airflow-providers-redis==4.4.4
apache-airflow-providers-sendgrid==4.2.3
apache-airflow-providers-sftp==5.8.0
apache-airflow-providers-slack==9.10.0
apache-airflow-providers-smtp==3.0.1
apache-airflow-providers-snowflake==6.13.0
apache-airflow-providers-ssh==5.0.2
apache-airflow-providers-standard==1.13.1
### Official Helm Chart version
1.21.0
### Kubernetes Version
It happens on Helm chart and running Airflow docker image in standalone mode
### Helm Chart configuration
Not applicable because it happens when testing it locally via docker compose
or using airflow docker image in standalone mode.
### Docker Image customizations
_No response_
### Anything else?
Always when using KubernetesPodOperator
### Are you willing to submit PR?
- [x] Yes I am willing to submit a PR!
### Code of Conduct
- [x] I agree to follow this project's [Code of
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]