[ https://issues.apache.org/jira/browse/FLINK-30306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17643485#comment-17643485 ]
Alexis Sarda-Espinosa edited comment on FLINK-30306 at 12/5/22 6:05 PM:
------------------------------------------------------------------------
In my case, there are some passwords that we encrypt and are then injected by
Argo CD into the {{FlinkDeployment}} resource, and I can see them in the
{{AuditUtils}} logs. Moreover, we forward logs from containers to other
infrastructure to facilitate searching, so even though that remains internal,
it increases the "exposed area"; if someone could access the searchable logs,
that doesn't mean they have access to the Kubernetes cluster.
was (Author: asardaes):
In my case, there are some passwords that we encrypt and are then injected by
Argo CD, and I can see them in the {{AuditUtils}} logs. Moreover, we forward
logs from containers to other infrastructure to facilitate searching, so even
though that remains internal, it increases the "exposed area"; if someone could
access the searchable logs, that doesn't mean they have access to the
Kubernetes cluster.
> Audit utils can expose potentially sensitive information
> --------------------------------------------------------
>
> Key: FLINK-30306
> URL: https://issues.apache.org/jira/browse/FLINK-30306
> Project: Flink
> Issue Type: Bug
> Components: Kubernetes Operator
> Affects Versions: kubernetes-operator-1.2.0
> Reporter: Alexis Sarda-Espinosa
> Priority: Major
>
> I see events being logged by
> {{org.apache.flink.kubernetes.operator.listener.AuditUtils}} along the lines
> of ">>> Event | Info | SPECCHANGED | UPGRADE change(s) detected".
> This logs the entire new spec, which can contain sensitive information that
> has been injected from a Kubernetes secret.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
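The issue above is that an audit log line carries the full new spec, so any credential that was injected into the FlinkDeployment (a Flink configuration key, a container env var) ends up in whatever log pipeline the container logs flow into. The following is an added illustration of the usual mitigation, written for this page and not code from the Flink Kubernetes Operator: mask values under credential-looking keys before the spec is serialized into the audit line, and check the resulting line against the known secret values to confirm nothing leaked. The spec, the key-name heuristic and the helper names (`redact_spec`, `format_audit_event`, `leaked_values`) are constructed for the example; only the ">>> Event | Info | SPECCHANGED | UPGRADE change(s) detected" prefix is taken from the issue text.

```python
import copy
import json
import re
from typing import Any, Iterable, List

# Constructed heuristic: key names that commonly hold credentials (assumption,
# not a list taken from the operator). Tune it to the deployment's own conventions.
SENSITIVE_KEY_RE = re.compile(
    r"password|passwd|secret|token|credential|access[-_]?key|api[-_]?key|private[-_]?key",
    re.IGNORECASE,
)
MASK = "***REDACTED***"


def redact_spec(obj: Any) -> Any:
    """Return a deep-redacted copy of a spec-like structure (dicts/lists/scalars).

    The original object is never mutated, so the operator can still act on the
    real spec while only the copy reaches the log.
    """
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if SENSITIVE_KEY_RE.search(str(key)) and not isinstance(value, (dict, list)):
                out[key] = MASK            # e.g. flinkConfiguration["s3.secret-key"]
            else:
                out[key] = redact_spec(value)
        # Kubernetes env-var convention: {"name": NAME, "value": VALUE}.
        # The sensitive word sits in NAME, so mask VALUE when NAME looks sensitive.
        # Entries using valueFrom/secretKeyRef carry only a reference, so they are left alone.
        if (
            "name" in out
            and "value" in out
            and not isinstance(out["value"], (dict, list))
            and SENSITIVE_KEY_RE.search(str(out["name"]))
        ):
            out["value"] = MASK
        return out
    if isinstance(obj, list):
        return [redact_spec(item) for item in obj]
    return copy.copy(obj)


def format_audit_event(new_spec: dict, redact: bool = True) -> str:
    """Build an audit line like the one quoted in the issue, with the spec appended.

    The JSON tail is a constructed stand-in for however the operator serializes
    the spec; the point is that it is built from the redacted copy.
    """
    payload = redact_spec(new_spec) if redact else new_spec
    return ">>> Event | Info | SPECCHANGED | UPGRADE change(s) detected " + json.dumps(
        payload, sort_keys=True
    )


def leaked_values(log_line: str, known_secret_values: Iterable[str]) -> List[str]:
    """Detection-side check: which known secret values appear verbatim in a log line."""
    return [value for value in known_secret_values if value in log_line]


# Constructed sample spec; every credential value below is fake.
SAMPLE_SPEC = {
    "image": "flink:1.16",
    "flinkConfiguration": {
        "s3.access-key": "AKIAEXAMPLE",
        "s3.secret-key": "wJalrEXAMPLEKEY",
        "state.savepoints.dir": "s3://bucket/savepoints",
    },
    "podTemplate": {
        "spec": {
            "containers": [
                {
                    "name": "flink-main-container",
                    "env": [
                        {"name": "DB_PASSWORD", "value": "hunter2"},
                        {"name": "DB_HOST", "value": "db.internal"},
                        {"name": "API_TOKEN",
                         "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}},
                    ],
                }
            ]
        }
    },
}
KNOWN_SECRETS = ["AKIAEXAMPLE", "wJalrEXAMPLEKEY", "hunter2"]


if __name__ == "__main__":
    print(format_audit_event(SAMPLE_SPEC))
    print("leaked (redacted line):", leaked_values(format_audit_event(SAMPLE_SPEC), KNOWN_SECRETS))
    print("leaked (raw line):     ", leaked_values(format_audit_event(SAMPLE_SPEC, redact=False), KNOWN_SECRETS))
```

The key-name heuristic is deliberately the weak link: a credential under an innocuous key such as `s3.endpoint-auth` would pass through, which is why the `leaked_values` check against the values the deployment pipeline actually injected belongs in a test of the log output, not just in a code review of the redaction list.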