Skip to content

Commit 7b11d6c

Browse files
aadhar-agarwalaadhar-agarwal
committed
fix: sanitize error before gRPC return to prevent credential leak in pod events
PR containerd#12491 fixed credential leaks in containerd logs but the gRPC error returned to kubelet still contained sensitive information. This was visible in Kubernetes pod events via `kubectl describe pod`. The issue was that SanitizeError was called inside the defer block, but errgrpc.ToGRPC(err) was evaluated before the defer ran, so the gRPC message contained the original unsanitized error. Move SanitizeError before the return statement so both the logged error and the gRPC error are sanitized. Ref: containerd#5453 Signed-off-by: Aadhar Agarwal <[email protected]>
1 parent 6a0a7e3 commit 7b11d6c

1 file changed

Lines changed: 16 additions & 8 deletions

File tree

internal/cri/instrument/instrumented_service.go

Lines changed: 16 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -354,8 +354,6 @@ func (in *instrumentedService) PullImage(ctx context.Context, r *runtime.PullIma
354354
log.G(ctx).Infof("PullImage %q", r.GetImage().GetImage())
355355
defer func() {
356356
if err != nil {
357-
// Sanitize error to remove sensitive information
358-
err = ctrdutil.SanitizeError(err)
359357
log.G(ctx).WithError(err).Errorf("PullImage %q failed", r.GetImage().GetImage())
360358
} else {
361359
log.G(ctx).Infof("PullImage %q returns image reference %q",
@@ -364,6 +362,10 @@ func (in *instrumentedService) PullImage(ctx context.Context, r *runtime.PullIma
364362
span.RecordError(err)
365363
}()
366364
res, err = in.c.PullImage(ctrdutil.WithNamespace(ctx), r)
365+
// Sanitize error to remove sensitive information from both logs and returned gRPC error
366+
if err != nil {
367+
err = ctrdutil.SanitizeError(err)
368+
}
367369
return res, errgrpc.ToGRPC(err)
368370
}
369371

@@ -374,15 +376,17 @@ func (in *instrumentedService) ListImages(ctx context.Context, r *runtime.ListIm
374376
log.G(ctx).Tracef("ListImages with filter %+v", r.GetFilter())
375377
defer func() {
376378
if err != nil {
377-
// Sanitize error to remove sensitive information
378-
err = ctrdutil.SanitizeError(err)
379379
log.G(ctx).WithError(err).Errorf("ListImages with filter %+v failed", r.GetFilter())
380380
} else {
381381
log.G(ctx).Tracef("ListImages with filter %+v returns image list %+v",
382382
r.GetFilter(), res.GetImages())
383383
}
384384
}()
385385
res, err = in.c.ListImages(ctrdutil.WithNamespace(ctx), r)
386+
// Sanitize error to remove sensitive information from both logs and returned gRPC error
387+
if err != nil {
388+
err = ctrdutil.SanitizeError(err)
389+
}
386390
return res, errgrpc.ToGRPC(err)
387391
}
388392

@@ -393,15 +397,17 @@ func (in *instrumentedService) ImageStatus(ctx context.Context, r *runtime.Image
393397
log.G(ctx).Tracef("ImageStatus for %q", r.GetImage().GetImage())
394398
defer func() {
395399
if err != nil {
396-
// Sanitize error to remove sensitive information
397-
err = ctrdutil.SanitizeError(err)
398400
log.G(ctx).WithError(err).Errorf("ImageStatus for %q failed", r.GetImage().GetImage())
399401
} else {
400402
log.G(ctx).Tracef("ImageStatus for %q returns image status %+v",
401403
r.GetImage().GetImage(), res.GetImage())
402404
}
403405
}()
404406
res, err = in.c.ImageStatus(ctrdutil.WithNamespace(ctx), r)
407+
// Sanitize error to remove sensitive information from both logs and returned gRPC error
408+
if err != nil {
409+
err = ctrdutil.SanitizeError(err)
410+
}
405411
return res, errgrpc.ToGRPC(err)
406412
}
407413

@@ -413,15 +419,17 @@ func (in *instrumentedService) RemoveImage(ctx context.Context, r *runtime.Remov
413419
log.G(ctx).Infof("RemoveImage %q", r.GetImage().GetImage())
414420
defer func() {
415421
if err != nil {
416-
// Sanitize error to remove sensitive information
417-
err = ctrdutil.SanitizeError(err)
418422
log.G(ctx).WithError(err).Errorf("RemoveImage %q failed", r.GetImage().GetImage())
419423
} else {
420424
log.G(ctx).Infof("RemoveImage %q returns successfully", r.GetImage().GetImage())
421425
}
422426
span.RecordError(err)
423427
}()
424428
res, err := in.c.RemoveImage(ctrdutil.WithNamespace(ctx), r)
429+
// Sanitize error to remove sensitive information from both logs and returned gRPC error
430+
if err != nil {
431+
err = ctrdutil.SanitizeError(err)
432+
}
425433
return res, errgrpc.ToGRPC(err)
426434
}
427435

0 commit comments

Comments
 (0)