Skip to content

Commit cb3ae21

Browse files
aadhar-agarwalk8s-infra-cherrypick-robot
aadhar-agarwal
authored and
k8s-infra-cherrypick-robot
committed
fix: sanitize error before gRPC return to prevent credential leak in pod events
PR #12491 fixed credential leaks in containerd logs but the gRPC error returned to kubelet still contained sensitive information. This was visible in Kubernetes pod events via `kubectl describe pod`. The issue was that SanitizeError was called inside the defer block, but errgrpc.ToGRPC(err) was evaluated before the defer ran, so the gRPC message contained the original unsanitized error. Move SanitizeError before the return statement so both the logged error and the gRPC error are sanitized. Ref: #5453 Signed-off-by: Aadhar Agarwal <[email protected]>
1 parent 0778056 commit cb3ae21

1 file changed

Lines changed: 16 additions & 8 deletions

File tree

internal/cri/instrument/instrumented_service.go

Lines changed: 16 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -355,8 +355,6 @@ func (in *instrumentedService) PullImage(ctx context.Context, r *runtime.PullIma
355355
log.G(ctx).Infof("PullImage %q", r.GetImage().GetImage())
356356
defer func() {
357357
if err != nil {
358-
// Sanitize error to remove sensitive information
359-
err = ctrdutil.SanitizeError(err)
360358
log.G(ctx).WithError(err).Errorf("PullImage %q failed", r.GetImage().GetImage())
361359
} else {
362360
log.G(ctx).Infof("PullImage %q returns image reference %q",
@@ -365,6 +363,10 @@ func (in *instrumentedService) PullImage(ctx context.Context, r *runtime.PullIma
365363
span.RecordError(err)
366364
}()
367365
res, err = in.c.PullImage(ctrdutil.WithNamespace(ctx), r)
366+
// Sanitize error to remove sensitive information from both logs and returned gRPC error
367+
if err != nil {
368+
err = ctrdutil.SanitizeError(err)
369+
}
368370
return res, errgrpc.ToGRPC(err)
369371
}
370372

@@ -375,15 +377,17 @@ func (in *instrumentedService) ListImages(ctx context.Context, r *runtime.ListIm
375377
log.G(ctx).Tracef("ListImages with filter %+v", r.GetFilter())
376378
defer func() {
377379
if err != nil {
378-
// Sanitize error to remove sensitive information
379-
err = ctrdutil.SanitizeError(err)
380380
log.G(ctx).WithError(err).Errorf("ListImages with filter %+v failed", r.GetFilter())
381381
} else {
382382
log.G(ctx).Tracef("ListImages with filter %+v returns image list %+v",
383383
r.GetFilter(), res.GetImages())
384384
}
385385
}()
386386
res, err = in.c.ListImages(ctrdutil.WithNamespace(ctx), r)
387+
// Sanitize error to remove sensitive information from both logs and returned gRPC error
388+
if err != nil {
389+
err = ctrdutil.SanitizeError(err)
390+
}
387391
return res, errgrpc.ToGRPC(err)
388392
}
389393

@@ -394,15 +398,17 @@ func (in *instrumentedService) ImageStatus(ctx context.Context, r *runtime.Image
394398
log.G(ctx).Tracef("ImageStatus for %q", r.GetImage().GetImage())
395399
defer func() {
396400
if err != nil {
397-
// Sanitize error to remove sensitive information
398-
err = ctrdutil.SanitizeError(err)
399401
log.G(ctx).WithError(err).Errorf("ImageStatus for %q failed", r.GetImage().GetImage())
400402
} else {
401403
log.G(ctx).Tracef("ImageStatus for %q returns image status %+v",
402404
r.GetImage().GetImage(), res.GetImage())
403405
}
404406
}()
405407
res, err = in.c.ImageStatus(ctrdutil.WithNamespace(ctx), r)
408+
// Sanitize error to remove sensitive information from both logs and returned gRPC error
409+
if err != nil {
410+
err = ctrdutil.SanitizeError(err)
411+
}
406412
return res, errgrpc.ToGRPC(err)
407413
}
408414

@@ -414,15 +420,17 @@ func (in *instrumentedService) RemoveImage(ctx context.Context, r *runtime.Remov
414420
log.G(ctx).Infof("RemoveImage %q", r.GetImage().GetImage())
415421
defer func() {
416422
if err != nil {
417-
// Sanitize error to remove sensitive information
418-
err = ctrdutil.SanitizeError(err)
419423
log.G(ctx).WithError(err).Errorf("RemoveImage %q failed", r.GetImage().GetImage())
420424
} else {
421425
log.G(ctx).Infof("RemoveImage %q returns successfully", r.GetImage().GetImage())
422426
}
423427
span.RecordError(err)
424428
}()
425429
res, err := in.c.RemoveImage(ctrdutil.WithNamespace(ctx), r)
430+
// Sanitize error to remove sensitive information from both logs and returned gRPC error
431+
if err != nil {
432+
err = ctrdutil.SanitizeError(err)
433+
}
426434
return res, errgrpc.ToGRPC(err)
427435
}
428436

0 commit comments

Comments
 (0)