Bug
Resolution: Unresolved
Critical
Description of problem:
Kubernetes service account tokens mounted inside pods (e.g. /var/run/secrets/kubernetes.io/serviceaccount/) are not automatically redacted from Tekton pipeline logs.
When a run is viewed with tkn pr logs, verbose Bash logging (set -x, enabled by default in Konflux workflows) may print sensitive data early in the workflow execution. Because service account tokens are valid for the lifetime of the pod, a token exposed in the logs can be misused while the workflow is still active.
This is particularly concerning in shared log aggregation systems where multiple users may have access to logs.
Workaround
- Avoid enabling verbose Bash logging (set -x) in steps that may access service account tokens.
- Manually ensure secrets are not echoed to stdout/stderr.
- Restrict log access where possible until redaction is implemented.
Prerequisites (if any, like setup, operators/versions):
- Konflux CI environment
- Tekton Pipelines installed
- PipelineRun executed with default service account
- Default service account token mounted at: /var/run/secrets/kubernetes.io/serviceaccount/token
- Verbose Bash logging enabled (e.g. set -x)
Steps to Reproduce
Create a PipelineRun in Konflux using a default service account.
Add a step that enables verbose Bash logging (set -x).
Access or print content from /var/run/secrets/kubernetes.io/serviceaccount/token.
Run tkn pr logs <pipeline-run-name>.
Observe logs output.
Actual results:
Service account token contents (or other mounted secret data) appear in the logs and are not redacted.
Expected results:
Any content originating from Kubernetes-mounted secrets (including service account tokens) should be automatically redacted before being stored or displayed via tkn pr logs or log aggregation systems.
Reproducibility (Always/Intermittent/Only Once):
Always (when verbose logging prints secret content).
Acceptance criteria:
- Log aggregation layer automatically redacts:
  - Service account tokens
  - Any data originating from /var/run/secrets/kubernetes.io/serviceaccount/
- Redaction occurs before logs are persisted or displayed.
- tkn pr logs output does not expose secret values.
- Add automated test verifying secret redaction in logs.
- No regression in log visibility for non-sensitive output.
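The redaction behaviour described in the expected results and acceptance criteria, as an added Python example that is not Konflux's or Tekton's code: it loads the contents of the projected service-account volume (constructed placeholder values here, not a real token), masks every literal occurrence in the log lines, falls back to a JWT-shaped pattern for tokens it has not been given, and leaves the short, public `namespace` value alone so ordinary output stays readable. The `find_leaks` check is the kind of assertion the "automated test verifying secret redaction" criterion asks for. The log lines are constructed to resemble tkn pr logs output from a step running under set -x.

```python
import re
from typing import Dict, Iterable, List

# Path of the projected service-account volume named in the bug report.
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed placeholder with the shape of a Kubernetes SA JWT
# (three base64url segments); it is not a real credential.
TOKEN = ("eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiYyJ9"
         ".eyJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6dGVzdCJ9"
         ".c2lnbmF0dXJlLXBsYWNlaG9sZGVy")

# What the redaction layer would read from the mounted volume (constructed).
MOUNTED_SECRETS: Dict[str, str] = {
    f"{SA_DIR}/token": TOKEN,
    f"{SA_DIR}/namespace": "default",
}

REDACTED = "[REDACTED]"
MIN_SECRET_LEN = 16                  # never mask short, common strings
NON_SENSITIVE_FILES = {"namespace"}  # public value; masking it hurts readability

# Fallback for tokens the layer never loaded: three base64url segments, the
# first starting with "eyJ" (base64 of '{"'), not preceded by a token character.
JWT_RE = re.compile(
    r"(?<![A-Za-z0-9_-])eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"
)


def build_literals(secrets: Dict[str, str]) -> List[str]:
    """Collect the secret values to mask verbatim, longest first."""
    literals = set()
    for path, content in secrets.items():
        if path.rsplit("/", 1)[-1] in NON_SENSITIVE_FILES:
            continue
        for piece in content.split():
            if len(piece) >= MIN_SECRET_LEN:
                literals.add(piece)
    # Longest first, so a secret that contains another never leaves a tail behind.
    return sorted(literals, key=len, reverse=True)


def redact_line(line: str, literals: List[str]) -> str:
    """Mask known secret values, then anything that still looks like a JWT."""
    for secret in literals:
        line = line.replace(secret, REDACTED)
    return JWT_RE.sub(REDACTED, line)


def redact_stream(lines: Iterable[str],
                  secrets: Dict[str, str] = MOUNTED_SECRETS) -> List[str]:
    """Redact a whole log stream before it is persisted or displayed."""
    literals = build_literals(secrets)
    return [redact_line(line, literals) for line in lines]


def find_leaks(lines: Iterable[str],
               secrets: Dict[str, str] = MOUNTED_SECRETS) -> List[int]:
    """Indices of lines still carrying a secret: the check an automated test runs."""
    literals = build_literals(secrets)
    return [i for i, line in enumerate(lines)
            if any(s in line for s in literals) or JWT_RE.search(line)]


# Constructed lines in the shape of `tkn pr logs` output from a set -x step.
SAMPLE_LOG = [
    f"[build : run-tests] ++ cat {SA_DIR}/token",
    f"[build : run-tests] + TOKEN={TOKEN}",
    f"[build : run-tests] + curl -s -H 'Authorization: Bearer {TOKEN}' https://kubernetes.default.svc/api",
    "[build : run-tests] + echo 'namespace: default'",
    "[build : run-tests] namespace: default",
    "[build : run-tests] tests passed: 42",
]

if __name__ == "__main__":
    print("leaking lines before redaction:", find_leaks(SAMPLE_LOG))
    redacted = redact_stream(SAMPLE_LOG)
    for line in redacted:
        print(line)
    print("leaking lines after redaction:", find_leaks(redacted))
```

Two design points follow from the acceptance criteria. Masking every byte that originates from the directory literally would also mask the namespace value ("default" here) wherever it appears, which is the kind of regression in non-sensitive output the last criterion rules out, so the example allow-lists that file and applies a minimum length. The literal pass only catches values the layer has actually read; the JWT pattern is the fallback for projected tokens from other mounts, but neither pass catches a token that a step has base64-encoded or split across lines, which is why the set -x workaround still matters until redaction exists.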
Definition of Done:
Redaction mechanism implemented in Konflux log aggregation layer (or upstream if applicable).
Linked upstream PR (if required).
Unit/integration test added.
Security review completed.
Verified in staging environment.
Internal refinement discussion completed.
Build Details:
Konflux CI (current version)
Tekton Pipelines (current deployed version)
Slack: https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1771799654035239
Additional info (Such as Logs, Screenshots, etc):
Example log snippet showing exposed token (redacted manually before attaching to JIRA).
Reference to upstream PR (to be linked).
Security impact: potential token misuse during active pod lifecycle.