Encrypt/Remove kubeconfig secrets from build output

Open dtzar opened this issue 8 years ago • 8 comments

When you use the general 2.x task it outputs the entire contents of the kubeconfig file to the build log/output in VSTS. We should not have this for security reasons.

dtzar avatar May 29 '17 15:05 dtzar

1.x is the same. Let's encode the kubeconfig file into Base64. Then it will be solved. See 5.1. Create an endpoint on the README. :)

TsuyoshiUshio avatar May 30 '17 01:05 TsuyoshiUshio

Can I close this issue?

TsuyoshiUshio avatar Jun 11 '17 13:06 TsuyoshiUshio

I imagine there is a way to either:

  1. Encrypt the contents of kube config since Base64 can easily be decoded: http://www.hashemian.com/tools/base64-encode-decode.php --> "Base64 decoding employs a reverse algorithm to yield the original content. While Base64 encoding alters the original content, it is not suitable as an encryption mechanism as it can be easily decoded to reveal the original content." or
  2. Remove the output of the kube config from the build log.

dtzar avatar Jun 12 '17 16:06 dtzar

Do you know which line is causing the output to get written?

-- Rakesh Kelkar

rakelkar avatar Jun 13 '17 19:06 rakelkar

Not sure - somewhere here https://github.com/TsuyoshiUshio/KubernetesTask/blob/master/kubectl.ts I imagine with the kubeconfig.

dtzar avatar Jun 13 '17 19:06 dtzar

Yeah it's strange.. I think the agent framework is printing it.. I've started a thread with them to figure it out.

rakelkar avatar Jun 13 '17 21:06 rakelkar

I don't know why. But I realised that if you have multiple lines in the parameter, VSTS prints from the second line. VSTS doesn't print the first line. I should report it to the VSTS production team.

The log is output automatically. https://github.com/TsuyoshiUshio/KubernetesTask/blob/master/kubectl.ts#L31

TsuyoshiUshio avatar Jun 14 '17 06:06 TsuyoshiUshio

@dtzar It seems to be printed out automatically when I use this.

this.kubeconfig = tl.getEndpointAuthorizationParameter(this.endpoint, 'kubeconfig', true);

I can't avoid it. However, this line smells. I'll investigate it.

https://github.com/Microsoft/vsts-task-lib/blob/master/node/task.ts#L364

TsuyoshiUshio avatar Jun 14 '17 06:06 TsuyoshiUshio
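The two points raised in this thread (Base64 is reversible, and a multi-line value can escape a masker that only knows the whole string) can be checked with a log scrubber like the one below. This is an added example in plain JavaScript for Node, not code from KubernetesTask or vsts-task-lib; the kubeconfig, token, log lines and all function names are constructed or hypothetical.

```javascript
// Added example: kubeconfig, token and log lines are constructed; helper names are hypothetical.
const MASK = "***";
const TOKEN = "CONSTRUCTED-TOKEN-0123456789";
const kubeconfig = ["apiVersion: v1", "users:", "- name: ci", "  user:", `    token: ${TOKEN}`].join("\n");
const b64 = Buffer.from(kubeconfig, "utf8").toString("base64");

// Constructed log: each kubeconfig line gets its own prefix, then the Base64 form is echoed.
const log = kubeconfig.split("\n")
  .map((line, i) => `2017-06-14T06:00:0${i}Z ##[debug]${line}`)
  .concat(`2017-06-14T06:00:09Z kubeconfig_b64: ${b64}`)
  .join("\n");

// Masks only the exact whole value, so it misses per-line output and the Base64 form.
function naiveScrub(text, secret) {
  return text.split(secret).join(MASK);
}

// Every form the secret can take in a log: whole value, its Base64, and each line.
function secretVariants(secret) {
  const variants = new Set([secret, Buffer.from(secret, "utf8").toString("base64")]);
  for (const line of secret.split(/\r?\n/)) {
    const trimmed = line.trim();
    // Skip short fragments such as "users:" that would mask unrelated log text.
    if (trimmed.length >= 8) variants.add(trimmed);
  }
  // Longest first, so a full match is replaced before its fragments.
  return [...variants].sort((a, b) => b.length - a.length);
}

function scrub(text, secret) {
  return secretVariants(secret).reduce((out, v) => out.split(v).join(MASK), text);
}

// True if the token is readable directly or after Base64-decoding any long run.
function leaksToken(text, token) {
  if (text.includes(token)) return true;
  const runs = text.match(/[A-Za-z0-9+\/]{16,}/g) || [];
  return runs.some((r) => Buffer.from(r, "base64").toString("utf8").includes(token));
}

console.log("naive scrub still leaks:", leaksToken(naiveScrub(log, kubeconfig), TOKEN));
console.log("variant scrub still leaks:", leaksToken(scrub(log, kubeconfig), TOKEN));
```

Masking every line also hides non-secret lines such as `apiVersion: v1`, which is the safer trade-off for a build log.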