ALB pod logs show credentials in plain text #1227

Closed
darleilopes opened this issue Apr 16, 2020 · 1 comment · Fixed by #1228

@darleilopes

We found in our service that the log of the ALB controller pod shows the credentials in plain text:

kubectl -n kube-system logs alb-controller-757b79b8c5-v44gd  --since 30m -f

...
I0416 15:42:15.529115       1 controller.go:236] kubebuilder/controller "level"=1 "msg"="Successfully Reconciled"  "controller"="alb-ingress-controller" "request"={"Namespace":"pipelines","Name":"dashboard"}
I0416 15:42:15.899854       1 listener.go:236] pipelines/dashboard: Auto-detected and added 1 certificates to listener
I0416 15:42:15.899977       1 log.go:30] pipelines/dashboard: listener defaultActions needs modification: [{
I0416 15:42:15.899984       1 log.go:30] pipelines/dashboard:     FixedResponseConfig: {
I0416 15:42:15.899987       1 log.go:30] pipelines/dashboard:       ContentType: "text/plain",
I0416 15:42:15.899990       1 log.go:30] pipelines/dashboard:       StatusCode: "404"
I0416 15:42:15.899993       1 log.go:30] pipelines/dashboard:     },
I0416 15:42:15.899996       1 log.go:30] pipelines/dashboard:     Order: 2,
I0416 15:42:15.899999       1 log.go:30] pipelines/dashboard:     Type: "fixed-response"
I0416 15:42:15.900002       1 log.go:30] pipelines/dashboard:   },{
I0416 15:42:15.900005       1 log.go:30] pipelines/dashboard:     AuthenticateOidcConfig: {
I0416 15:42:15.900008       1 log.go:30] pipelines/dashboard:       AuthenticationRequestExtraParams: {
I0416 15:42:15.900010       1 log.go:30] pipelines/dashboard: 
I0416 15:42:15.900013       1 log.go:30] pipelines/dashboard:       },
I0416 15:42:15.900016       1 log.go:30] pipelines/dashboard:       AuthorizationEndpoint: "https://company.okta.com/oauth2/default/v1/authorize",
I0416 15:42:15.900019       1 log.go:30] pipelines/dashboard:       ClientId: "0oa1ik4j1of9YfoD30h8",
I0416 15:42:15.900022       1 log.go:30] pipelines/dashboard:       Issuer: "https://company.okta.com/oauth2/default",
I0416 15:42:15.900026       1 log.go:30] pipelines/dashboard:       OnUnauthenticatedRequest: "authenticate",
I0416 15:42:15.900028       1 log.go:30] pipelines/dashboard:       Scope: "openid",
I0416 15:42:15.900031       1 log.go:30] pipelines/dashboard:       SessionCookieName: "company-dashboard",
I0416 15:42:15.900035       1 log.go:30] pipelines/dashboard:       SessionTimeout: 28800,
I0416 15:42:15.900038       1 log.go:30] pipelines/dashboard:       TokenEndpoint: "https://company.okta.com/oauth2/default/v1/token",
I0416 15:42:15.900041       1 log.go:30] pipelines/dashboard:       UserInfoEndpoint: "https://company.okta.com/oauth2/default/v1/userinfo"
I0416 15:42:15.900043       1 log.go:30] pipelines/dashboard:     },
I0416 15:42:15.900046       1 log.go:30] pipelines/dashboard:     Order: 1,
I0416 15:42:15.900049       1 log.go:30] pipelines/dashboard:     Type: "authenticate-oidc"
I0416 15:42:15.900052       1 log.go:30] pipelines/dashboard:   }] => [{
I0416 15:42:15.900055       1 log.go:30] pipelines/dashboard:     AuthenticateOidcConfig: {
I0416 15:42:15.900057       1 log.go:30] pipelines/dashboard:       AuthenticationRequestExtraParams: {
I0416 15:42:15.900060       1 log.go:30] pipelines/dashboard: 
I0416 15:42:15.900063       1 log.go:30] pipelines/dashboard:       },
I0416 15:42:15.900065       1 log.go:30] pipelines/dashboard:       AuthorizationEndpoint: "https://company.okta.com/oauth2/default/v1/authorize",
I0416 15:42:15.900068       1 log.go:30] pipelines/dashboard:       ClientId: "<HERE SHOW THE CREDENTIAL>",
I0416 15:42:15.900071       1 log.go:30] pipelines/dashboard:       ClientSecret: "<HERE SHOW THE CREDENTIAL>",
I0416 15:42:15.900074       1 log.go:30] pipelines/dashboard:       Issuer: "https://company.okta.com/oauth2/default",
I0416 15:42:15.900077       1 log.go:30] pipelines/dashboard:       OnUnauthenticatedRequest: "authenticate",
I0416 15:42:15.900080       1 log.go:30] pipelines/dashboard:       Scope: "openid",
I0416 15:42:15.900082       1 log.go:30] pipelines/dashboard:       SessionCookieName: "company-dashboard",
I0416 15:42:15.900085       1 log.go:30] pipelines/dashboard:       SessionTimeout: 28800,
I0416 15:42:15.900088       1 log.go:30] pipelines/dashboard:       TokenEndpoint: "https://company.okta.com/oauth2/default/v1/token",
I0416 15:42:15.900091       1 log.go:30] pipelines/dashboard:       UserInfoEndpoint: "https://company.okta.com/oauth2/default/v1/userinfo"
I0416 15:42:15.900093       1 log.go:30] pipelines/dashboard:     },
I0416 15:42:15.900096       1 log.go:30] pipelines/dashboard:     Order: 1,
I0416 15:42:15.900099       1 log.go:30] pipelines/dashboard:     Type: "authenticate-oidc"
I0416 15:42:15.900102       1 log.go:30] pipelines/dashboard:   },{
I0416 15:42:15.900104       1 log.go:30] pipelines/dashboard:     FixedResponseConfig: {
I0416 15:42:15.900107       1 log.go:30] pipelines/dashboard:       ContentType: "text/plain",
I0416 15:42:15.900110       1 log.go:30] pipelines/dashboard:       StatusCode: "404"
I0416 15:42:15.900113       1 log.go:30] pipelines/dashboard:     },
I0416 15:42:15.900116       1 log.go:30] pipelines/dashboard:     Order: 2,
I0416 15:42:15.900118       1 log.go:30] pipelines/dashboard:     Type: "fixed-response"
I0416 15:42:15.900121       1 log.go:30] pipelines/dashboard:   }]
...
@M00nF1sh M00nF1sh mentioned this issue Apr 18, 2020
@M00nF1sh
Collaborator

Hi, thanks for reporting this.
To temporarily mitigate this issue, you can set "-v=1" in the controller's flags.

Will cut a new release with fix today.
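
For reviewing controller logs that were already collected, the following added example (not part of the issue thread and not the project's code) masks logged ClientSecret values and lists the ingresses whose secret appeared, so those OIDC client secrets can be rotated. The function name `ScrubLog`, the regular expression and the sample lines are assumptions built from the log format shown in the report above.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample in the klog format shown in the issue; secret values are placeholders.
const sampleLog = `I0416 15:42:15.900068       1 log.go:30] pipelines/dashboard:       ClientId: "example-client-id",
I0416 15:42:15.900071       1 log.go:30] pipelines/dashboard:       ClientSecret: "example-secret-value",
I0416 15:42:15.900074       1 log.go:30] pipelines/dashboard:       Issuer: "https://company.okta.com/oauth2/default",
I0416 15:42:16.100000       1 log.go:30] team-a/grafana:       ClientSecret: "another-example",
I0416 15:42:16.100003       1 log.go:30] team-a/grafana:       Scope: "openid",`

// Groups: (1) klog header up to "] ", (2) namespace/name, (3) ":<indent>ClientSecret: "; the quoted value follows.
var secretLine = regexp.MustCompile(`^(.*\] )([^\s:]+/[^\s:]+)(:\s+ClientSecret: )"[^"]*"`)

// ScrubLog masks every logged ClientSecret value and returns the scrubbed text
// plus the sorted, de-duplicated ingresses (namespace/name) whose secret appeared.
func ScrubLog(log string) (string, []string) {
	seen := map[string]bool{}
	var out []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		if m := secretLine.FindStringSubmatch(line); m != nil {
			seen[m[2]] = true
			line = secretLine.ReplaceAllString(line, `${1}${2}${3}"[REDACTED]"`)
		}
		out = append(out, line)
	}
	affected := make([]string, 0, len(seen))
	for k := range seen {
		affected = append(affected, k)
	}
	sort.Strings(affected)
	return strings.Join(out, "\n"), affected
}

func main() {
	scrubbed, affected := ScrubLog(sampleLog)
	fmt.Println(scrubbed)
	fmt.Println("rotate OIDC client secrets for:", affected)
}
```

The scrubbed output never echoes the secret itself, so it can be attached to a ticket or shared with the team that owns each ingress.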
