1# Copyright 2015 The Kubernetes Authors.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15# This file holds configuration for taint propagation analysis of Kubernetes source via go-flow-levee.
# It defines sources that may contain credentials, and sinks at which those credentials must not be logged.
17# Sources may be identified by the FieldTags element, or by matching package, type, and field explicitly in the Sources element.
18# Sanitizers permit sources to safely reach a sink.
19# False positives may be suppressed in the Exclude block.
20# Note that `*RE` keys have regexp values.
21
22# For additional details, see KEP-1933.
23---
24
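# These field tags were introduced by KEP-1753 to indicate fields which may contain credentials.
# Any struct field carrying one of these `datapolicy` tag values is treated as a source,
# independently of the explicit Sources list below.
# Sequence items are written flush with the parent key, matching every other list in this file.
FieldTags:
- Key: "datapolicy"
  Value: "security-key"
- Key: "datapolicy"
  Value: "token"
- Key: "datapolicy"
  Value: "password"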
33
# This preliminary collection of source types should be removed once
# KEP-1753 adds tags to the relevant fields.
# Each entry identifies struct fields by package path, type name and field name.
# All three values are regexps (see the header note on `*RE` keys); they are presumably
# matched unanchored, so e.g. TypeRE "Key" would also match a type named "KeyPair" — confirm
# against go-flow-levee's matching before relying on a short pattern.
Sources:
# The following fields are tagged in #95994
- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
  TypeRE: "Config"
  FieldRE: "Password"
- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
  TypeRE: "ConfigFile"
  FieldRE: "Global"  # Global is of unnamed type, contains the field Password.

# The following fields are tagged in #95997
- PackageRE: "k8s.io/kubelet/config/v1beta1"
  TypeRE: "KubeletConfiguration"
  FieldRE: "StaticPodURLHeader"

# The following fields are tagged in #95998
- PackageRE: "k8s.io/kube-scheduler/config/v1"
  TypeRE: "ExtenderTLSConfig"
  FieldRE: "KeyData"

# The following fields are tagged in #95600
- PackageRE: "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
  TypeRE: "AuthConfig"
  FieldRE: "Password|IdentityToken|RegistryToken"

# The following fields are tagged in #96002
- PackageRE: "k8s.io/apiserver/pkg/apis/apiserver" # multiple versions
  TypeRE: "TLSConfig"
  FieldRE: "ClientKey"
- PackageRE: "k8s.io/apiserver/pkg/apis/config" # multiple versions
  TypeRE: "Key"
  FieldRE: "Secret"
- PackageRE: "k8s.io/apiserver/pkg/authentication/request/headerrequest"
  TypeRE: "requestHeaderBundle"
  FieldRE: "UsernameHeaders|GroupHeaders"
- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
  TypeRE: "certKeyContent"
  FieldRE: "key"
- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
  TypeRE: "DynamicCertKeyPairContent"
  FieldRE: "certKeyPair"
- PackageRE: "k8s.io/apiserver/pkg/server/options"
  TypeRE: "RequestHeaderAuthenticationOptions"
  FieldRE: "UsernameHeaders|GroupHeaders"
- PackageRE: "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
  TypeRE: "endpoint"
  FieldRE: "AccessToken"

# The following fields are tagged in #96003
- PackageRE: "k8s.io/cli-runtime/pkg/genericclioptions"
  TypeRE: "ConfigFlags"
  FieldRE: "BearerToken|Password"

# The following fields are tagged in #96004
- PackageRE: "k8s.io/kubernetes/pkg/kubelet/apis/config"
  TypeRE: "KubeletConfiguration"
  FieldRE: "StaticPodURLHeader"
- PackageRE: "k8s.io/kubernetes/pkg/kubelet/client"
  TypeRE: "KubeletClientConfig"
  FieldRE: "BearerToken"
- PackageRE: "k8s.io/kubernetes/pkg/kubelet/cri/streaming"
  TypeRE: "cacheEntry"
  FieldRE: "token"

# The following fields are tagged in #96005
# NOTE(review): the leading space in " Token" looks deliberate — presumably it anchors the match
# to a field named exactly Token rather than any field name containing "Token". Confirm against
# the string go-flow-levee compares FieldRE with; if it is the bare field name, this never matches.
- PackageRE: "k8s.io/api/authentication/v1"
  TypeRE: "TokenReviewSpec|TokenRequestStatus"
  FieldRE: " Token"
- PackageRE: "k8s.io/api/authentication/v1beta1"
  TypeRE: "TokenReviewSpec"
  FieldRE: " Token"

# The following fields are tagged in #96007
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/azure"
  TypeRE: "acrAuthResponse"
  FieldRE: "RefreshToken"
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
  TypeRE: "DockerConfigEntry"
  FieldRE: "Password"
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
  TypeRE: "DockerConfigJSON"
  FieldRE: "Auths|HTTPHeaders"
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
  TypeRE: "dockerConfigEntryWithAuth"
  FieldRE: "Password|Auth"
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/gcp"
  TypeRE: "tokenBlob"
  FieldRE: "AccessToken"
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
  TypeRE: "AuthConfig"
  FieldRE: "Password|Auth|IdentityToken|RegistryToken"

# The following fields are tagged in #96008
- PackageRE: "k8s.io/kubernetes/pkg/controller/certificates/authority"
  TypeRE: "CertificateAuthority"
  FieldRE: "RawKey"
131
# Sinks are functions that must not be called with source or source-tainted arguments.
# This configuration is meant to capture every unfiltered log call.
Sinks:
# Presumably matched unanchored, so PackageRE covers both "log" and "klog", and MethodRE covers
# the Info/Warning/Error/Fatal/Exit families including their f/ln/S variants — confirm.
- PackageRE: 'k?log'
  MethodRE: 'Info|Warning|Error|Fatal|Exit'
  # An empty receiver regexp matches both the top-level klog functions and klog.Verbose methods.
  ReceiverRE: ''
139
# Sanitizers permit a source to reach a sink by explicitly removing the source data:
# a value that has passed through a sanitizer is no longer reported at a sink.
Sanitizers:
# maskValue strips bearer tokens from request headers.
- MethodRE: 'maskValue'
  PackageRE: 'k8s.io/client-go/transport'
145
# False positives may be suppressed here.
# An entry suppresses all reporting within the matched function. It is specified like a Sink,
# i.e. by PackageRE | ReceiverRE | MethodRE regexps.
# Keep this list short: every entry is a blind spot for the credential-logging analysis.
Exclude:
- MethodRE: 'NewKubeletCommand'
  # Intended to cover the anonymous inner function(s) of NewKubeletCommand as well; presumably
  # their generated names contain the parent name and the regexp is unanchored — confirm.
  PackageRE: 'k8s.io/kubernetes/cmd/kubelet/app'
153