Report Submission Form
When a Kubernetes cluster is created on vSphere with vSphere enabled as the cloud provider, and the logging level is set to 4 or above, secret data is printed into the cloud controller manager's log.
1.18.6
legacy cloud provider
Source code that prints out the secret data:
https://github.com/kubernetes/kubernetes/blob/6d0f4749a59099171540d4fd7c9523b029e71ceb/staging/src/k8s.io/legacy-cloud-providers/vsphere/vsphere.go#L1503
Calling code path:
1. cmd/kube-controller-manager/app/controllermanager.go -> Run()
2. cmd/kube-controller-manager/app/controllermanager.go -> CreateControllerContext()
3. cmd/kube-controller-manager/app/cloudproviders.go -> createCloudProvider()
4. vendor/k8s.io/cloud-provider/cloud.go -> SetInformers()
5. staging/src/k8s.io/legacy-cloud-providers/vsphere/vsphere.go -> func (vs *VSphere) SetInformers(informerFactory informers.SharedInformerFactory)
If any Kubernetes user or service account has sufficient privileges (e.g. GET pods/log in the kube-system namespace), they will be able to view the data of every secret when it is created or updated, which may include sensitive values such as passwords or private keys. Further, if the secret is a service account token, the user may escalate their privileges.
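The exposure above only occurs when the in-tree vSphere cloud provider is enabled and the controller manager runs at verbosity 4 or higher. The following audit script is an added example, not code from the report or from the Kubernetes project: it parses the kube-controller-manager command-line arguments as they would appear in a static pod manifest and flags that combination. The sample argument lists are constructed, the `--v` default of 0 follows klog's default, and `--vmodule` per-file overrides are deliberately not evaluated.

```python
"""Audit kube-controller-manager flags for the vSphere log-verbosity exposure.

Added example (not part of the original report). It checks whether the
in-tree vSphere cloud provider is combined with a global log verbosity
that would cause secret data to be written to the controller manager log.
"""
from typing import Dict, List, Optional

# Constructed sample: container args as found in a kube-controller-manager
# static pod manifest, with the weak setting (--v=4) present.
SAMPLE_ARGS_WEAK = [
    "kube-controller-manager",
    "--cloud-provider=vsphere",
    "--cloud-config=/etc/kubernetes/vsphere.conf",
    "--v=4",
]

# Constructed sample: same provider, verbosity lowered to the default level.
SAMPLE_ARGS_FIXED = [
    "kube-controller-manager",
    "--cloud-provider=vsphere",
    "--cloud-config=/etc/kubernetes/vsphere.conf",
    "--v=2",
]

# Verbosity at or above which the report states secret data is logged.
LEAKING_VERBOSITY = 4


def parse_flags(args: List[str]) -> Dict[str, str]:
    """Turn ['--a=b', '--c', 'd', '--e'] into {'a': 'b', 'c': 'd', 'e': 'true'}.

    Handles both --flag=value and --flag value forms, and single-dash flags
    such as -v. Non-flag tokens (the binary name) are skipped.
    """
    flags: Dict[str, str] = {}
    i = 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("-"):
            name = tok.lstrip("-")
            if "=" in name:
                key, val = name.split("=", 1)
                flags[key] = val
            elif i + 1 < len(args) and not args[i + 1].startswith("-"):
                flags[name] = args[i + 1]
                i += 1
            else:
                flags[name] = "true"
        i += 1
    return flags


def verbosity(flags: Dict[str, str]) -> int:
    """Global klog verbosity; --v defaults to 0 when absent.

    Note: --vmodule can raise verbosity for individual source files and is
    not evaluated here (assumption: a global --v audit is sufficient).
    """
    try:
        return int(flags.get("v", "0"))
    except ValueError:
        return 0


def audit(args: List[str]) -> Optional[str]:
    """Return a finding string if the weak combination is present, else None."""
    flags = parse_flags(args)
    if flags.get("cloud-provider") != "vsphere":
        return None
    v = verbosity(flags)
    if v >= LEAKING_VERBOSITY:
        return (
            f"kube-controller-manager uses the in-tree vsphere cloud provider "
            f"at --v={v} (>= {LEAKING_VERBOSITY}); secret data will be written "
            f"to the controller manager log. Lower --v below {LEAKING_VERBOSITY} "
            f"and review who holds GET pods/log in kube-system."
        )
    return None


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_ARGS_WEAK), ("fixed", SAMPLE_ARGS_FIXED)):
        print(f"{label}: {audit(sample) or 'no finding'}")
```

Feed `audit()` the `command`/`args` list from the controller manager's pod spec; a non-`None` result means the log should also be treated as having potentially contained secret material, and access to it reviewed.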