-
Notifications
You must be signed in to change notification settings - Fork 39.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
filter lastAppliedConfig annotation for describe secret #34664
filter lastAppliedConfig annotation for describe secret #34664
Conversation
7cf00f5
to
13fa69b
Compare
13fa69b
to
82e2d00
Compare
@brendandburns Rebased. PTAL |
@fabianofranz Reassigned to you. LMK if you don't have time. |
pkg/kubectl/describe.go
Outdated
@@ -1380,7 +1381,8 @@ func describeSecret(secret *api.Secret) (string, error) { | |||
fmt.Fprintf(out, "Name:\t%s\n", secret.Name) | |||
fmt.Fprintf(out, "Namespace:\t%s\n", secret.Namespace) | |||
printLabelsMultiline(out, "Labels", secret.Labels) | |||
printLabelsMultiline(out, "Annotations", secret.Annotations) | |||
filterMap := map[string]bool{annotations.LastAppliedConfigAnnotation: true} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a nit, name it (here and in method arg) as something that makes it clear what the bool
means, e.g. skipMap
or skipAnnotations
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
82e2d00
to
bd9e4f8
Compare
@fabianofranz PTAL |
@kubernetes/kubectl @lavalamp PTAL at the proposed strategy since there was some debate in the original issue. This fixes |
Any update? |
@deads2k @lavalamp comments? Trying to figure out if we should go on with this, or not consider an issue based on #23564 (comment). |
Avoiding printing a field in |
I agree, I don't think we should do this. @pwittrock's call, I guess. |
@andronat @lavalamp kubectl already hides the secret value field in describe, but just missed the value stored in the annotation. IMHO we should be consistent w.r.t whether or not we hide the secret body in describe. This wasn't intended as a general fix to access control of secret data, but instead to make the implementation of kubectl describe secret match the original intent - which is don't print the body of the secret data to a user's console when it is returned by the server. I don't think this is really urgent. I plan to revisit in a few days. |
bd9e4f8
to
f6ef8b1
Compare
Addressed comments. PTAL |
f6ef8b1
to
aadcd9b
Compare
/lgtm |
LGTM. Will add the approval label. |
/approve |
@adohe @pwittrock Any idea why |
@ymqytw could be the case sensitivity problem? my id is AdoHe |
/approved |
@adohe Missing a 'd': |
Hm, maybe I am wrong. |
/approve |
@apelisse Approval doesn't seem to be working :( |
[APPROVALNOTIFIER] This PR is APPROVED The following people have approved this PR: AdoHe, pwittrock, ymqytw Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
@k8s-bot cvm gce e2e test this |
@k8s-bot cri e2e test this |
@k8s-bot bazel test this |
@k8s-bot gce etcd3 e2e test this |
Automatic merge from submit-queue (batch tested with PRs 40505, 34664, 37036, 40726, 41595) |
Temporarily addresses: #23564.
This patch filters out the lastAppliedConfig annotation when describing a secret.
This change is