kata.genpolicy: never log already existing policy annotation

edgelesssys · Dec 9, 2024 · 637bf99 · 637bf99
1 parent 631d474
commit 637bf99
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 0 deletions.
diff --git a/...ages/by-name/kata/kata-runtime/0018-genpolicy-do-not-log-policy-annotation-in-debug.patch b/...ages/by-name/kata/kata-runtime/0018-genpolicy-do-not-log-policy-annotation-in-debug.patch
@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: jmxnzo <[email protected]>
+Date: Mon, 9 Dec 2024 15:26:56 +0100
+Subject: [PATCH] genpolicy: do not log policy annotation in debug
+
+---
+ src/tools/genpolicy/src/obj_meta.rs | 39 ++++++++++++++++++++++++++++-
+ 1 file changed, 38 insertions(+), 1 deletion(-)
+
+diff --git a/src/tools/genpolicy/src/obj_meta.rs b/src/tools/genpolicy/src/obj_meta.rs
+index 3da75fc0ff67068af04ea98a6dfdc6989961e17c..d56545f8dc538b3660b0d75086aeb0ca802dd638 100644
+--- a/src/tools/genpolicy/src/obj_meta.rs
++++ b/src/tools/genpolicy/src/obj_meta.rs
+@@ -8,9 +8,10 @@
+
+ use serde::{Deserialize, Serialize};
+ use std::collections::BTreeMap;
++use std::fmt;
+
+ /// See ObjectMeta in the Kubernetes API reference.
+-#[derive(Clone, Debug, Default, Serialize, Deserialize)]
++#[derive(Clone, Default, Serialize, Deserialize)]
+ pub struct ObjectMeta {
+     #[serde(skip_serializing_if = "Option::is_none")]
+     pub name: Option<String>,
+@@ -43,3 +44,39 @@ impl ObjectMeta {
+         self.namespace.as_ref().cloned()
+     }
+ }
++
++
++impl fmt::Debug for ObjectMeta {
++    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
++        let mut debug_struct = f.debug_struct("ObjectMeta");
++
++        if let Some(ref name) = self.name {
++            debug_struct.field("name", name);
++        }
++        if let Some(ref generate_name) = self.generateName {
++            debug_struct.field("generateName", generate_name);
++        }
++        if let Some(ref labels) = self.labels {
++            debug_struct.field("labels", labels);
++        }
++        if let Some(ref annotations) = self.annotations {
++            // Process annotations: redact values longer than 100 characters
++            let redacted_annotations: BTreeMap<_, _> = annotations
++                .iter()
++                .map(|(key, value)| {
++                    if value.len() > 100 {
++                        (key.clone(), "<redacted annotation>".to_string())
++                    } else {
++                        (key.clone(), value.clone())
++                    }
++                })
++                .collect();
++            debug_struct.field("annotations", &redacted_annotations);
++        }
++        if let Some(ref namespace) = self.namespace {
++            debug_struct.field("namespace", namespace);
++        }
++
++        debug_struct.finish()
++    }
++}
diff --git a/packages/by-name/kata/kata-runtime/package.nix b/packages/by-name/kata/kata-runtime/package.nix
@@ -102,6 +102,11 @@ buildGoModule rec {
       # No upstream patch available, changes first need to be discussed with Kata maintainers.
       # See https://katacontainers.slack.com/archives/C879ACQ00/p1731928491942299
       ./0017-runtime-allow-initrd-AND-image-to-be-set.patch
+
+      # Simple genpolicy logging redaction of the policy annotation
+      # This avoids printing the entire annotation on log level debug, which resulted in errors of the logtranslator.go
+      # TODO(jmxnzo): 
+      ./0018-genpolicy-do-not-log-policy-annotation-in-debug.patch
     ];
   };