Error messages returned from registries should hide sensitive information

[CezarManea]

Description
Error messages returned from registries should hide sensitive information.

Registries sometimes return a body with an error which contains useful information, but also sensitive data. For example in a setup with a private docker registry with S3 Storage the error on timeout contains full signed URL that can be used to download data that might be restricted. This only can be done during the signed URL timeout (1200s).

Steps to reproduce the issue:

1. Setup a private docker registry with S3 Storage
2. Setup a Kubernetes cluster with containerd
3. Set imagePullSecrets of pods with secret credentials for the private registry
4. In the event of a timeout the error contains full signed URL

Describe the results you received:
Kubernetes event on pod contains the following error
Warning Failed 3m36s kubelet Failed to pull image "my-private-registry.io/default/nginx:latest": rpc error: code = Unknown desc = failed to pull and unpack image "my-private-registry.io/default/nginx:latest": failed to copy: httpReaderSeeker: failed open: failed to do request: Get https://s3-endpoint/docker-hub/docker/registry/v2/blobs/sha256/79/7...dsdasdas/data?X-Amz-Algorithm=PLAIN_TEXT&X-Amz-Credential=PLAIN_TEXT&X-Amz-Date=PLAIN_TEXT&X-Amz-Expires=1200&X-Amz-SignedHeaders=host&X-Amz-Signature=PLAIN_TEXT: net/http: TLS handshake timeout

Describe the results you expected:
The error to hide sensitive information
Warning Failed 3m36s kubelet Failed to pull image "my-private-registry.io/default/nginx:latest": rpc error: code = Unknown desc = failed to pull and unpack image "my-private-registry.io/default/nginx:latest": failed to copy: httpReaderSeeker: failed open: failed to do request: Get https://s3-endpoint/docker-hub/docker/registry/v2/blobs/sha256/79/7...dsdasdas/data?X-Amz-Algorithm=REDACTED&X-Amz-Credential=REDACTED&X-Amz-Date=REDACTED&X-Amz-Expires=1200&X-Amz-SignedHeaders=host&X-Amz-Signature=REDACTED: net/http: TLS handshake timeout

What version of containerd are you using:

 Container Runtime Version:  containerd://1.4.3

[kzys]

While I can agree, it is not straightforward to implement. We could redact a URL, assuming it would contain sensitive information, but it would make troubleshooting harder.

[northtyphoon]

Considering containerd is widely adopted and running on the production environment, exposing the credential (even it's a short-living token) in log is a real problem as all companies put the security as the top priority. Is it reasonable to make a tradeoff here to mask the query parameter to address the security concern?

[cpuguy83]

I guess we could intercept errors we are sending back to cri clients, see if contains a url.Error, check if said error contains a redacted value and use that to scrub the content we send to the client.