
[release/1.7] fix: sanitize error before gRPC return to prevent credential leak in pod events #12805

Merged
fuweid merged 1 commit into containerd:release/1.7 from AkihiroSuda:cherrypick-12801-1.7
Jan 21, 2026


@AkihiroSuda AkihiroSuda commented Jan 21, 2026

Member

Cherry-pick (not clean)

Sanitize error before gRPC return to prevent possible credential leak in pod events

…pod events

PR containerd#12491 fixed credential leaks in containerd logs but the gRPC error
returned to kubelet still contained sensitive information. This was
visible in Kubernetes pod events via `kubectl describe pod`.

The issue was that SanitizeError was called inside the defer block,
but errgrpc.ToGRPC(err) was evaluated before the defer ran, so the
gRPC message contained the original unsanitized error.

Move SanitizeError before the return statement so both the logged
error and the gRPC error are sanitized.

Ref: containerd#5453
Signed-off-by: Aadhar Agarwal <aadagarwal@microsoft.com>
(cherry picked from commit 7b11d6c)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@github-project-automation github-project-automation Bot moved this to Needs Triage in Pull Request Review Jan 21, 2026
@dosubot dosubot Bot added area/cri Container Runtime Interface (CRI) kind/bug labels Jan 21, 2026
@github-project-automation github-project-automation Bot moved this from Needs Triage to Review In Progress in Pull Request Review Jan 21, 2026
@fuweid fuweid merged commit 344f7c8 into containerd:release/1.7 Jan 21, 2026
119 of 123 checks passed
@github-project-automation github-project-automation Bot moved this from Review In Progress to Done in Pull Request Review Jan 21, 2026
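
The evaluation-order problem described in the commit message, as an added example that is not code from this PR or from containerd. `sanitize`, `toGRPC`, `pullErr` and the `sig=` URL are hypothetical stand-ins and constructed sample data; the model uses a local `err` to show only the ordering of the return operand and the deferred call.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// sanitize and toGRPC are hypothetical stand-ins, not containerd's
// SanitizeError or errgrpc.ToGRPC. Both expect a non-nil error.
var secretParam = regexp.MustCompile(`(sig|token)=[^&\s"]+`)

func sanitize(err error) error {
	return errors.New(secretParam.ReplaceAllString(err.Error(), "$1=[REDACTED]"))
}

func toGRPC(err error) error {
	return fmt.Errorf("rpc error: code = Unknown desc = %v", err)
}

// pullErr is a constructed pull failure whose URL carries a fake credential.
var pullErr = errors.New(`Get "https://registry.example/v2/blob?sig=CONSTRUCTED-SECRET": EOF`)

// Before: the return operand toGRPC(err) is evaluated first, then the defer
// sanitizes the local err. The log line is clean, the returned error is not.
func pullBefore(logged *string) error {
	err := pullErr
	defer func() { err = sanitize(err); *logged = err.Error() }()
	return toGRPC(err)
}

// After: sanitize before the return statement, so the logged error and the
// converted error are both built from the redacted value.
func pullAfter(logged *string) error {
	err := sanitize(pullErr)
	defer func() { *logged = err.Error() }()
	return toGRPC(err)
}

func leaks(s string) bool { return strings.Contains(s, "CONSTRUCTED-SECRET") }

func main() {
	var logB, logA string
	retB, retA := pullBefore(&logB), pullAfter(&logA)
	fmt.Println("before: log leaks", leaks(logB), "/ returned leaks", leaks(retB.Error()))
	fmt.Println("after:  log leaks", leaks(logA), "/ returned leaks", leaks(retA.Error()))
}
```

A regression test for this class of bug should assert on the error value handed back to the caller, not only on captured log output.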

Labels

area/cri Container Runtime Interface (CRI) impact/changelog kind/bug size/M


5 participants