Skip to content

KEP 5933: Add x-kubernetes-sensitive-data marker for CRD fields#5937

Open
trofimovdals wants to merge 1 commit intokubernetes:masterfrom
trofimovdals:KEP-5933-crd-sensitive-data
Open

KEP 5933: Add x-kubernetes-sensitive-data marker for CRD fields#5937
trofimovdals wants to merge 1 commit intokubernetes:masterfrom
trofimovdals:KEP-5933-crd-sensitive-data

Conversation

@trofimovdals
Copy link

@trofimovdals trofimovdals commented Feb 25, 2026

Introduces x-kubernetes-sensitive-data vendor extension that enables field stripping on get/list/watch for unauthorized callers and unconditional masking of sensitive values in audit log entries.

  • One-line PR description: Add support for marking CRD fields as sensitive with RBAC-gated access, and audit log masking

@trofimovdals
KEP:5933-crd-sensitive-data
90c2967 
Signed-off-by: dmitry.trofimov <[email protected]>
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 25, 2026
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Feb 25, 2026

Hi @trofimovdals. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Feb 25, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: trofimovdals
Once this PR has been reviewed and has the lgtm label, please assign fedebongio for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory label Feb 25, 2026
@k8s-ci-robot k8s-ci-robot requested a review from sttts February 25, 2026 09:52
@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Feb 25, 2026
@trofimovdals trofimovdals mentioned this pull request Feb 25, 2026
Open
4 tasks
lmktfy
lmktfy reviewed Mar 17, 2026
View reviewed changes
keps/sig-api-machinery/5933-crd-sensitive-data/kep.yaml
- "@sprait"
owning-sig: sig-api-machinery
participating-sigs:
- sig-auth
Copy link
Member

@lmktfy lmktfy Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SIG Security too?

lmktfy
lmktfy reviewed Mar 17, 2026
View reviewed changes
keps/sig-api-machinery/5933-crd-sensitive-data/README.md
- PATCH request audit masking is technically challenging, requiring JSON path analysis of patch bodies.

## Alternatives

Copy link
Member

@lmktfy lmktfy Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should note that people could use a Secret instead (even if we rule out that alternative); it is a broadly viable option here.

lmktfy
lmktfy reviewed Mar 17, 2026
View reviewed changes
keps/sig-api-machinery/5933-crd-sensitive-data/README.md
- Returned **in full** to every authenticated caller that can `get` the resource, even if the caller only needs non-sensitive fields.
- Logged **in cleartext** in audit log entries, creating a compliance risk.

There is no first-class Kubernetes primitive that lets a CRD author say "this field is sensitive — treat it accordingly".
Copy link
Member

@lmktfy lmktfy Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's true, and I note the non goals, but having a built in API with these properties would also be really convenient.

lmktfy
lmktfy reviewed Mar 17, 2026
View reviewed changes
keps/sig-api-machinery/5933-crd-sensitive-data/README.md
- PATCH masking in audit is more complex than GET/PUT masking because the patch body must be parsed and individual values replaced by path.

### Risks and Mitigations

Copy link
Member

@lmktfy lmktfy Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I get an object and write it back with a PUT, do I lose data? How's that risk managed?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@apelisse apelisse Awaiting requested review from apelisse

@sttts sttts Awaiting requested review from sttts

1 more reviewer

@lmktfy lmktfy lmktfy left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@trofimovdals @k8s-ci-robot @lmktfy