Jenkins Printing Kubernetes Plugin Authorization Bearer Token in Logs

10/31/2019

As the title suggests, I can view Kubernetes bearer tokens in the Jenkins logs (/logs/all endpoints). Isn't this a security concern? Is there a way to stop it without having to meddle with the Kubernetes plugin source code?

Edit:

Example log:

Aug 29, 2020 7:39:41 PM okhttp3.internal.platform.Platform log
INFO: Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3Nlcn
-- user5056973
jenkins
kubernetes
logging
token

1 Answer

10/31/2019

See the documentation for okhttp:

Warning: The logs generated by this interceptor when using the HEADERS or BODY levels have the potential to leak sensitive information such as "Authorization" or "Cookie" headers and the contents of request and response bodies. This data should only be logged in a controlled way or in a non-production environment.

So you should probably not activate that logging in an environment where you have sensitive tokens.

-- Jonas
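As an added illustration (not code from the question, the answer, or the Jenkins Kubernetes plugin), the snippet below shows the two places where the leak in the example log line can be closed. The first is for code that owns the OkHttp client: `HttpLoggingInterceptor.redactHeader()` keeps the header name in the log but replaces its value with a placeholder, so HEADERS-level logging no longer prints the bearer token. The second is for an operator who cannot change the client, as in the question: a `java.util.logging` Filter that rewrites `Authorization: Bearer <token>` in each LogRecord before any handler writes it. The okhttp logger name used in `main` is an assumption for the demo; attach the filter to whatever logger the messages reach in your deployment, or to the root logger. The example assumes a recent okhttp-logging-interceptor on the classpath.

```java
import java.util.logging.Filter;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.regex.Pattern;

import okhttp3.OkHttpClient;
import okhttp3.logging.HttpLoggingInterceptor;

public class RedactedHttpLogging {

    /** Client side: if you own the OkHttpClient, never log headers unredacted. */
    static OkHttpClient buildClient() {
        HttpLoggingInterceptor logging = new HttpLoggingInterceptor();
        // HEADERS (and BODY) print every request header, including the Kubernetes bearer token.
        logging.setLevel(HttpLoggingInterceptor.Level.HEADERS);
        // redactHeader() keeps the header name but replaces its value with a placeholder in the output.
        logging.redactHeader("Authorization");
        logging.redactHeader("Cookie");
        return new OkHttpClient.Builder().addInterceptor(logging).build();
    }

    /**
     * Operator side: a java.util.logging Filter that scrubs bearer tokens out of each
     * LogRecord before any handler writes it. Useful when the HTTP client lives inside a
     * plugin you cannot modify.
     */
    static final class BearerRedactingFilter implements Filter {
        // Matches "Authorization: Bearer <token>" and keeps only the scheme.
        private static final Pattern BEARER =
                Pattern.compile("(?i)(Authorization:\\s*Bearer)\\s+\\S+");

        @Override
        public boolean isLoggable(LogRecord record) {
            String msg = record.getMessage();
            if (msg != null) {
                // LogRecord is mutable: rewrite the message, then let the record through.
                record.setMessage(BEARER.matcher(msg).replaceAll("$1 [REDACTED]"));
            }
            return true;
        }
    }

    public static void main(String[] args) {
        // Logger name is an assumption for this demo, not taken from the question.
        Logger okhttpLogger = Logger.getLogger("okhttp3.OkHttpClient");
        okhttpLogger.setFilter(new BearerRedactingFilter());

        // Constructed sample message in the shape of the log line from the question;
        // the token value below is made up.
        okhttpLogger.log(Level.INFO,
                "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.constructedSampleToken");
    }
}
```

The Filter approach does not depend on the plugin's logging level: even if someone raises the okhttp3 logger to FINE and the interceptor emits headers, the token is stripped before it reaches the Jenkins log view. The interceptor-side redaction is still the better fix where you control the client, because nothing sensitive is ever formatted into a log message in the first place.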
Source: StackOverflow