I am passing sensitive variables to a Kubernetes Custom YAML script to create secrets, following this blog post.
The values are filtered with | Base64 as required for Secret resource values.
The Base64 encoded values are not masked out in the logs when displaying the Kubernetes resource being applied.
Base64 is just a different encoding so the sensitive value is essentially written in plain text to the logs.
I also tested by writing the raw (non-Base64 encoded) sensitive value to the Secret resource and the unfiltered value was masked in the logs as expected.
Looks like using stringData with the raw value for the Secret instead of data with Base64 encoded values has the intended behavior: the sensitive values are masked from the logs.
While this addresses the specific reported scenario, it may not be a general solution for filtered sensitive variables where a specific encoding is required and the variable filtering can’t be worked around.
Thanks for bringing this to our attention and I am glad to see you’ve found a workaround.
I am going to bring this up with our engineering team to get their thoughts on masking sensitive variables in the situation where Base64 encoding is required.
Please let me know if you have any more questions.