Skip to content

[release/2.2] Harden error handling to strip potentially-sensitive registry parameters#12804

Merged
samuelkarp merged 1 commit intocontainerd:release/2.2from
k8s-infra-cherrypick-robot:cherry-pick-12801-to-release/2.2
Jan 21, 2026
Merged

[release/2.2] Harden error handling to strip potentially-sensitive registry parameters#12804
samuelkarp merged 1 commit intocontainerd:release/2.2from
k8s-infra-cherrypick-robot:cherry-pick-12801-to-release/2.2

Conversation

@k8s-infra-cherrypick-robot
Copy link

@k8s-infra-cherrypick-robot k8s-infra-cherrypick-robot commented Jan 21, 2026

This is an automated cherry-pick of #12801

/assign AkihiroSuda

@aadhar-agarwal
fix: sanitize error before gRPC return to prevent credential leak in …
cb3ae21 
…pod events

PR containerd#12491 fixed credential leaks in containerd logs but the gRPC error
returned to kubelet still contained sensitive information. This was
visible in Kubernetes pod events via `kubectl describe pod`.

The issue was that SanitizeError was called inside the defer block,
but errgrpc.ToGRPC(err) was evaluated before the defer ran, so the
gRPC message contained the original unsanitized error.

Move SanitizeError before the return statement so both the logged
error and the gRPC error are sanitized.

Ref: containerd#5453
Signed-off-by: Aadhar Agarwal <[email protected]>
@github-project-automation github-project-automation bot moved this to Needs Triage in Pull Request Review Jan 21, 2026
@k8s-infra-cherrypick-robot k8s-infra-cherrypick-robot mentioned this pull request Jan 21, 2026
Merged
@dosubot dosubot bot added area/cri Container Runtime Interface (CRI) kind/bug labels Jan 21, 2026
@github-project-automation github-project-automation bot moved this from Needs Triage to Review In Progress in Pull Request Review Jan 21, 2026
@samuelkarp samuelkarp merged commit e7a0ac9 into containerd:release/2.2 Jan 21, 2026
90 of 92 checks passed
@github-project-automation github-project-automation bot moved this from Review In Progress to Done in Pull Request Review Jan 21, 2026
@samuelkarp samuelkarp changed the title [release/2.2] fix: sanitize error before gRPC return to prevent credential leak in pod events [release/2.2] Harden error handling to strip potentially-sensitive registry parameters Mar 9, 2026
@samuelkarp samuelkarp mentioned this pull request Mar 9, 2026
Merged
@BrewTestBot BrewTestBot mentioned this pull request Mar 10, 2026
Merged
@github-actions github-actions bot mentioned this pull request Mar 24, 2026
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@samuelkarp samuelkarp samuelkarp approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees

@AkihiroSuda AkihiroSuda

Labels

area/cri Container Runtime Interface (CRI) impact/changelog kind/bug size/S

Projects

Pull Request Review
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@k8s-infra-cherrypick-robot @samuelkarp @AkihiroSuda @k8s-ci-robot @aadhar-agarwal