diff --git a/keps/sig-security/1753-logs-sanitization/README.md b/keps/sig-instrumentation/1753-logs-sanitization/README.md similarity index 94% rename from keps/sig-security/1753-logs-sanitization/README.md rename to keps/sig-instrumentation/1753-logs-sanitization/README.md index 7e8ab6ba207..9039352eab0 100644 --- a/keps/sig-security/1753-logs-sanitization/README.md +++ b/keps/sig-instrumentation/1753-logs-sanitization/README.md @@ -7,6 +7,7 @@ - [Goals](#goals) - [Non-Goals](#non-goals) - [Proposal](#proposal) + - [Deprecation](#deprecation) - [Risks and Mitigations](#risks-and-mitigations) - [Performance overhead](#performance-overhead) - [Design Details](#design-details) 
@@ -105,6 +106,16 @@ We also propose to implement a small library which could use the above informati Finally we propose to integrate this library with the klog logging library used by Kubernetes in a way that when enabled the log entries which contain information marked as sensitive will be redacted from the logs. +### Deprecation + +Dynamic log sanitization was added as an experimental alpha feature under SIG Instrumentation in the 1.20 release. When it was introduced, the SIG had some reservations about the feature and its performance, but concluded that an alpha POC would be low risk. We encouraged exploring alternatives, and that eventually resulted in the implementation of static analysis as part of our presubmit CI to ensure secrets are not being logged. This alternative implementation has graduated to stable in the 1.23 cycle. + +During SIG Instrumentation's Dec. 9 meeting, we discussed the support burden of this feature and the issues this may cause in blocking other new logging improvements. Hence, we would like to deprecate the feature in the 1.24 cycle. Since this is an alpha feature, this means it will be entirely removed. + +Note that [data policy tags](#source-code-tags) will not be deprecated or removed, as they are currently in use by [KEP-1933] and may be used by other automated tools in the future. + +[KEP-1933]: /keps/sig-security/1933-secret-logging-static-analysis/README.md + ### Risks and Mitigations #### Performance overhead @@ -231,6 +242,7 @@ To address them we propose: * 2020-05-08 - Original Proposal * 2020-08-07 - Merged as provisional +* 2021-12-23 - Marked for deprecation ## Drawbacks diff --git a/keps/sig-security/1753-logs-sanitization/kep.yaml b/keps/sig-instrumentation/1753-logs-sanitization/kep.yaml similarity index 59% rename from keps/sig-security/1753-logs-sanitization/kep.yaml rename to keps/sig-instrumentation/1753-logs-sanitization/kep.yaml index 3f7134bcc47..46ed4020ca1 100644 
--- a/keps/sig-security/1753-logs-sanitization/kep.yaml +++ b/keps/sig-instrumentation/1753-logs-sanitization/kep.yaml @@ -4,14 +4,17 @@ authors: - "@44past4" - "@immutableT" - "@PurelyApplied" -owning-sig: sig-security +owning-sig: sig-instrumentation participating-sigs: - - sig-instrumentation -status: implementable + - sig-security +status: implemented (alpha) creation-date: 2020-05-07 -last-updated: 2020-10-14 -stage: alpha -latest-milestone: "1.19" +stage: alpha (deprecated) +latest-milestone: "1.24" +milestone: + alpha: "v1.19" + deprecated: "v1.24" + removed: "v1.24" reviewers: - "@ehashman" approvers:
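Review bot: In the new `### Deprecation` section of README.md, the first sentence says the feature was added as alpha "in the 1.20 release", but the kep.yaml change in this same patch records `alpha: "v1.19"` under `milestone`. One of the two needs correcting so the KEP names a single alpha release. In the second paragraph of that section, "Dec. 9 meeting" carries no year; writing the full date in the same form as the History entries (`2021-12-23 - Marked for deprecation`) keeps the reference unambiguous for later readers.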
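Review bot: In the kep.yaml hunk, `status: implemented (alpha)` and `stage: alpha (deprecated)` replace single-token values (`implementable`, `alpha`) with free-form strings, which anything that reads these fields as a fixed set of values will no longer match. The added `deprecated: "v1.24"` and `removed: "v1.24"` keys under `milestone` already record the deprecation, so consider keeping `stage: alpha` and a plain status value. Two smaller points in the same hunk: `latest-milestone: "1.24"` has no `v` prefix while the new `milestone` entries use `"v1.19"` and `"v1.24"`, and `last-updated` is removed rather than bumped; if dropping that field is intentional, say so in the PR description.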