Description
The operator provides the redis password to redis-cli via command-line arguments, which is insecure and can be logged by tools like auditd, CrowdStrike, Falco, or SentinelOne. Worse, these arguments are included in log output if the command fails.
#952 and its follow-up discussion #992 were opened for another error that led to passwords being logged, but those issues were closed as soon as the original error was fixed. Passwords are still used on the command line.
What version of redis operator are you using?
0.21.0
Logs:
{
"level": "error",
"ts": "2025-09-02T15:04:33Z",
"msg": "Could not execute command",
"controller": "rediscluster",
"controllerGroup": "redis.redis.opstreelabs.in",
"controllerKind": "RedisCluster",
"RedisCluster": {
"name": "redis-c-t",
"namespace": "redis-cluster-testing"
},
"namespace": "redis-cluster-testing",
"name": "redis-c-t",
"reconcileID": "75c0d188-a5d4-4a88-a6e0-98f1bbb76e88",
"Command": [
"redis-cli",
"--cluster",
"create",
"redis-c-t-leader-0.redis-c-t-leader-headless.redis-cluster-testing.svc:6379",
"redis-c-t-leader-1.redis-c-t-leader-headless.redis-cluster-testing.svc:6379",
"redis-c-t-leader-2.redis-c-t-leader-headless.redis-cluster-testing.svc:6379",
"--cluster-yes",
"-a",
"<redacted>",
"--tls",
"--cacert",
"/tls/ca.crt",
"-h",
"redis-c-t-leader-0"
],
"Output": "[ERR] Node redis-c-t-leader-0.redis-c-t-leader-headless.redis-cluster-testing.svc:6379 is not empty. Either the node already knows other nodes (check with CLUSTER NODES) or contains some key in database 0.\n",
"error": "execute command with error: command terminated with exit code 1, stderr: Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.\n",
"stacktrace": "github.com/OT-CONTAINER-KIT/redis-operator/internal/k8sutils.executeCommand\n\t/workspace/internal/k8sutils/redis.go:466\ngithub.com/OT-CONTAINER-KIT/redis-operator/internal/k8sutils.ExecuteRedisClusterCommand\n\t/workspace/internal/k8sutils/redis.go:183\ngithub.com/OT-CONTAINER-KIT/redis-operator/internal/controller/rediscluster.(*Reconciler).Reconcile\n\t/workspace/internal/controller/rediscluster/rediscluster_controller.go:197\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227"
}
redis-operator version: 0.21.0
Does this issue reproduce with the latest release?
I haven't checked on 0.22.0, but the code still appends a command-line password here. It also looks like the logging code (three lines below that) has not changed.
What operating system and processor architecture are you using (kubectl version)?
kubectl version Output
$ kubectl version
Client Version: v1.30.14
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.31.7
What did you do?
I created a new cluster and then ran into various problems with TLS or IP addresses. When the cluster creation commands failed, they logged these errors and included passwords.
What did you expect to see?
No passwords in the logs.
What did you see instead?
Passwords in the logs.
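The two problems the report describes, a secret placed in argv and that argv copied into an error log, can be shown side by side in a small Go program. This is an added illustration, not code from redis-operator; the function names, the constructed node list and the sample password are ours. What it relies on from redis-cli is real: redis-cli reads the password from the REDISCLI_AUTH environment variable when -a is not given, and a value in the environment is not part of the execve argument vector that process auditing and ps expose.

```go
package main

import "fmt"

// redisCliAuthEnv is the environment variable redis-cli consults for the
// password when no -a option is given (documented redis-cli behaviour).
const redisCliAuthEnv = "REDISCLI_AUTH"

// buildInsecureCommand reproduces the pattern the issue describes: the
// password is appended to argv after -a. Anything that records argv
// (auditd execve records, EDR process telemetry, ps) sees it, and so does
// any log line that dumps the command on failure. Hypothetical helper.
func buildInsecureCommand(nodes []string, password string) []string {
	argv := []string{"redis-cli", "--cluster", "create"}
	argv = append(argv, nodes...)
	argv = append(argv, "--cluster-yes")
	if password != "" {
		argv = append(argv, "-a", password)
	}
	return argv
}

// buildSecureCommand keeps the secret out of argv. It returns the argv plus
// a separate environment entry carrying REDISCLI_AUTH for the caller to
// hand to whatever exec mechanism it uses. Hypothetical helper.
func buildSecureCommand(nodes []string, password string) (argv []string, env []string) {
	argv = []string{"redis-cli", "--cluster", "create"}
	argv = append(argv, nodes...)
	argv = append(argv, "--cluster-yes")
	if password != "" {
		env = append(env, redisCliAuthEnv+"="+password)
	}
	return argv, env
}

// redactArgs returns a copy of argv that is safe to put in a log line. The
// value following -a or --pass is replaced, and so is the value after -u,
// because a redis:// URI may embed user:password. A trailing bare flag with
// no value is left alone rather than indexing past the slice.
func redactArgs(argv []string) []string {
	out := make([]string, len(argv))
	copy(out, argv)
	for i := 0; i < len(out); i++ {
		switch out[i] {
		case "-a", "--pass", "-u":
			if i+1 < len(out) {
				out[i+1] = "<redacted>"
				i++ // skip the value we just replaced
			}
		}
	}
	return out
}

// leaksSecret reports whether the secret appears verbatim in argv; handy as
// a guard in unit tests around any command builder or logger.
func leaksSecret(argv []string, secret string) bool {
	for _, a := range argv {
		if a == secret {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample input, not taken from a real cluster.
	nodes := []string{"leader-0:6379", "leader-1:6379", "leader-2:6379"}
	const password = "hunter2"

	insecure := buildInsecureCommand(nodes, password)
	fmt.Println("insecure argv (what an error log would print):", insecure)
	fmt.Println("same argv after redaction:               ", redactArgs(insecure))

	argv, env := buildSecureCommand(nodes, password)
	fmt.Println("secure argv:", argv)
	fmt.Println("secret carried in env instead:", env)
}
```

Redaction of the log line is the smaller fix and does nothing about auditd or EDR telemetry, which read argv at exec time; only moving the secret out of argv closes that path. For a command run inside a pod through the Kubernetes exec API, the variable has to already exist in the container's environment (for example populated from the password Secret), since exec cannot inject environment variables; that is a deployment assumption of this example, not something the issue states.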