How to enforce data redaction by configuration 🔧

In some cases you may want to keep sensitive data out of the Komodor platform. You can do so by applying the configuration values shown below.

Values:

  • events.redact - Redact the values of matching fields in resources
  • logs.redact - Redact matching text from collected logs
  • logs.namespaceDenylist - Do not collect logs from the listed namespaces
  • logs.namespaceAllowlist - Only collect logs from the listed namespaces
  • logs.nameDenylist - Do not collect logs from the listed workloads

For example, to redact password-related fields from all resources (here, any field whose name starts with PG_ or contains PASSWORD), apply the following YAML configuration:

events:
  redact:
    - "PG_.*"
    - ".*PASSWORD.*"

To avoid collecting logs from the kube-system namespace, apply the following YAML configuration:

logs:
  namespaceDenylist: ["kube-system"]

To collect logs only from the default and dev namespaces, apply the following YAML configuration:

logs:
  namespaceAllowlist: ["default", "dev"]

To mask passwords and session IDs in logs, apply the following YAML configuration. Each pattern is matched against every log line and the whole match is replaced with <REDACTED>:

logs:
  redact:
    # Single-quoted so that \b reaches the regex engine as a word boundary;
    # inside a double-quoted YAML string "\b" is the backspace escape and the rule would never match.
    - 'password=(.+?)\b'
    - '(?U)"sessionId": (".+"{1})'

Example log redactions:

INPUT: example my password=supersecret and something else
OUTPUT: example my <REDACTED> and something else

INPUT: { "level": "INFO", "message": "User has added Item 12453 to Basket", "sessionId": "SESS456", "timestamp": 1634477804 }
OUTPUT: { "level": "INFO", "message": "User has added Item 12453 to Basket", <REDAC
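The following Go program is an added example, not part of the original article or of the Komodor agent. It compiles the two logs.redact patterns above with Go's RE2 engine (assumed here because the patterns use the Go-only (?U) flag), runs them over the page's two sample lines, and then shows the check a practitioner should make before rolling out a rule: the pattern as a double-quoted YAML string would hand the engine a backspace instead of \b, and the verification step reports that it matches nothing.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample lines, copied from the article's INPUT examples.
const (
	passwordLine = "example my password=supersecret and something else"
	jsonLine     = `{ "level": "INFO", "message": "User has added Item 12453 to Basket", "sessionId": "SESS456", "timestamp": 1634477804 }`
)

// Redactor applies each logs.redact pattern in order and replaces the
// whole match with <REDACTED>, as the article's OUTPUT lines show.
type Redactor struct {
	patterns []*regexp.Regexp
}

// NewRedactor compiles the configured patterns (RE2 syntax, so (?U) is honoured).
func NewRedactor(patterns []string) (*Redactor, error) {
	r := &Redactor{}
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("logs.redact pattern %q: %w", p, err)
		}
		r.patterns = append(r.patterns, re)
	}
	return r, nil
}

// Redact returns the line with every pattern match replaced.
func (r *Redactor) Redact(line string) string {
	for _, re := range r.patterns {
		line = re.ReplaceAllString(line, "<REDACTED>")
	}
	return line
}

// Verify returns the sample lines that no pattern changed: a rule that
// leaves its own sample untouched is misconfigured and leaks the secret.
func Verify(r *Redactor, samples []string) []string {
	var unchanged []string
	for _, s := range samples {
		if r.Redact(s) == s {
			unchanged = append(unchanged, s)
		}
	}
	return unchanged
}

func main() {
	good, _ := NewRedactor([]string{`password=(.+?)\b`, `(?U)"sessionId": (".+"{1})`})
	for _, s := range []string{passwordLine, jsonLine} {
		fmt.Println(good.Redact(s))
	}
	// What the double-quoted YAML form "password=(.+?)\b" actually delivers:
	// \b becomes the byte 0x08, so the rule silently never matches.
	bad, _ := NewRedactor([]string{"password=(.+?)\x08"})
	fmt.Println("samples left unredacted by the broken rule:", Verify(bad, []string{passwordLine}))
}
```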
