Sensitive data redaction in Komodor’s k8s-watcher¶
What is it¶
It’s likely that there are values you don’t want to send to Komodor as plain text. Kubernetes Secrets, for instance, ConfigMap sensitive values, container environment variables or pod logs. When configured - we will redact the specific value. That way Komodor won't see any sensitive data while you will still see configuration diff.
How to integrate¶
Inside komodor-k8s-watcher.yaml
you should add a list of string or regular expressions under redact
and redactLogs
key as such:
komodor-k8s-watcher
watchNamespace: all
namespacesBlacklist:
- kube-system
redact:
- "PG_.*"
- ".*PASSWORD.*"
redactLogs:
- "password=(.+?)\b"
- "(?U)\"sessionId\": (\".+\"{1})"
nameBlacklist: ["leader", "election"]
collectHistory: false
How to integrate using helm upgrade command¶
helm upgrade --install k8s-watcher komodorio/k8s-watcher --set watcher.redact="{.*PASSWORD.*,.*password.*,.*KEY.*,.*key.*,.*SECRET.*,.*secret.*}" --set watcher.redactLogs="{password=(.+?)\b,(?U)\"sessionId\": (\".+\"{1})}" --set apiKey=<API-KEY> --set watcher.clusterName=<cluster-name> --set watcher.enableAgentTaskExecution=true --set watcher.allowReadingPodLogs=true
How to integrate using environment variables¶
Separate multiple values with a whitespace in the environment variable value.
To include a whitespace in the patterns to redact, make sure to use \s
as it the patterns are regexp.
export KOMOKW_REDACT=".*password.* PG_.*"
export KOMOKW_REDACT_LOGS="password=(.+?)\b (?U)\"sessionId\": (\".+\"{1})"
Secret Resource¶
By default, Komodor’s agent is hashing all secrets values.
ConfigMap resource¶
You can preconfigure a list of keys for Kubernetes watcher to also redact specific values from ConfigMap.
komodor-k8s-watcher.yaml:
redact:
- "SENTRY_API_KEY"
- "PG_.*"
configmap.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
Name: sensitive-config-map
data:
SENTRY_API_KEY: super_secret
PG_SECRET: super_secret
PG_USERNAME: super_secret
All the above “super_secret” will be sent has hashed value.
Deployment resource¶
Komodor’s agent will hash template.spec.template.[containeres|initContainers].env
list of variables inside Deployment objects for pre-configured list of keys or list of regular expressions.
komodor-k8s-watcher.yaml:
redact:
- "SENTRY_API_KEY"
- "PG_.*"
deployment.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: sensitive-deployment
spec:
selector:
matchLabels:
run: example
replicas: 1
template:
metadata:
labels:
run: example
spec:
containers:
- name: hello-world
image: gcr.io/google-samples/node-hello:1.0
env:
- name: PG_USERNAME
value: super_secret
- name: SECRET
value: this_will_show_up
In the above deployment example we will not send the secret values for PG_USERNAME.
SECRET will show up as is due to the fact it won’t match any string or regex in our configuration.
Pod Logs¶
Note: Pod Logs redaction is available starting from Komodor Agent version 0.1.126
Komodor's agent will redact any logs matching one of the patterns set in the redactLogs
configuration.
komodor-k8s-watcher.yaml:
redactLogs:
- "password=(.+?)\b"
- "(?U)\"sessionId\": (\".+\"{1})"
Environment variables:
export KOMOKW_REDACT_LOGS="password=(.+?)\b (?U)\"sessionId\": (\".+\"{1})"
Example logs:
INPUT: example my password=supersecret and something else
OUTPUT: example my <REDACTED> and something else
INPUT: { "level": "INFO", "message": "User has added Item 12453 to Basket", "sessionId": "SESS456", "timestamp": 1634477804 }
OUTPUT: { "level": "INFO", "message": "User has added Item 12453 to Basket", <REDACTED>, "timestamp": 1634477804 }
Testing logs redaction patterns¶
You can easily test the patterns you want to configure before deploying by using our docker image and our utilities command.
❯ docker run --rm -e KOMOKW_REDACT_LOGS="redaction" komodorio/k8s-watcher test -logredactor -inputlog="The log line you want to test redaction here"
Patterns to redact: [redaction]
Input log (before redaction):
The log line you want to test redaction here
Output log (after redaction):
The log line you want to test <REDACTED> here