implement redaction filters #2243
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
willfindlay
added
area/userspace
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
willfindlay
added
the
release-note/major
willfindlay
force-pushed
the
pr/willfindlay/redaction-filters
branch
from
319340d
to
28d0254
Compare
willfindlay
force-pushed
the
pr/willfindlay/redaction-filters
branch
from
05b0c6d
to
1721427
Compare
|
marking as draft while I fix an oversight with empty redaction filters |
willfindlay
force-pushed
the
pr/willfindlay/redaction-filters
branch
5 times, most recently
from
c7d0e91
to
2df1703
Compare
willfindlay
force-pushed
the
pr/willfindlay/redaction-filters
branch
from
2df1703
to
797d729
Compare
Implement a new field filter type, the refaction filter. Redaction filters use regular
expressions to suppress sensitive information in string fields in Tetragon events. When
a regular expression in a redcation filter matches a string, everything inside of its
capture groups is replaced with `*****`, effectively censoring the output. For example,
the regular expression `(?:--password|-p)(?:\s+|=)(\S*)` will convert the string
"--password=foo" into "--password=*****".
In some cases, it is not desirable to apply a redaction filter to all events. For this use
case, redaction filters also include an event filter which can be used to select events to
redact. This event filter is configured with the same syntax as an export filter. As
a more concrete example:
{"match": {"binary_regex": ["^foo$"]}, "redact": ["\W(qux)\W"]}
The above filter would redact any occurrences of the word "qux" in events with the binary
name "foo".
Due to the sensitive nature of redaction, these filters are applied as configured in the
agent, regardless of whether an event is exported via gRPC or the JSON exporter. In other
words, redaction filter configuration always happens at the agent config level, not in the
gRPC client CLI.
Signed-off-by: William Findlay <[email protected]>
willfindlay
force-pushed
the
pr/willfindlay/redaction-filters
branch
from
797d729
to
5f748fe
Compare
jrfastab
approved these changes
Mar 28, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implement a new field filter type, the redaction filter. Redaction filters use regular expressions to suppress sensitive information in string fields in Tetragon events. When a regular expression in a redaction filter matches a string, everything inside of its capture groups is replaced with
*****, effectively censoring the output. For example, the regular expression(?:--password|-p)(?:\s+|=)(\S*)will convert the string "--password=foo" into "--password=*****".In some cases, it is not desirable to apply a redaction filter to all events. For this use case, redaction filters also include an event filter which can be used to select events to redact. This event filter is configured with the same syntax as an export filter. As a more concrete example:
The above filter would redact any occurrences of the word "qux" in events with the binary name "foo".
Due to the sensitive nature of redaction, these filters are applied as configured in the
agent, regardless of whether an event is exported via gRPC or the JSON exporter. In other
words, redaction filter configuration always happens at the agent config level, not in the
gRPC client CLI.
Fixes: #2241