Overview ¶
Package anonymization provides Anonymizer, which is used to anonymize sensitive data. At the moment, anonymization is applied to all the data before storing it in the archive (see AnonymizeMemoryRecordFunction). If you want to enable the anonymization, you need to set "enableGlobalObfuscation" to "true" in config or in the "support" secret in the "openshift-config" namespace; the anonymizer object will then be created and used (see pkg/controller/operator.go and pkg/controller/gather_job.go). When enabled, the following data will be anonymized:
- cluster base domain. For example, if the cluster base domain is `openshift.example.com`, all the occurrences of this keyword will be replaced with `<CLUSTER_BASE_DOMAIN>`, `cluster-api.openshift.example.com` will become `cluster-api.<CLUSTER_BASE_DOMAIN>`
- IPv4 addresses. Using a config client, it retrieves the cluster networks and uses them to anonymize IP addresses while preserving subnet information. For example, if you have the following networks in your cluster: "10.128.0.0/14", "172.30.0.0/16", "127.0.0.0/8" (added by default), the anonymization will handle the IPs like this:
- 10.128.0.0 -> 10.128.0.0 // subnetwork itself won't be anonymized
- 10.128.0.55 -> 10.128.0.1
- 10.128.0.56 -> 10.128.0.2
- 10.128.0.55 -> 10.128.0.1 // the anonymizer maintains a translation table, so the same original IP is always replaced with the same obfuscated IP
- 10.129.0.0 -> 10.128.0.3
- 172.30.0.5 -> 172.30.0.1 // new subnet, so we use a new set of fake IPs
- 127.0.0.1 -> 127.0.0.1 // it was the first IP, so the new IP matched the original in this case
- 10.0.134.130 -> 0.0.0.0 // the IP doesn't match any subnet; such IPs are replaced with 0.0.0.0
Index ¶
- Constants
- Variables
- func GetNetworksForAnonymizerFromRecords(records map[string]*record.MemoryRecord) ([]string, error)
- type AnonBuilder
- func (b *AnonBuilder) Build() (*Anonymizer, error)
- func (b *AnonBuilder) WithConfigClient(configClient v1.ConfigV1Interface) *AnonBuilder
- func (b *AnonBuilder) WithConfigurator(configurator configobserver.Interface) *AnonBuilder
- func (b *AnonBuilder) WithDataPolicy(dataPolicy v1alpha1.DataPolicy) *AnonBuilder
- func (b *AnonBuilder) WithKubeClient(kubeClient kubernetes.Interface) *AnonBuilder
- func (b *AnonBuilder) WithNetworkClient(networkClient networkv1client.NetworkV1Interface) *AnonBuilder
- func (b *AnonBuilder) WithNetworks(networks []string) *AnonBuilder
- func (b *AnonBuilder) WithRunningInCluster(runningInCluster bool) *AnonBuilder
- func (b *AnonBuilder) WithSecretsClient(client corev1client.SecretInterface) *AnonBuilder
- func (b *AnonBuilder) WithSensitiveValue(value, placeholder string) *AnonBuilder
- type Anonymizer
- func (anonymizer *Anonymizer) AnonymizeMemoryRecord(memoryRecord *record.MemoryRecord) *record.MemoryRecord
- func (anonymizer *Anonymizer) IsObfuscationEnabled() bool
- func (anonymizer *Anonymizer) ObfuscateIP(ipStr string) string
- func (anonymizer *Anonymizer) ResetTranslationTable()
- func (anonymizer *Anonymizer) StoreTranslationTable() *corev1.Secret
- type ConfigProvider
Constants ¶
const (
	// Ipv4Regex matches a dotted-quad IPv4 address whose octets are in the
	// range 0-255 (leading zeros are accepted). The pattern is not anchored,
	// so it also matches an address that is embedded in a longer token.
	Ipv4Regex = `((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)`
	// Ipv4NetworkRegex matches an IPv4 address in CIDR form. The prefix length
	// is any one- or two-digit number, so values above 32 are matched here
	// and have to be rejected by whoever interprets the match.
	Ipv4NetworkRegex = Ipv4Regex + "/([0-9]{1,2})"
	// Ipv4AddressOrNetworkRegex matches either a bare IPv4 address or a CIDR
	// network; the prefix group is optional.
	Ipv4AddressOrNetworkRegex = Ipv4Regex + "(/([0-9]{1,2}))?"
	// ClusterBaseDomainPlaceholder is the text that replaces every occurrence
	// of the cluster base domain in the anonymized data.
	ClusterBaseDomainPlaceholder = "<CLUSTER_BASE_DOMAIN>"
	// ClusterHostPlaceholder is the placeholder for a cluster host name
	// (where it is applied is not shown on this page).
	ClusterHostPlaceholder = "<CLUSTER_DOMAIN_HOST>"
	// UnableToCreateAnonymizerErrorMessage is a format string with a single
	// %v operand, the error that prevented the anonymizer from being built.
	UnableToCreateAnonymizerErrorMessage = "Unable to create anonymizer, " +
		"some data won't be anonymized(ipv4 and cluster base domain). The error is %v"
)
Variables ¶
var (
	// TranslationTableSecretName defines the secret name to store the translation table.
	// The value is the name of a Kubernetes Secret object, not a credential; the
	// nolint directive silences gosec, which flags identifiers containing "secret"
	// as possible hard-coded credentials.
	TranslationTableSecretName = "obfuscation-translation-table" //nolint: gosec
)
Functions ¶
func GetNetworksForAnonymizerFromRecords ¶
func GetNetworksForAnonymizerFromRecords(records map[string]*record.MemoryRecord) ([]string, error)
Types ¶
type AnonBuilder ¶
type AnonBuilder struct {
// contains filtered or unexported fields
}
func (*AnonBuilder) Build ¶
func (b *AnonBuilder) Build() (*Anonymizer, error)
func (*AnonBuilder) WithConfigClient ¶
func (b *AnonBuilder) WithConfigClient(configClient v1.ConfigV1Interface) *AnonBuilder
func (*AnonBuilder) WithConfigurator ¶
func (b *AnonBuilder) WithConfigurator(configurator configobserver.Interface) *AnonBuilder
func (*AnonBuilder) WithDataPolicy ¶
func (b *AnonBuilder) WithDataPolicy(dataPolicy v1alpha1.DataPolicy) *AnonBuilder
func (*AnonBuilder) WithKubeClient ¶
func (b *AnonBuilder) WithKubeClient(kubeClient kubernetes.Interface) *AnonBuilder
func (*AnonBuilder) WithNetworkClient ¶
func (b *AnonBuilder) WithNetworkClient(networkClient networkv1client.NetworkV1Interface) *AnonBuilder
func (*AnonBuilder) WithNetworks ¶
func (b *AnonBuilder) WithNetworks(networks []string) *AnonBuilder
func (*AnonBuilder) WithRunningInCluster ¶
func (b *AnonBuilder) WithRunningInCluster(runningInCluster bool) *AnonBuilder
func (*AnonBuilder) WithSecretsClient ¶
func (b *AnonBuilder) WithSecretsClient(client corev1client.SecretInterface) *AnonBuilder
func (*AnonBuilder) WithSensitiveValue ¶
func (b *AnonBuilder) WithSensitiveValue(value, placeholder string) *AnonBuilder
WithSensitiveValue adds terms that are obfuscated by the anonymizer in the records. It works as a key-value map, where all instances of 'value' are replaced by 'placeholder'.
type Anonymizer ¶
type Anonymizer struct {
// contains filtered or unexported fields
}
Anonymizer is used to anonymize sensitive data. Config can be used to enable anonymization of the cluster base domain and obfuscation of IPv4 addresses.
func NewAnonymizerFromConfig ¶
func NewAnonymizerFromConfig( ctx context.Context, gatherKubeConfig *rest.Config, gatherProtoKubeConfig *rest.Config, protoKubeConfig *rest.Config, configurator configobserver.Interface, dataPolicy v1alpha1.DataPolicy, ) (*Anonymizer, error)
NewAnonymizerFromConfig creates a new instance of the anonymizer from a provided kubeconfig.
func NewAnonymizerFromConfigClient ¶
func NewAnonymizerFromConfigClient( ctx context.Context, kubeClient kubernetes.Interface, gatherKubeClient kubernetes.Interface, configClient configv1client.ConfigV1Interface, networkClient networkv1client.NetworkV1Interface, configurator configobserver.Interface, dataPolicy v1alpha1.DataPolicy, sensitiveVals map[string]string, ) (*Anonymizer, error)
NewAnonymizerFromConfigClient creates a new instance of the anonymizer from a provided OpenShift config client.
func (*Anonymizer) AnonymizeMemoryRecord ¶
func (anonymizer *Anonymizer) AnonymizeMemoryRecord(memoryRecord *record.MemoryRecord) *record.MemoryRecord
AnonymizeMemoryRecord takes a record.MemoryRecord, removes the sensitive data from it and returns the same object.
func (*Anonymizer) IsObfuscationEnabled ¶
func (anonymizer *Anonymizer) IsObfuscationEnabled() bool
IsObfuscationEnabled returns true if obfuscation (hiding IPs and domain names) is enabled and false otherwise.
func (*Anonymizer) ObfuscateIP ¶
func (anonymizer *Anonymizer) ObfuscateIP(ipStr string) string
ObfuscateIP takes an IP as a string and returns its obfuscated version. If the IP already exists in the translation table, the stored value is returned; otherwise an obfuscated version of the IP is created and recorded in the translation table.
func (*Anonymizer) ResetTranslationTable ¶
func (anonymizer *Anonymizer) ResetTranslationTable()
ResetTranslationTable resets the translation table so that the translation tables of multiple gathers won't mix together.
func (*Anonymizer) StoreTranslationTable ¶
func (anonymizer *Anonymizer) StoreTranslationTable() *corev1.Secret
StoreTranslationTable stores the translation table in a Secret in the openshift-insights namespace. The actual data is stored in the StringData portion of the Secret.
type ConfigProvider ¶
// ConfigProvider is implemented by types that can supply the controller
// configuration.
type ConfigProvider interface {
	// Config returns the current controller configuration.
	Config() *config.Controller
}