anonymization package

v0.0.0-...-5e2dd6f
Published: Sep 27, 2024 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Overview

Package anonymization provides Anonymizer, which is used to anonymize sensitive data. At the moment, anonymization is applied to all the data before it is stored in the archive (see AnonymizeMemoryRecordFunction). To enable anonymization, set "enableGlobalObfuscation" to "true" either in the config or in the "support" secret in the "openshift-config" namespace; the anonymizer object is then created and used (see pkg/controller/operator.go and pkg/controller/gather_job.go). When enabled, the following data is anonymized:

  • cluster base domain. For example, if the cluster base domain is `openshift.example.com`, all occurrences of this keyword are replaced with `<CLUSTER_BASE_DOMAIN>`, so `cluster-api.openshift.example.com` becomes `cluster-api.<CLUSTER_BASE_DOMAIN>`
  • IPv4 addresses. Using a config client, the anonymizer retrieves the cluster networks and uses them to anonymize IP addresses while preserving subnet information. For example, if the cluster has the networks "10.128.0.0/14", "172.30.0.0/16" and "127.0.0.0/8" (added by default), the anonymization handles IPs like this:
      • 10.128.0.0 -> 10.128.0.0 // the subnetwork itself is not anonymized
      • 10.128.0.55 -> 10.128.0.1
      • 10.128.0.56 -> 10.128.0.2
      • 10.128.0.55 -> 10.128.0.1 // the anonymizer maintains a translation table, so the same original IP always maps to the same obfuscated IP
      • 10.129.0.0 -> 10.128.0.3
      • 172.30.0.5 -> 172.30.0.1 // new subnet, so a new set of fake IPs is used
      • 127.0.0.1 -> 127.0.0.1 // it was the first IP in its subnet, so the new IP happens to match the original
      • 10.0.134.130 -> 0.0.0.0 // the IP doesn't match any subnet; such IPs are replaced with 0.0.0.0

Index

Constants

const (
	Ipv4Regex                            = `((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)`
	Ipv4NetworkRegex                     = Ipv4Regex + "/([0-9]{1,2})"
	Ipv4AddressOrNetworkRegex            = Ipv4Regex + "(/([0-9]{1,2}))?"
	ClusterBaseDomainPlaceholder         = "<CLUSTER_BASE_DOMAIN>"
	ClusterHostPlaceholder               = "<CLUSTER_DOMAIN_HOST>"
	UnableToCreateAnonymizerErrorMessage = "Unable to create anonymizer, " +
		"some data won't be anonymized(ipv4 and cluster base domain). The error is %v"
)


Variables

var (
	// TranslationTableSecretName defines the secret name to store the translation table
	TranslationTableSecretName = "obfuscation-translation-table" //nolint: gosec

)

Functions

func GetNetworksForAnonymizerFromRecords

func GetNetworksForAnonymizerFromRecords(records map[string]*record.MemoryRecord) ([]string, error)

Types

type AnonBuilder

type AnonBuilder struct {
	// contains filtered or unexported fields
}

func (*AnonBuilder) Build

func (b *AnonBuilder) Build() (*Anonymizer, error)

func (*AnonBuilder) WithConfigClient

func (b *AnonBuilder) WithConfigClient(configClient v1.ConfigV1Interface) *AnonBuilder

func (*AnonBuilder) WithConfigurator

func (b *AnonBuilder) WithConfigurator(configurator configobserver.Interface) *AnonBuilder

func (*AnonBuilder) WithDataPolicy

func (b *AnonBuilder) WithDataPolicy(dataPolicy v1alpha1.DataPolicy) *AnonBuilder

func (*AnonBuilder) WithKubeClient

func (b *AnonBuilder) WithKubeClient(kubeClient kubernetes.Interface) *AnonBuilder

func (*AnonBuilder) WithNetworkClient

func (b *AnonBuilder) WithNetworkClient(networkClient networkv1client.NetworkV1Interface) *AnonBuilder

func (*AnonBuilder) WithNetworks

func (b *AnonBuilder) WithNetworks(networks []string) *AnonBuilder

func (*AnonBuilder) WithRunningInCluster

func (b *AnonBuilder) WithRunningInCluster(runningInCluster bool) *AnonBuilder

func (*AnonBuilder) WithSecretsClient

func (b *AnonBuilder) WithSecretsClient(client corev1client.SecretInterface) *AnonBuilder

func (*AnonBuilder) WithSensitiveValue

func (b *AnonBuilder) WithSensitiveValue(value, placeholder string) *AnonBuilder

WithSensitiveValue adds terms that are obfuscated by the anonymizer in the records. It works as a key-value map, where all instances of 'value' are replaced by 'placeholder'.

type Anonymizer

type Anonymizer struct {
	// contains filtered or unexported fields
}

Anonymizer is used to anonymize sensitive data. Config can be used to enable anonymization of cluster base domain and obfuscation of IPv4 addresses

func NewAnonymizerFromConfig

func NewAnonymizerFromConfig(
	ctx context.Context,
	gatherKubeConfig *rest.Config,
	gatherProtoKubeConfig *rest.Config,
	protoKubeConfig *rest.Config,
	configurator configobserver.Interface,
	dataPolicy v1alpha1.DataPolicy,
) (*Anonymizer, error)

NewAnonymizerFromConfig creates a new instance of anonymizer with a provided kubeconfig

func NewAnonymizerFromConfigClient

func NewAnonymizerFromConfigClient(
	ctx context.Context,
	kubeClient kubernetes.Interface,
	gatherKubeClient kubernetes.Interface,
	configClient configv1client.ConfigV1Interface,
	networkClient networkv1client.NetworkV1Interface,
	configurator configobserver.Interface,
	dataPolicy v1alpha1.DataPolicy,
	sensitiveVals map[string]string,
) (*Anonymizer, error)

NewAnonymizerFromConfigClient creates a new instance of anonymizer with a provided openshift config client

func (*Anonymizer) AnonymizeMemoryRecord

func (anonymizer *Anonymizer) AnonymizeMemoryRecord(memoryRecord *record.MemoryRecord) *record.MemoryRecord

AnonymizeMemoryRecord takes record.MemoryRecord, removes the sensitive data from it and returns the same object

func (*Anonymizer) IsObfuscationEnabled

func (anonymizer *Anonymizer) IsObfuscationEnabled() bool

IsObfuscationEnabled returns true if obfuscation (hiding IP addresses and domain names) is enabled and false otherwise.

func (*Anonymizer) ObfuscateIP

func (anonymizer *Anonymizer) ObfuscateIP(ipStr string) string

ObfuscateIP takes an IP as a string and returns its obfuscated version. If the IP already exists in the translation table, that entry is returned; otherwise a new obfuscated version of the IP is created and recorded in the translation table.
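The following is an added example, not code from the insights-operator package, that models the behaviour described in the Overview's IP list and in the ObfuscateIP doc above: a per-network counter hands out fake host addresses in order, a translation table keeps the mapping stable across calls, the network address itself is left alone, and addresses outside every cluster network collapse to 0.0.0.0. The `ipObfuscator` type and its methods are hypothetical names; the IPv4 pattern is the package's `Ipv4Regex`, the networks are the Overview's sample networks, and the log line is constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// ipv4Regex is the same IPv4 pattern the package exposes as Ipv4Regex.
const ipv4Regex = `((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)`

var ipv4Re = regexp.MustCompile(ipv4Regex)

// ipObfuscator is a toy model of the documented behaviour (hypothetical type,
// not the package's Anonymizer): it hands out fake addresses from the matching
// cluster network in order and keeps a translation table so that the same
// original address always maps to the same fake address.
type ipObfuscator struct {
	networks []*net.IPNet      // cluster networks, checked in this order
	handed   map[string]uint32 // per-network count of fake addresses already used
	table    map[string]string // translation table: original -> obfuscated
}

func newIPObfuscator(cidrs []string) (*ipObfuscator, error) {
	o := &ipObfuscator{handed: map[string]uint32{}, table: map[string]string{}}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad cluster network %q: %w", c, err)
		}
		o.networks = append(o.networks, n)
	}
	return o, nil
}

// obfuscateIP returns the stable fake address for ipStr. The network address
// itself is left unchanged, and an IP outside every network becomes 0.0.0.0.
func (o *ipObfuscator) obfuscateIP(ipStr string) string {
	if fake, ok := o.table[ipStr]; ok {
		return fake // already translated: reuse the same fake address
	}
	fake := "0.0.0.0"
	if ip4 := net.ParseIP(ipStr).To4(); ip4 != nil {
		for _, n := range o.networks {
			if !n.Contains(ip4) {
				continue
			}
			base := n.IP.To4()
			if ip4.Equal(base) {
				fake = ipStr // the subnetwork itself is not anonymized
				break
			}
			key := n.String()
			o.handed[key]++ // next unused host number within this network
			buf := make(net.IP, 4)
			binary.BigEndian.PutUint32(buf, binary.BigEndian.Uint32(base)+o.handed[key])
			fake = buf.String()
			break
		}
	}
	o.table[ipStr] = fake
	return fake
}

// anonymizeText rewrites one record's text: every IPv4 literal goes through the
// translation table, then the cluster base domain becomes the placeholder.
func (o *ipObfuscator) anonymizeText(text, baseDomain string) string {
	out := ipv4Re.ReplaceAllStringFunc(text, o.obfuscateIP)
	if baseDomain != "" {
		out = strings.ReplaceAll(out, baseDomain, "<CLUSTER_BASE_DOMAIN>")
	}
	return out
}

func main() {
	o, err := newIPObfuscator([]string{"10.128.0.0/14", "172.30.0.0/16", "127.0.0.0/8"})
	if err != nil {
		panic(err)
	}
	for _, ip := range []string{"10.128.0.0", "10.128.0.55", "10.128.0.56", "10.128.0.55",
		"10.129.0.0", "172.30.0.5", "127.0.0.1", "10.0.134.130"} {
		fmt.Printf("%s -> %s\n", ip, o.obfuscateIP(ip))
	}
	// Constructed sample line, not real cluster output.
	fmt.Println(o.anonymizeText(
		"node 10.128.0.55 reached cluster-api.openshift.example.com from 10.0.134.130",
		"openshift.example.com"))
}
```

Two points the toy makes visible: the fake addresses are only pseudonyms, so the translation table maps them straight back to the originals and must be protected like the data it hides (the package stores it in a Secret, see StoreTranslationTable), and the counter is not bounded by the network size, so a network with more distinct hosts than host addresses would need wrap-around handling that this model omits.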

func (*Anonymizer) ResetTranslationTable

func (anonymizer *Anonymizer) ResetTranslationTable()

ResetTranslationTable resets the translation table, so that the translation table of multiple gathers won't mix together.

func (*Anonymizer) StoreTranslationTable

func (anonymizer *Anonymizer) StoreTranslationTable() *corev1.Secret

StoreTranslationTable stores the translation table in a Secret in the openshift-insights namespace. The actual data is stored in the StringData portion of the Secret.

type ConfigProvider

type ConfigProvider interface {
	Config() *config.Controller
}
