annot-exclusion: use concrete examples such as employee ID and Kapp

I've also reduced the size of the documentation in values.yaml; it now only contains the essential information.
jetstack · Nov 14, 2024 · 7271bc1 · 7271bc1
1 parent a20e5a3
commit 7271bc1
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 28 deletions.
diff --git a/deploy/charts/venafi-kubernetes-agent/README.md b/deploy/charts/venafi-kubernetes-agent/README.md
@@ -431,11 +431,9 @@ Control Plane.
 
 You can configure Venafi Kubernetes Agent to exclude some annotations or labels from being pushed to the Venafi Control Plane. All Kubernetes objects are affected. The objects are still pushed, but the specified annotations and labels are removed before being sent to the Venafi Control Plane.  
   
-If you would like to exclude annotations keys that contain the word `word`, use the regular expression `.*word.*`. The leading and ending .* are important if you want to filter out keys that contain `word` anywhere in the key string.  
+Dots is the only character that needs to be escaped in the regex. Use either double quotes with escaped single quotes or unquoted strings for the regex to avoid YAML parsing issues with `\.`.  
   
-Note that the annotation `kubectl.kubernetes.io/last-applied-configuration` is already excluded by default, you don't need to exclude it explicitly.  
-  
-Example: excludeAnnotationKeysRegex: ["kapp\.k14s\.io\/original.*"]
+Example: excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']
 #### **config.excludeLabelKeysRegex** ~ `array`
 > Default value:
 > ```yaml

diff --git a/deploy/charts/venafi-kubernetes-agent/values.schema.json b/deploy/charts/venafi-kubernetes-agent/values.schema.json
@@ -214,7 +214,7 @@
     "helm-values.config.configmap.name": {},
     "helm-values.config.excludeAnnotationKeysRegex": {
       "default": [],
-      "description": "You can configure Venafi Kubernetes Agent to exclude some annotations or labels from being pushed to the Venafi Control Plane. All Kubernetes objects are affected. The objects are still pushed, but the specified annotations and labels are removed before being sent to the Venafi Control Plane.\n\nIf you would like to exclude annotations keys that contain the word `word`, use the regular expression `.*word.*`. The leading and ending .* are important if you want to filter out keys that contain `word` anywhere in the key string.\n\nNote that the annotation `kubectl.kubernetes.io/last-applied-configuration` is already excluded by default, you don't need to exclude it explicitly.\n\nExample: excludeAnnotationKeysRegex: [\"kapp\\.k14s\\.io\\/original.*\"]",
+      "description": "You can configure Venafi Kubernetes Agent to exclude some annotations or labels from being pushed to the Venafi Control Plane. All Kubernetes objects are affected. The objects are still pushed, but the specified annotations and labels are removed before being sent to the Venafi Control Plane.\n\nDots is the only character that needs to be escaped in the regex. Use either double quotes with escaped single quotes or unquoted strings for the regex to avoid YAML parsing issues with `\\.`.\n\nExample: excludeAnnotationKeysRegex: ['^kapp\\.k14s\\.io/original.*']",
       "items": {},
       "type": "array"
     },

diff --git a/deploy/charts/venafi-kubernetes-agent/values.yaml b/deploy/charts/venafi-kubernetes-agent/values.yaml
@@ -114,7 +114,7 @@ podSecurityContext: {}
 securityContext:
   capabilities:
     drop:
-    - ALL
+      - ALL
   readOnlyRootFilesystem: true
   runAsNonRoot: true
 
@@ -230,28 +230,24 @@ config:
   # * https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
   # * https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/#list-of-supported-fields
   ignoredSecretTypes:
-  - kubernetes.io/service-account-token
-  - kubernetes.io/dockercfg
-  - kubernetes.io/dockerconfigjson
-  - kubernetes.io/basic-auth
-  - kubernetes.io/ssh-auth
-  - bootstrap.kubernetes.io/token
-  - helm.sh/release.v1
+    - kubernetes.io/service-account-token
+    - kubernetes.io/dockercfg
+    - kubernetes.io/dockerconfigjson
+    - kubernetes.io/basic-auth
+    - kubernetes.io/ssh-auth
+    - bootstrap.kubernetes.io/token
+    - helm.sh/release.v1
 
   # You can configure Venafi Kubernetes Agent to exclude some annotations or
   # labels from being pushed to the Venafi Control Plane. All Kubernetes objects
   # are affected. The objects are still pushed, but the specified annotations
   # and labels are removed before being sent to the Venafi Control Plane.
   #
-  # If you would like to exclude annotations keys that contain the word `word`,
-  # use the regular expression `.*word.*`. The leading and ending .* are
-  # important if you want to filter out keys that contain `word` anywhere in the
-  # key string.
+  # Dots is the only character that needs to be escaped in the regex. Use either
+  # double quotes with escaped single quotes or unquoted strings for the regex
+  # to avoid YAML parsing issues with `\.`.
   #
-  # Note that the annotation `kubectl.kubernetes.io/last-applied-configuration`
-  # is already excluded by default, you don't need to exclude it explicitly.
-  #
-  # Example: excludeAnnotationKeysRegex: ["kapp\.k14s\.io\/original.*"]
+  # Example: excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']
   excludeAnnotationKeysRegex: []
   excludeLabelKeysRegex: []
 

diff --git a/pkg/datagatherer/k8s/dynamic_test.go b/pkg/datagatherer/k8s/dynamic_test.go
@@ -618,16 +618,24 @@ func TestDynamicGatherer_Fetch(t *testing.T) {
 			//      username: bXl1c2VybmFtZQ==
 			//
 			//  [1]: https://github.com/carvel-dev/kapp/issues/90#issuecomment-602074356
-			excludeAnnotsKeys: []string{`kapp\.k14s\.io\/original.*`},
-
-			// We haven't found convincing examples of labels that may contain
-			// sensitive information in the wild, so let's go with a dumb
-			// example.
-			excludeLabelKeys: []string{`.*sensitive.*`},
+			//
+			// The regular expression could be:
+			excludeAnnotsKeys: []string{`^kapp\.k14s\.io/original.*`},
+
+			// A somewhat realistic example of labels that would need to be
+			// excluded would be when a company declares ownership using
+			// sensitive identifiers (e.g., employee IDs), and the company
+			// doesn't want these IDs to be exposed. Let's imagine these
+			// employee IDs look like this:
+			//
+			//  company.com/employee-id: 12345
+			//
+			// The regular expression would then be:
+			excludeLabelKeys: []string{`^company\.com/employee-id$`},
 
 			addObjects: []runtime.Object{getObjectAnnot("v1", "Secret", "s0", "n1",
 				map[string]interface{}{"kapp.k14s.io/original": "foo", "kapp.k14s.io/original-diff": "bar", "normal": "true"},
-				map[string]interface{}{"is-sensitive-label": "true", "prod": "true"},
+				map[string]interface{}{`company.com/employee-id`: "12345", "prod": "true"},
 			)},
 			expected: []*api.GatheredResource{{Resource: getObjectAnnot("v1", "Secret", "s0", "n1",
 				map[string]interface{}{"normal": "true"},