From 7271bc12aa1ae44f23118657fdd0e49fb813860f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C3=ABl=20Valais?=
Date: Wed, 13 Nov 2024 11:08:32 +0100
Subject: [PATCH] annot-exclusion: use concrete examples such as employee ID and Kapp

I've also reduced the size of the documentation in values.yaml; it now only contains the essential information.
---
 .../charts/venafi-kubernetes-agent/README.md | 6 ++--
 .../values.schema.json | 2 +-
 .../venafi-kubernetes-agent/values.yaml | 28 ++++++++-----------
 pkg/datagatherer/k8s/dynamic_test.go | 22 ++++++++++-----
 4 files changed, 30 insertions(+), 28 deletions(-)
diff --git a/deploy/charts/venafi-kubernetes-agent/README.md b/deploy/charts/venafi-kubernetes-agent/README.md
index f148b8f8..af9098f9 100644
--- a/deploy/charts/venafi-kubernetes-agent/README.md
+++ b/deploy/charts/venafi-kubernetes-agent/README.md
@@ -431,11 +431,9 @@ Control Plane.
 You can configure Venafi Kubernetes Agent to exclude some annotations or labels from being pushed to the Venafi Control Plane. All Kubernetes objects are affected. The objects are still pushed, but the specified annotations and labels are removed before being sent to the Venafi Control Plane.
-If you would like to exclude annotations keys that contain the word `word`, use the regular expression `.*word.*`. The leading and ending .* are important if you want to filter out keys that contain `word` anywhere in the key string.
+Dots is the only character that needs to be escaped in the regex. Use either double quotes with escaped single quotes or unquoted strings for the regex to avoid YAML parsing issues with `\.`.
-Note that the annotation `kubectl.kubernetes.io/last-applied-configuration` is already excluded by default, you don't need to exclude it explicitly.
-
-Example: excludeAnnotationKeysRegex: ["kapp\.k14s\.io\/original.*"]
+Example: excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']
 #### **config.excludeLabelKeysRegex** ~ `array`
 > Default value:
 > ```yaml
diff --git a/deploy/charts/venafi-kubernetes-agent/values.schema.json b/deploy/charts/venafi-kubernetes-agent/values.schema.json
index b4b755f1..dea7c43c 100644
--- a/deploy/charts/venafi-kubernetes-agent/values.schema.json
+++ b/deploy/charts/venafi-kubernetes-agent/values.schema.json
@@ -214,7 +214,7 @@
 "helm-values.config.configmap.name": {},
 "helm-values.config.excludeAnnotationKeysRegex": {
 "default": [],
- "description": "You can configure Venafi Kubernetes Agent to exclude some annotations or labels from being pushed to the Venafi Control Plane. All Kubernetes objects are affected. The objects are still pushed, but the specified annotations and labels are removed before being sent to the Venafi Control Plane.\n\nIf you would like to exclude annotations keys that contain the word `word`, use the regular expression `.*word.*`. The leading and ending .* are important if you want to filter out keys that contain `word` anywhere in the key string.\n\nNote that the annotation `kubectl.kubernetes.io/last-applied-configuration` is already excluded by default, you don't need to exclude it explicitly.\n\nExample: excludeAnnotationKeysRegex: [\"kapp\\.k14s\\.io\\/original.*\"]",
+ "description": "You can configure Venafi Kubernetes Agent to exclude some annotations or labels from being pushed to the Venafi Control Plane. All Kubernetes objects are affected. The objects are still pushed, but the specified annotations and labels are removed before being sent to the Venafi Control Plane.\n\nDots is the only character that needs to be escaped in the regex. Use either double quotes with escaped single quotes or unquoted strings for the regex to avoid YAML parsing issues with `\\.`.\n\nExample: excludeAnnotationKeysRegex: ['^kapp\\.k14s\\.io/original.*']",
 "items": {},
 "type": "array"
 },
diff --git a/deploy/charts/venafi-kubernetes-agent/values.yaml b/deploy/charts/venafi-kubernetes-agent/values.yaml
index cdd24794..bff466bb 100644
--- a/deploy/charts/venafi-kubernetes-agent/values.yaml
+++ b/deploy/charts/venafi-kubernetes-agent/values.yaml
@@ -114,7 +114,7 @@ podSecurityContext: {}
 securityContext:
 capabilities:
 drop:
- - ALL
+ - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
@@ -230,28 +230,24 @@ config:
 # * https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
 # * https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/#list-of-supported-fields
 ignoredSecretTypes:
- - kubernetes.io/service-account-token
- - kubernetes.io/dockercfg
- - kubernetes.io/dockerconfigjson
- - kubernetes.io/basic-auth
- - kubernetes.io/ssh-auth
- - bootstrap.kubernetes.io/token
- - helm.sh/release.v1
+ - kubernetes.io/service-account-token
+ - kubernetes.io/dockercfg
+ - kubernetes.io/dockerconfigjson
+ - kubernetes.io/basic-auth
+ - kubernetes.io/ssh-auth
+ - bootstrap.kubernetes.io/token
+ - helm.sh/release.v1
 # You can configure Venafi Kubernetes Agent to exclude some annotations or
 # labels from being pushed to the Venafi Control Plane. All Kubernetes objects
 # are affected. The objects are still pushed, but the specified annotations
 # and labels are removed before being sent to the Venafi Control Plane.
 #
- # If you would like to exclude annotations keys that contain the word `word`,
- # use the regular expression `.*word.*`. The leading and ending .* are
- # important if you want to filter out keys that contain `word` anywhere in the
- # key string.
+ # Dots is the only character that needs to be escaped in the regex. Use either
+ # double quotes with escaped single quotes or unquoted strings for the regex
+ # to avoid YAML parsing issues with `\.`.
 #
- # Note that the annotation `kubectl.kubernetes.io/last-applied-configuration`
- # is already excluded by default, you don't need to exclude it explicitly.
- #
- # Example: excludeAnnotationKeysRegex: ["kapp\.k14s\.io\/original.*"]
+ # Example: excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']
 excludeAnnotationKeysRegex: []
 excludeLabelKeysRegex: []
diff --git a/pkg/datagatherer/k8s/dynamic_test.go b/pkg/datagatherer/k8s/dynamic_test.go
index d925fae0..5af02bad 100644
--- a/pkg/datagatherer/k8s/dynamic_test.go
+++ b/pkg/datagatherer/k8s/dynamic_test.go
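Review bot: The rewritten comment's advice `Use either double quotes with escaped single quotes or unquoted strings` contradicts its own example `['^kapp\.k14s\.io/original.*']`, which uses single quotes; in YAML, `\.` is not a valid escape inside a double-quoted scalar, while single-quoted and plain scalars pass the backslash through unchanged, so the reader should be told to use single quotes or no quotes. I would replace the three new lines with `# A dot is the only character that needs escaping in the regex. Write the` / `# regex as a single-quoted or plain YAML scalar; \. is not a valid escape in a` / `# double-quoted YAML string.`. The same sentence is repeated in the README.md and values.schema.json hunks, which appear to be generated from this comment, so fixing it here and regenerating covers all three. The dropped sentence about `kubectl.kubernetes.io/last-applied-configuration` was the one line explaining why this option matters for annotations that can carry a full object including secret data; if that default exclusion still holds, a one-line mention of it is worth keeping.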
@@ -618,16 +618,24 @@ func TestDynamicGatherer_Fetch(t *testing.T) {
 // username: bXl1c2VybmFtZQ==
 //
 // [1]: https://github.com/carvel-dev/kapp/issues/90#issuecomment-602074356
- excludeAnnotsKeys: []string{`kapp\.k14s\.io\/original.*`},
-
- // We haven't found convincing examples of labels that may contain
- // sensitive information in the wild, so let's go with a dumb
- // example.
- excludeLabelKeys: []string{`.*sensitive.*`},
+ //
+ // The regular expression could be:
+ excludeAnnotsKeys: []string{`^kapp\.k14s\.io/original.*`},
+
+ // A somewhat realistic example of labels that would need to be
+ // excluded would be when a company declares ownership using
+ // sensitive identifiers (e.g., employee IDs), and the company
+ // doesn't want these IDs to be exposed. Let's imagine these
+ // employee IDs look like this:
+ //
+ // company.com/employee-id: 12345
+ //
+ // The regular expression would then be:
+ excludeLabelKeys: []string{`^company\.com/employee-id$`},
 addObjects: []runtime.Object{getObjectAnnot("v1", "Secret", "s0", "n1", map[string]interface{}{"kapp.k14s.io/original": "foo", "kapp.k14s.io/original-diff": "bar", "normal": "true"},
- map[string]interface{}{"is-sensitive-label": "true", "prod": "true"},
+ map[string]interface{}{`company.com/employee-id`: "12345", "prod": "true"},
 )},
 expected: []*api.GatheredResource{{Resource: getObjectAnnot("v1", "Secret", "s0", "n1", map[string]interface{}{"normal": "true"},