docs: document redaction filters for events

Signed-off-by: William Findlay <will@isovalent.com>
cilium · Mar 21, 2024 · 1721427 · 1721427
1 parent 927a847
commit 1721427
Showing 1 changed file with 40 additions and 2 deletions.
diff --git a/docs/content/en/docs/concepts/events.md b/docs/content/en/docs/concepts/events.md
@@ -118,7 +118,45 @@ A default deployment writes the JSON log to `/var/run/cilium/tetragon/tetragon.l
 be exported through normal log collection tooling, e.g. 'fluentd', logstash, etc.. The file will
 be rotated and compressed by default. See [Helm Options] for details on how to customize this location.
 
-#### `tetra` CLI
+#### Redacting Sensitive Information
+
+Since Tetragon traces the entire system, event exports might sometimes contain
+sensitive information (for example, a secret passed via a command line argument
+to a process). To prevent this information from being exfiltrated via Tetragon
+JSON export, Tetragon provides a mechanism called Redaction Filters which can be
+used to select events and string patterns to redact. These filters are written
+in JSON and passed to the Tetragon agent via the `--redaction-filters` command
+line flag or the `redactionFilters` Helm value.
+
+To perform redactions, redaction filters define regular expressions in the
+`redact` field. Any capture groups in these regular expressions are redacted and
+replaced with `"*****"`.
+
+Redaction filters select events using the `match` field, which contains one or
+more filters (these filters are defined the same way as export filters). If no
+match filter is defined, all events are selected.
+
+As a concrete example, the following will redact all passwords passed to
+processes with the `"--password"` argument:
+
+```json
+{"redact": ["--password(?:\s+|=)(\S*)"]}
+```
+
+Now, an event which contains the string `"--password=foo"` would have that string
+replaced with `"--password=*****"`.
+
+Suppose we also see some passwords passed via the -p shorthand for a specific binary, foo.
+We can also redact these as follows:
+
+```json
+{"match": [{"binary_regex": "(?:^|/)foo$"}], "redact": ["-p(?:\s+|=)(\S*)"]}
+```
+
+With both of the above redaction filters in place, we are now redacting all
+password arguments.
+
+### `tetra` CLI
 
 A second way is to use the [`tetra`](https://github.com/cilium/tetragon/tree/main/cmd/tetra) CLI. This
 has the advantage that it can also be used to filter and pretty print the output. The tool
@@ -166,4 +204,4 @@ An example gRPC endpoint is the Tetra CLI when its not piped JSON output directl
 
 ```shell
  kubectl exec -ti -n kube-system ds/tetragon -c tetragon -- tetra getevents -o compact
-```
+```