Overview
Package anonymization provides Anonymizer, which is used to anonymize sensitive data. At the moment, anonymization is applied to all the data before it is stored in the archive (see AnonymizeMemoryRecordFunction). To enable anonymization, set "enableGlobalObfuscation" to "true" in the config or in the "support" secret in the "openshift-config" namespace; the anonymizer object will then be created and used (see pkg/controller/operator.go and pkg/controller/gather_job.go). When enabled, the following data will be anonymized:
- cluster base domain. For example, if the cluster base domain is `openshift.example.com`, all occurrences of this keyword will be replaced with `<CLUSTER_BASE_DOMAIN>`; `cluster-api.openshift.example.com` will become `cluster-api.<CLUSTER_BASE_DOMAIN>`
- IPv4 addresses. Using a config client, it retrieves the cluster networks and uses them to anonymize IP addresses while preserving subnet information. For example, if you have the following networks in your cluster: "10.128.0.0/14", "172.30.0.0/16", "127.0.0.0/8" (added by default), the anonymization will handle the IPs like this:
- 10.128.0.0 -> 10.128.0.0 // subnetwork itself won't be anonymized
- 10.128.0.55 -> 10.128.0.1
- 10.128.0.56 -> 10.128.0.2
- 10.128.0.55 -> 10.128.0.1 // anonymizer maintains a translation table to replace the same original IPs with the same obfuscated IPs
- 10.129.0.0 -> 10.128.0.3
- 172.30.0.5 -> 172.30.0.1 // new subnet, so we use a new set of fake IPs
- 127.0.0.1 -> 127.0.0.1 // it was the first IP, so the new IP matched the original in this case
- 10.0.134.130 -> 0.0.0.0 // the IP doesn't match any subnet; such IPs are replaced with 0.0.0.0
Constants
// Patterns and placeholder strings shared by the anonymizers in this package.
const (
	// Ipv4Regex matches a dotted-quad IPv4 address whose octets are each in 0-255.
	// It carries no anchors, so embedding code decides how it is delimited.
	Ipv4Regex = `((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)`

	// Ipv4NetworkRegex matches an address followed by "/" and a one- or two-digit prefix length.
	// NOTE(review): the prefix group accepts any value 0-99, including lengths above 32;
	// code that parses the captured prefix should validate it before building a subnet.
	Ipv4NetworkRegex = Ipv4Regex + "/([0-9]{1,2})"

	// Ipv4AddressOrNetworkRegex matches either a bare address or an address with a prefix length.
	Ipv4AddressOrNetworkRegex = Ipv4Regex + "(/([0-9]{1,2}))?"

	// ClusterBaseDomainPlaceholder is substituted for occurrences of the cluster base domain.
	ClusterBaseDomainPlaceholder = "<CLUSTER_BASE_DOMAIN>"

	// ClusterHostPlaceholder is a placeholder for cluster domain host names; its exact
	// substitution rule lives in the anonymizer implementation and is not shown here.
	ClusterHostPlaceholder = "<CLUSTER_DOMAIN_HOST>"

	// UnableToCreateAnonymizerErrorMessage is the format string reported when the
	// anonymizer cannot be built; the single %v verb receives the underlying error.
	UnableToCreateAnonymizerErrorMessage = "Unable to create anonymizer, some data won't be anonymized(ipv4 and cluster base domain). The error is %v"
)
norevive
Variables
// TranslationTableSecretName is the name of the Secret that receives the IP
// translation table (see StoreTranslationTable). It is a resource name, not a
// credential, hence the gosec exclusion.
var TranslationTableSecretName = "obfuscation-translation-table" //nolint: gosec
Functions
func GetNetworksForAnonymizerFromRecords ¶
func GetNetworksForAnonymizerFromRecords(records map[string]*record.MemoryRecord) ([]string, error)
Types
type Anonymizer ¶
// Anonymizer groups the DataAnonymizer implementations that are applied to
// gathered records.
type Anonymizer struct {
	// Anonymizers is the set of concrete anonymizers this Anonymizer delegates to.
	Anonymizers []DataAnonymizer
}
Anonymizer is used to anonymize sensitive data. Config can be used to enable anonymization of the cluster base domain and obfuscation of IPv4 addresses.
func NewAnonymizer ¶
func NewAnonymizer(specificAnonymizer ...DataAnonymizer) (*Anonymizer, error)
func (*Anonymizer) AnonymizeData ¶
func (anonymizer *Anonymizer) AnonymizeData(memoryRecord *record.MemoryRecord) (*record.MemoryRecord, error)
func (*Anonymizer) IsAnonymizerTypeEnabled ¶
func (anonymizer *Anonymizer) IsAnonymizerTypeEnabled(anonymizerType AnonymizerType) bool
type AnonymizerType ¶
// AnonymizerType identifies a DataAnonymizer implementation; it is the value
// returned by GetType.
type AnonymizerType string

// NetworkAnonymizerType is the AnonymizerType reported by NetworkAnonymizer.
const NetworkAnonymizerType AnonymizerType = "networking"
type DataAnonymizer ¶
// DataAnonymizer is implemented by each concrete anonymizer that Anonymizer
// can delegate to.
type DataAnonymizer interface {
	// GetType reports which AnonymizerType this implementation represents.
	GetType() AnonymizerType
	// IsEnabled reports whether this anonymizer is active and should be applied.
	IsEnabled() bool
	// AnonymizeData processes memoryRecord and returns its anonymized form,
	// or an error if the record could not be processed.
	AnonymizeData(memoryRecord *record.MemoryRecord) (*record.MemoryRecord, error)
}
type NetworkAnonymizer ¶
// NetworkAnonymizer is the DataAnonymizer that obfuscates IPv4 addresses and
// the cluster base domain. Build one with NewNetworkAnonymizerFromConfig,
// NewNetworkAnonymizerFromConfigClient or NetworkAnonymizerBuilder; its IP
// translation table can be reset (ResetTranslationTable) or persisted to a
// Secret (StoreTranslationTable).
type NetworkAnonymizer struct {
// contains filtered or unexported fields
}
func NewNetworkAnonymizerFromConfig ¶
func NewNetworkAnonymizerFromConfig( ctx context.Context, gatherKubeConfig *rest.Config, gatherProtoKubeConfig *rest.Config, protoKubeConfig *rest.Config, configurator configobserver.Interface, dataPolicy []insightsv1.DataPolicyOption, ) (*NetworkAnonymizer, error)
func NewNetworkAnonymizerFromConfigClient ¶
func NewNetworkAnonymizerFromConfigClient( ctx context.Context, kubeClient kubernetes.Interface, gatherKubeClient kubernetes.Interface, configClient configv1client.ConfigV1Interface, networkClient networkv1client.NetworkV1Interface, configurator configobserver.Interface, dataPolicies []insightsv1.DataPolicyOption, sensitiveVals map[string]string, ) (*NetworkAnonymizer, error)
func (*NetworkAnonymizer) AnonymizeData ¶
func (na *NetworkAnonymizer) AnonymizeData(memoryRecord *record.MemoryRecord) (*record.MemoryRecord, error)
AnonymizeData takes a record.MemoryRecord, removes the sensitive data from it and returns the same object.
func (*NetworkAnonymizer) GetType ¶
func (na *NetworkAnonymizer) GetType() AnonymizerType
func (*NetworkAnonymizer) IsEnabled ¶
func (na *NetworkAnonymizer) IsEnabled() bool
IsEnabled returns true if obfuscation (hiding IPs and domain names) is enabled and false otherwise.
func (*NetworkAnonymizer) ObfuscateIP ¶
func (na *NetworkAnonymizer) ObfuscateIP(ipStr string) string
ObfuscateIP takes an IP as a string and returns its obfuscated version. If the IP already exists in the translation table, the stored value is returned; otherwise an obfuscated version is created and recorded in the translation table.
func (*NetworkAnonymizer) ResetTranslationTable ¶
func (na *NetworkAnonymizer) ResetTranslationTable()
ResetTranslationTable resets the translation table, so that the translation table of multiple gathers won't mix together.
func (*NetworkAnonymizer) StoreTranslationTable ¶
func (na *NetworkAnonymizer) StoreTranslationTable() *corev1.Secret
StoreTranslationTable stores the translation table in a Secret in the openshift-insights namespace. The actual data is stored in the StringData portion of the Secret. Because the table maps obfuscated values back to the original ones, access to this Secret should be restricted like any other sensitive data.
type NetworkAnonymizerBuilder ¶
// NetworkAnonymizerBuilder assembles a NetworkAnonymizer step by step. Each
// With* method records one input (clients, configurator, data policies,
// networks, sensitive values) and returns the builder for chaining; Build
// produces the NetworkAnonymizer or an error.
type NetworkAnonymizerBuilder struct {
// contains filtered or unexported fields
}
func (*NetworkAnonymizerBuilder) Build ¶
func (b *NetworkAnonymizerBuilder) Build() (*NetworkAnonymizer, error)
func (*NetworkAnonymizerBuilder) WithConfigClient ¶
func (b *NetworkAnonymizerBuilder) WithConfigClient(configClient v1.ConfigV1Interface) *NetworkAnonymizerBuilder
func (*NetworkAnonymizerBuilder) WithConfigurator ¶
func (b *NetworkAnonymizerBuilder) WithConfigurator(configurator configobserver.Interface) *NetworkAnonymizerBuilder
func (*NetworkAnonymizerBuilder) WithDataPolicies ¶
func (b *NetworkAnonymizerBuilder) WithDataPolicies(dataPolicy ...insightsv1.DataPolicyOption) *NetworkAnonymizerBuilder
func (*NetworkAnonymizerBuilder) WithKubeClient ¶
func (b *NetworkAnonymizerBuilder) WithKubeClient(kubeClient kubernetes.Interface) *NetworkAnonymizerBuilder
func (*NetworkAnonymizerBuilder) WithNetworkClient ¶
func (b *NetworkAnonymizerBuilder) WithNetworkClient(networkClient networkv1client.NetworkV1Interface) *NetworkAnonymizerBuilder
func (*NetworkAnonymizerBuilder) WithNetworks ¶
func (b *NetworkAnonymizerBuilder) WithNetworks(networks []string) *NetworkAnonymizerBuilder
func (*NetworkAnonymizerBuilder) WithRunningInCluster ¶
func (b *NetworkAnonymizerBuilder) WithRunningInCluster(runningInCluster bool) *NetworkAnonymizerBuilder
func (*NetworkAnonymizerBuilder) WithSecretsClient ¶
func (b *NetworkAnonymizerBuilder) WithSecretsClient(client corev1client.SecretInterface) *NetworkAnonymizerBuilder
func (*NetworkAnonymizerBuilder) WithSensitiveValue ¶
func (b *NetworkAnonymizerBuilder) WithSensitiveValue(value, placeholder string) *NetworkAnonymizerBuilder
WithSensitiveValue adds a term that the anonymizer obfuscates in the records. It works as a key-value map, where all instances of 'value' are replaced by 'placeholder'.