Decision Masking
Decision masking allows you to remove information from each decision before it gets logged by OPA in DAS. The system.log
package in the system's policy bundle defines decision masking rules. When you add a Kubernetes system, an example decision masking policy is automatically added to your system. You can view and modify the Decision Mask
policy via the UI as you would any other policy (see Figure 1 below).
As with other policies, decision masking can also be defined at the stack level and applied to a system.
Additional information on decision masking in DAS can be found in the Decision Logs - Decision Masking documentation.
Example Policy
The following example shows the default decision masking policy added to Kubernetes systems. This policy instructs OPA to remove remove all data for Kubernetes Secrets from requests before logging the decision.
package system.log
mask["/input/request/object/data"] {
input.input.request.kind.kind == "Secret"
}
mask["/input/request/oldObject/data"] {
input.input.request.kind.kind == "Secret"
}
mask["/input/request/object/metadata/annotations"] {
input.input.request.kind.kind == "Secret"
}
mask["/input/request/oldObject/metadata/annotations"] {
input.input.request.kind.kind == "Secret"
}
You may also want to mask Kubernetes ConfigMaps (kind == "ConfigMap"
) if your system's ConfigMaps store information which should not be included in decision logs.