Decision Masking

Decision masking allows you to remove information from each decision before it gets logged.

The following example shows a policy that instructs OPA to remove the data and annotations of Kubernetes Secrets, in both the new and the old object of the request, before logging the decision.

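package system.log

# The input to this policy is the decision log event, so the original
# query input is found under input.input. Each mask entry is a JSON
# pointer to a field that is removed from the event before it is logged.

# Secret payload in the new object
mask["/input/request/object/data"] {
    input.input.request.kind.kind == "Secret"
}

# Secret payload in the previous object (present on updates and deletes)
mask["/input/request/oldObject/data"] {
    input.input.request.kind.kind == "Secret"
}

# Annotations on the new object
mask["/input/request/object/metadata/annotations"] {
    input.input.request.kind.kind == "Secret"
}

# Annotations on the previous object
mask["/input/request/oldObject/metadata/annotations"] {
    input.input.request.kind.kind == "Secret"
}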
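
The effect of the policy above on a logged event, as an added Python model (not Styra or OPA code). The sample events are constructed, and the helper names are hypothetical. The model assumes that a pointer to a missing field is skipped and that removed pointers are recorded in the event's `erased` field, following OPA's decision log event format.

```python
import copy

# The four JSON pointers from the policy above.
SECRET_MASKS = [
    "/input/request/object/data",
    "/input/request/oldObject/data",
    "/input/request/object/metadata/annotations",
    "/input/request/oldObject/metadata/annotations",
]

# Constructed sample decision events (not captured from a real cluster).
SECRET_CREATE = {"input": {"request": {
    "kind": {"kind": "Secret"}, "operation": "CREATE",
    "object": {"metadata": {"name": "db-creds", "annotations": {"note": "constructed"}},
               "data": {"password": "Y29uc3RydWN0ZWQ="}},
}}}
CONFIGMAP_CREATE = {"input": {"request": {
    "kind": {"kind": "ConfigMap"}, "operation": "CREATE",
    "object": {"metadata": {"name": "app-config"}, "data": {"mode": "debug"}},
}}}

def mask_paths(event):
    """Mirror the policy: the pointers apply only when the kind is Secret."""
    kind = event.get("input", {}).get("request", {}).get("kind", {}).get("kind")
    return list(SECRET_MASKS) if kind == "Secret" else []

def erase(event, pointer):
    """Remove the field at a JSON pointer; return True if it was present."""
    *parents, leaf = pointer.lstrip("/").split("/")
    node = event
    for key in parents:
        if not isinstance(node, dict) or key not in node:
            return False  # e.g. no oldObject on a CREATE request
        node = node[key]
    if isinstance(node, dict) and leaf in node:
        del node[leaf]
        return True
    return False

def masked_event(event):
    """Return the copy that would be logged, with removed pointers recorded."""
    logged = copy.deepcopy(event)
    erased = [p for p in mask_paths(logged) if erase(logged, p)]
    if erased:
        logged["erased"] = erased  # assumed field name, per OPA's event format
    return logged

if __name__ == "__main__":
    import json
    print(json.dumps(masked_event(SECRET_CREATE), indent=2))
```

The Secret event is logged with its name and kind intact but without `data` or annotations, while the ConfigMap event is logged unchanged because no mask rule matches it.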

Decision masking is supported by Kubernetes and Envoy systems only.

For more information on decision masking, see the masking sensitive data section.