Protecting your data
Our agent gathers data from your cluster and sends it to the Jetstack Secure Platform SaaS backend for analysis. Which data is sent is controlled by the agent's config file.
Data gathered with the default configuration
The default agent config (which can be reviewed and modified during installation) gathers the following data from a Kubernetes cluster:
- Pods
- Services
- ReplicaSets
- Deployments
- Ingresses
- Certificates
- CertificateRequests
- Secrets
  - We do not collect the private keys from Kubernetes secrets.
  - When collecting a secret the following steps are taken:
    - If the secret is of type kubernetes.io/tls, all data keys are removed except tls.crt and ca.crt (so tls.key, the private key, is never collected). This allows Jetstack Secure to check properties of certificates without getting access to the private key.
    - For a secret of any other type, all keys and values of the secret's data are removed.
- For all resources, the kubectl.kubernetes.io/last-applied-configuration annotation is removed, because kubectl stores the complete last-applied object in it, which can include secret data.
The code that implements this can be reviewed on GitHub.
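To make the redaction rules above concrete, here is an added Go example (not the agent's own code, which is the authoritative reference on GitHub) that applies them to a simplified Secret type. The Secret struct is a stand-in for the Kubernetes corev1.Secret with only the fields the redaction touches, the sample secrets are constructed placeholders, and the annotation key is spelled out in full as kubectl.kubernetes.io/last-applied-configuration.

```go
package main

import (
	"fmt"
	"sort"
)

// Secret is a simplified stand-in for a Kubernetes corev1.Secret: only the
// fields the redaction step touches are modelled (an assumption of this
// example, not the agent's real types).
type Secret struct {
	Name        string
	Namespace   string
	Type        string
	Annotations map[string]string
	Data        map[string][]byte
}

const (
	tlsSecretType         = "kubernetes.io/tls"
	lastAppliedAnnotation = "kubectl.kubernetes.io/last-applied-configuration"
)

// tlsKeysToKeep lists the only data keys retained for kubernetes.io/tls
// secrets; tls.key (the private key) is deliberately absent.
var tlsKeysToKeep = map[string]bool{"tls.crt": true, "ca.crt": true}

// StripLastApplied returns a copy of annotations without the
// last-applied-configuration annotation, which can embed the full original
// object (secret data included). This applies to every collected resource.
func StripLastApplied(annotations map[string]string) map[string]string {
	out := make(map[string]string, len(annotations))
	for k, v := range annotations {
		if k == lastAppliedAnnotation {
			continue
		}
		out[k] = v
	}
	return out
}

// RedactSecret returns a copy of s that is safe to send off-cluster: for
// kubernetes.io/tls secrets only tls.crt and ca.crt survive, for every other
// type the data map is emptied, and the last-applied annotation is dropped.
// The input is never mutated.
func RedactSecret(s Secret) Secret {
	out := Secret{
		Name:        s.Name,
		Namespace:   s.Namespace,
		Type:        s.Type,
		Annotations: StripLastApplied(s.Annotations),
		Data:        map[string][]byte{},
	}
	if s.Type != tlsSecretType {
		return out // non-TLS secret: all keys and values removed
	}
	for k, v := range s.Data {
		if tlsKeysToKeep[k] {
			out.Data[k] = append([]byte(nil), v...) // copy, do not alias the input
		}
	}
	return out
}

// DataKeys returns the sorted data keys of a secret, for inspection.
func DataKeys(s Secret) []string {
	keys := make([]string, 0, len(s.Data))
	for k := range s.Data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

func main() {
	// Constructed sample secrets; the values are placeholders, not real key material.
	samples := []Secret{
		{Name: "web-tls", Namespace: "default", Type: tlsSecretType,
			Annotations: map[string]string{lastAppliedAnnotation: `{"data":{"tls.key":"..."}}`, "owner": "web"},
			Data:        map[string][]byte{"tls.crt": []byte("CERT"), "tls.key": []byte("PRIVATE"), "ca.crt": []byte("CA")}},
		// An Opaque secret loses everything, even a key that happens to be named tls.crt.
		{Name: "db-creds", Namespace: "default", Type: "Opaque",
			Data: map[string][]byte{"password": []byte("hunter2"), "tls.crt": []byte("CERT")}},
	}
	for _, s := range samples {
		r := RedactSecret(s)
		fmt.Printf("%s/%s (%s): data keys %v -> %v, annotations %d -> %d\n",
			s.Namespace, s.Name, s.Type, DataKeys(s), DataKeys(r), len(s.Annotations), len(r.Annotations))
	}
}
```

The decision is keyed on the secret's type, not on its key names: an Opaque secret that happens to contain a tls.crt entry is still emptied completely, and nothing but tls.crt and ca.crt survives even for a genuine kubernetes.io/tls secret.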
As part of installation the agent needs to be granted RBAC access to the resources that it will collect. It cannot access anything that it is not granted access to by the RBAC policy. The default RBAC policy can be reviewed during installation.
It is also possible to configure the agent to collect data from GKE. Again, what the agent can collect is limited by the Google Cloud IAM permissions it is granted, so it cannot access any data it has not been granted access to. If configured to collect data from GKE, the agent collects the configuration data of the GKE cluster.