Protecting your data

The agent gathers data from your cluster and sends it to the Jetstack Secure Platform SaaS backend for analysis. Which data is gathered and sent is controlled by the agent's config file.

Data gathered with the default configuration

The default agent config (which can be reviewed and modified during installation) gathers the following data from a Kubernetes cluster:

  • Pods
  • Services
  • ReplicaSets
  • Deployments
  • Ingresses
  • Certificates
  • CertificateRequests
  • Secrets
    • We do not collect the private keys from Kubernetes secrets.
    • When collecting a secret the following steps are taken:
      • If the secret is of type kubernetes.io/tls, all data keys are removed except tls.crt and ca.crt. This allows Jetstack Secure to check properties of certificates without getting access to the private key (tls.key).
      • For a secret of any other type, all data keys and values are removed.
  • For all resources, the kubectl.kubernetes.io/last-applied-configuration annotation is removed, as it holds a copy of the object as last applied by kubectl and so can contain secret data.
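To make the redaction rules above concrete, here is an added example (not the agent's own code, which lives in the GitHub repository mentioned below) that applies the same three rules to plain JSON objects as the Kubernetes API server returns them. The `Resource` type, the helper names and the sample secret are assumptions made for this example; the annotation key and the secret type and data keys are the real Kubernetes ones.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Resource is a minimal stand-in for an unstructured Kubernetes object as the
// API server returns it (a decoded JSON object). The field names are the real
// ones; the type itself is an assumption made for this example.
type Resource map[string]any

// lastAppliedAnnotation is written by `kubectl apply` and holds the full object
// as last applied, which for a Secret includes its data.
const lastAppliedAnnotation = "kubectl.kubernetes.io/last-applied-configuration"

// tlsKeysToKeep are the only data keys retained for kubernetes.io/tls secrets.
var tlsKeysToKeep = map[string]bool{"tls.crt": true, "ca.crt": true}

// ParseResource decodes one JSON-encoded object.
func ParseResource(jsonText string) (Resource, error) {
	var r Resource
	if err := json.Unmarshal([]byte(jsonText), &r); err != nil {
		return nil, err
	}
	return r, nil
}

// Redact applies the three rules from the list above to obj in place:
//  1. the last-applied-configuration annotation is removed from every kind;
//  2. a kubernetes.io/tls Secret keeps only tls.crt and ca.crt in .data;
//  3. a Secret of any other type loses .data entirely.
func Redact(obj Resource) Resource {
	if meta, ok := obj["metadata"].(map[string]any); ok {
		if ann, ok := meta["annotations"].(map[string]any); ok {
			delete(ann, lastAppliedAnnotation)
			if len(ann) == 0 {
				delete(meta, "annotations")
			}
		}
	}
	if obj["kind"] != "Secret" {
		return obj
	}
	if obj["type"] == "kubernetes.io/tls" {
		if data, ok := obj["data"].(map[string]any); ok {
			for k := range data {
				if !tlsKeysToKeep[k] {
					delete(data, k) // tls.key and any other key is dropped
				}
			}
		}
		return obj
	}
	delete(obj, "data")
	return obj
}

// DataKeys returns the sorted .data keys of obj (empty when there is no .data);
// this is what a reviewer checks after redaction.
func DataKeys(obj Resource) []string {
	keys := []string{}
	if data, ok := obj["data"].(map[string]any); ok {
		for k := range data {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys
}

// HasLastApplied reports whether the last-applied annotation survived.
func HasLastApplied(obj Resource) bool {
	meta, ok := obj["metadata"].(map[string]any)
	if !ok {
		return false
	}
	ann, ok := meta["annotations"].(map[string]any)
	if !ok {
		return false
	}
	_, present := ann[lastAppliedAnnotation]
	return present
}

// sampleTLSSecret is a constructed TLS secret as `kubectl apply` would leave
// it. The base64 values are placeholders, not real certificate or key material.
const sampleTLSSecret = `{
  "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
  "metadata": {"name": "web-tls", "namespace": "default",
    "annotations": {"kubectl.kubernetes.io/last-applied-configuration": "{\"data\":{\"tls.key\":\"placeholder\"}}",
                    "cert-manager.io/issuer-name": "letsencrypt"}},
  "data": {"tls.crt": "Q0VSVA==", "tls.key": "S0VZ", "ca.crt": "Q0E="}
}`

func main() {
	secret, err := ParseResource(sampleTLSSecret)
	if err != nil {
		panic(err)
	}
	Redact(secret)
	fmt.Println("data keys after redaction:", DataKeys(secret))
	fmt.Println("last-applied annotation present:", HasLastApplied(secret))
}
```

Running it prints the two surviving keys, ca.crt and tls.crt, and reports the annotation as absent; other annotations such as cert-manager's issuer name are left in place, since only the last-applied copy can carry secret data.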

The code that implements this can be reviewed on GitHub.

As part of installation the agent must be granted RBAC access to the resources it will collect. It cannot access anything that the RBAC policy does not grant it. The default RBAC policy can be reviewed during installation.

It is also possible to configure the agent to collect data from GKE. In that case what the agent can read is controlled by Google Cloud IAM, so again it cannot access any data that it has not been granted access to. When configured to collect data from GKE, the agent collects the configuration data of the GKE cluster.
