Hubble: add option to sanitize sensitive L7 data from flows

[rolinh]

Hubble has the capability of providing visibility on L7 protocols such as HTTP or Kafka. This layer 7 protocol visibility feature is opt-in and requires users to either create a L7 policy or to add explicit pod annotations to be enabled. Layer 7 Hubble flows, however, may contain sensitive information, for instance as part of some HTTP headers or in a URL itself.

Hubble should provide an option for users to decide which potentially sensitive L7 data to keep in Hubble flows and it should be finely configurable.

• HTTP URL: sanitize user info part (ie the optional username and password details for a URL), on/off: hubble: Conditionally redact user info present in URLs in (L7) HTTP flows #28848
• HTTP URL: remove query and fragment part of a URL, on/off: Hubble: Add option to remove query from HTTP flows #25746
• HTTP Headers: use a list of allowed HTTP header fields. A default list (e.g. tracing related fields) could be provided. Any header not in the list will have it's value sanitized (the key should be preserved). Add option to redact http headers #26724
• Kafka: redact API key, on/off: Hubble: improve security by adding an option to redact API key in Kafka requests (L7) #25844
• DNS: probably nothing to do.

[github-actions]

This issue has been automatically marked as stale because it has not
had recent activity. It will be closed if no further activity occurs.

[ioandr]

Hi @rolinh,

we would like to take a stab on this with @ChrsMark, maybe we could split the items you listed.

Looking at the codebase we understand that we need to extend Hubble's Layer 7 parser and implement the described logic there. This is similar to how Hubble's Layer 7 parser already redacts the user's password to not include it in the network flow. Does this hold?

Thanks!

[rolinh]

Hi @ioandr,

we would like to take a stab on this with @ChrsMark, maybe we could split the items you listed.

Nice! I'm happy to create sub-issues if that helps but we can otherwise simply add your github handle next to each of the task.

Looking at the codebase we understand that we need to extend Hubble's Layer 7 parser and implement the described logic there. This is similar to how Hubble's Layer 7 parser already redacts the user's password to not include it in the network flow. Does this hold?

Yes, that's the way to do it indeed.

Thanks for your contributions!

[ioandr]

Hi @rolinh

we would like to continue working on the rest of the items listed in #23887 (comment) so that we can deliver the whole L7 redaction/sanitization feature in Hubble.

At your convenience please advise on the following items to make sure we are on the same page and we start with the implementation:

1. Redact HTTP password: in Hubble: improve security by adding an option to redact API key in Kafka requests (L7) #25844 (comment) @kaworu suggested that redaction of HTTP passwords should be configurable. This makes sense and seems to be aligned with what we did for Kafka API key and URL query parameters. As @ChrsMark suggested in Hubble: improve security by adding an option to redact API key in Kafka requests (L7) #25844 (comment) we can configure Hubble to redact HTTP passwords by default - if you agree we add an extra item in the description of the current issue for this as it came up as a follow-up.
2. Sanitize user info part in URL: we interpret sanitize here as:
   • username: ensure lowercase, check for disallowed/suspicious special characters (https://xkcd.com/327/ 😬)
   • password: ensure minimum length, check for standard values that one should avoid (e.g., "root", "admin", "12345", etc.)
3. Sanitize HTTP headers: we understand that Hubble should maintain a list of "trusted" HTTP headers that it does not need to sanitize. Then. Hubble should sanitize the value of any other header it captures in L7 flows, leaving its key unchecked/untouched. Similar to 2, we interpret sanitize here as:
   • HTTP header value: check for max length, check for disallowed/suspicious special characters

Maybe we could keep sanitization logic in a single place and reuse it from multiple places. Other than the above, it seems that Envoy itself provides a list of HTTP headers that it potentially sanitizes:

https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/header_sanitizing

Maybe we could get some inspiration from this, given that Cilium itself ships with Envoy.

We are looking forward to your thoughts on the above - once again, we can split tasks with @ChrsMark

[kaworu]

Thanks @ioandr for the detailed comment!

1. Redact HTTP password: in Hubble: improve security by adding an option to redact API key in Kafka requests (L7) #25844 (comment) @kaworu suggested that redaction of HTTP passwords should be configurable. This makes sense and seems to be aligned with what we did for Kafka API key and URL query parameters. As @ChrsMark suggested in Hubble: improve security by adding an option to redact API key in Kafka requests (L7) #25844 (comment) we can configure Hubble to redact HTTP passwords by default - if you agree we add an extra item in the description of the current issue for this as it came up as a follow-up.

Sounds good to me but again, I'd like some consistency around defaults. In my view, both Kafka API keys and HTTP passwords are secrets (in every context) and we should apply the same default redact policy. Redacting Kafka API keys by default would be the less intrusive option as changing the default for HTTP password would be a kind of "breaking change" and has security implications.

Agree that the issue description is lacking in terms of what "sanitize" means concretely. In my opinion: because at the Hubble level we don't know in which context theses value are going to be used we shouldn't modify them. It's up to consumers inserting into a SQL database to take the usual precautions about theses tainted values, so should do consumers generating HTML, printing to a Terminal, etc. cc @rolinh to clarify the intent.

[…] t seems that Envoy itself provides a list of HTTP headers that it potentially sanitizes:

https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/header_sanitizing

While the list is interesting, I think it covers a different use-case. In a reverse-proxy setup (edge node / front-proxy in Envoy documentation) it is critical to "sanitize" some headers (e.g. x-forwarded-for) while passing other as-is (e.g. authentication). In the Hubble case we should do nothing about the former but care about the latter (since it can include sensitive information, e.g. JWT or user/password credentials).

[ioandr]

Sounds good to me but again, I'd like some consistency around defaults. In my view, both Kafka API keys and HTTP passwords are secrets (in every context) and we should apply the same default redact policy. Redacting Kafka API keys by default would be the less intrusive option as changing the default for HTTP password would be a kind of "breaking change" and has security implications.

With @ChrsMark we agree on this, so we can do the following:

1. Expose a new option to redact HTTP password and enable it by default
2. Modify the existing option to redact Kafka API key to enable it by default
3. Leave the existing option to redact URL query params as is (disabled by default)

I can send a small, dedicated PR for 1 and 2 listed above.

Agree that the issue description is lacking in terms of what "sanitize" means concretely.

While the list is interesting, I think it covers a different use-case

Regarding sanitization let's wait for some feedback by @rolinh who originally opened the issue to decide how we will move forward.