About the speaker: Dean Lewis

    Senior Technical Marketing Engineer

Cilium Hubble: Redact Sensitive Information From Network Observability Flows

Cilium and Hubble give you deep visibility into the network flows across your cloud-native platform and can inspect and show you meaningful data from the transactions between services, such as URL parameters. Sometimes this data is classified as sensitive, or is potentially unnecessary to keep when storing the network flows. In Cilium 1.15, the Hubble Redact features provide the ability to sanitize sensitive information from Layer 7 data flows captured by Hubble.


Transcript:

00:00:00:00 – 00:00:13:04
Hello everyone. So in Hubble 1.15 release, we added some new redaction features to remove sensitive information from the Hubble network flows output.

00:00:13:04 – 00:00:46:23
And I’m going to run you through those three new features quickly. So the first one we’re going to look at is the redaction of the user info. So first we make an HTTP request that includes basic authentication, for example. So admin, psyllium proxies, the password. When we look for that request, we can see it in base64. That’s how it works in HTTP requests and we can decode that back into its plain text so we can see that we’ve just done that live in the terminal.

00:00:47:00 – 00:01:17:09
Now what we’re going to do is enable the redaction using the user info and restart the Cilium pods. And now we make that same request. We now have the Hubble redacted as in the authorization field without header. The next one we’re going to look at is redacting an API key that comes from the Kafka application. So again, we can see that in clear text today when we look at the JSON output from Kafka.

00:01:17:12 – 00:01:48:19
So we’re going to update that to redact the Kafka API as we see that here in these new Helm values we’ve pushed through and we’re waiting for the Cilium pods to come available. And now again, when we look for that flow, we can see that the old redacted and finally we’ve got the HTTP headers themselves. So we’re going to make a request and we’re going to see some particular headers that we’ve put in ourselves.

00:01:48:21 – 00:02:33:13
It’s going to highlight them there for you as well. So into the head of the JSON schema that we’ll look it up, we can see the trace state and we can also see that it being powered by from HP client. We’re going to configure the Hubble to only allow three particular headers and anything else will be denied. And once we update those Helm values and wait for Hubble to restart as already Cilium pods to restart, we now can make that same request and we observe that and we can see that pretty much all of the fields in the headers are redacted apart from the three that we allowed in that configuration.

00:02:33:15 – 00:02:36:03
Really quick and easy to configure those.