Data loss prevention (DLP)
Ensure that sensitive data isn’t logged or leaked by masking data in response bodies.
This is an Enterprise-only feature that requires a Gloo Gateway Enterprise license.
About data loss prevention
Data Loss Prevention (DLP) is a method of ensuring that sensitive data isn’t logged or leaked. Gloo Gateway accomplishes this by performing a series of regex replacements on the response body.
DLP for response bodies and headers
When you apply a DLP rule, Gloo Gateway completes a series of regex replacements on the body of each response that it processes. For example, consider the following response body that is returned to Gloo Gateway.
{
"fakevisa": "4397945340344828",
"ssn": "123-45-6789"
}
With DLP enabled, Gloo Gateway applies a transformation to the response that masks sensitive data.
{
"fakevisa": "XXXXXXXXXXXX4828",
"ssn": "XXX-XX-X789"
}
DLP for access logs
DLP on access logs is currently not supported for Gloo Gateway in Kubernetes Gateway API mode.
Before you begin
Follow the Get started guide to install Gloo Gateway, set up a gateway resource, and deploy the httpbin sample app.
Get the external address of the gateway and save it in an environment variable.
Predefined actions for response bodies
Send a request to the httpbin app that returns a fake social security number and VISA credit card number in your response. Verify that the sensitive information is returned unmasked.
Example output:
...
{
  "args": {
    "fakeamex": [
      "349191317465935"
    ],
    "ssn": [
      "123-45-6789"
    ]
  },
  "headers": {
    "Accept": [
      "*/*"
    ],
    "Host": [
      "www.example.com:8080"
    ],
...
Create a RouteOption resource to define your DLP rules. The following example uses DLP predefined actions to mask the credit card and social security numbers.
kubectl apply -f- <<EOF
apiVersion: gateway.solo.io/v1
kind: RouteOption
metadata:
  name: dlp
  namespace: httpbin
spec:
  options:
    dlp:
      actions:
      - actionType: SSN
      - actionType: ALL_CREDIT_CARDS
EOF
Create an HTTPRoute resource that exposes the httpbin app on the dlp.example domain and applies the DLP rules that you defined.
kubectl apply -f- <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin-dlp
  namespace: httpbin
spec:
  parentRefs:
  - name: http
    namespace: gloo-system
  hostnames:
  - dlp.example
  rules:
  - filters:
    - type: ExtensionRef
      extensionRef:
        group: gateway.solo.io
        kind: RouteOption
        name: dlp
    backendRefs:
    - name: httpbin
      port: 8000
EOF
Send a request to the httpbin app on the dlp.example domain. Verify that the sensitive information is now masked.
Example output:
...
{
  "args": {
    "fakeamex": [
      "XXXXXXXXXXX5935"
    ],
    "ssn": [
      "XXX-XX-X789"
    ]
  },
  "headers": {
    "Accept": [
      "*/*"
    ],
    "Host": [
      "dlp.example:8080"
    ],
...
Optional: Clean up the resources that you created.
kubectl delete routeoption dlp -n httpbin
kubectl delete httproute httpbin-dlp -n httpbin
Custom actions for response bodies
In this example, you mask data in responses by using a custom DLP action.
Send a request to the httpbin app along the /json path. Requests to this path return a slideshow example with attributes, such as the author, title, and slideshow items. Verify that the author attribute is unmasked.
Example output:
{
  "slideshow": {
    "author": "Yours Truly",
    "date": "date of publication",
    "slides": [
      {
        "title": "Wake up to WonderWidgets!",
        "type": "all"
      },
      {
        "items": [
          "Why <em>WonderWidgets</em> are great",
          "Who <em>buys</em> WonderWidgets"
        ],
        "title": "Overview",
        "type": "all"
      }
    ],
    "title": "Sample Slide Show"
  }
}
Create a RouteOption resource to define your DLP rules. The following example creates a custom rule that captures the author in the response body and replaces the name of the author with _ characters. The regex is matched against the raw response body, so it includes the "author": key and the surrounding quotes; subgroup: 1 selects the first capture group, so only the author's name is masked, and percent: value: 100 masks the entire captured value.
kubectl apply -f- <<EOF
apiVersion: gateway.solo.io/v1
kind: RouteOption
metadata:
  name: dlp
  namespace: httpbin
spec:
  options:
    dlp:
      actions:
      - customAction:
          maskChar: "_"
          name: test # only used for logging
          percent:
            value: 100
          regexActions:
          - regex: '"author": [^"]*"([^"]*)"'
            subgroup: 1
EOF
Create an HTTPRoute resource that exposes the httpbin app on the dlp.example domain and applies the DLP rules that you defined.
kubectl apply -f- <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin-dlp
  namespace: httpbin
spec:
  parentRefs:
  - name: http
    namespace: gloo-system
  hostnames:
  - dlp.example
  rules:
  - filters:
    - type: ExtensionRef
      extensionRef:
        group: gateway.solo.io
        kind: RouteOption
        name: dlp
    backendRefs:
    - name: httpbin
      port: 8000
EOF
Send a request to the httpbin app on the dlp.example domain. Verify that the author is now masked.
Example output:
{
  "slideshow": {
    "author": "_____ _____",
    "date": "date of publication",
    "slides": [
      {
        "title": "Wake up to WonderWidgets!",
        "type": "all"
      },
      {
        "items": [
          "Why <em>WonderWidgets</em> are great",
          "Who <em>buys</em> WonderWidgets"
        ],
        "title": "Overview",
        "type": "all"
      }
    ],
    "title": "Sample Slide Show"
  }
}
Optional: Remove the resources that you created.
kubectl delete routeoption dlp -n httpbin
kubectl delete httproute httpbin-dlp -n httpbin
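To make the regex-replacement model behind both procedures above (the predefined actions and the custom author action) concrete, here is an added Python re-implementation of the masking step. It is example code written for this page, not Gloo Gateway's filter. The SSN and ALL_CREDIT_CARDS regexes are constructed stand-ins, not Gloo's built-in patterns, and the masking rule (mask the leading percent of alphanumeric characters, keep separators such as dashes and spaces, default 75 percent) is an assumption chosen because it reproduces the masked outputs shown on this page. The response bodies are constructed from the httpbin outputs above.

```python
import math
import re
from dataclasses import dataclass
from typing import List

# Illustrative re-implementation of regex-subgroup masking as described on this
# page. NOT Gloo Gateway's code. The SSN / ALL_CREDIT_CARDS patterns are
# constructed stand-ins, and the masking rule (mask the leading `percent` of
# alphanumeric characters, keep separators) is an assumption that reproduces the
# page's outputs: "123-45-6789" -> "XXX-XX-X789", "Yours Truly" -> "_____ _____".


@dataclass
class RegexAction:
    regex: str         # matched against the serialized response body, not parsed JSON
    subgroup: int = 0  # capture group to mask; 0 masks the whole match


@dataclass
class CustomAction:
    name: str                        # only used for logging, like the RouteOption field
    regex_actions: List[RegexAction]
    mask_char: str = "X"
    percent: float = 75.0            # share of the captured text to mask (assumed default)


def mask_text(text: str, mask_char: str, percent: float) -> str:
    """Mask the first `percent` of alphanumeric characters (floored); separators stay."""
    alnum_positions = [i for i, c in enumerate(text) if c.isalnum()]
    count = math.floor(len(alnum_positions) * percent / 100)
    masked = set(alnum_positions[:count])
    return "".join(mask_char if i in masked else c for i, c in enumerate(text))


def apply_action(body: str, action: CustomAction) -> str:
    """Run each regex of one action over the body, masking only the chosen subgroup."""
    for ra in action.regex_actions:
        pattern = re.compile(ra.regex)

        def replace(m):
            start, end = m.span(ra.subgroup)
            if start == -1:          # the group did not participate in this match
                return m.group(0)
            whole = m.group(0)
            rel_start, rel_end = start - m.start(), end - m.start()
            return (whole[:rel_start]
                    + mask_text(whole[rel_start:rel_end], action.mask_char, action.percent)
                    + whole[rel_end:])

        body = pattern.sub(replace, body)
    return body


def apply_dlp(body: str, actions: List[CustomAction]) -> str:
    """Apply the actions in order, as they are listed in a RouteOption."""
    for action in actions:
        body = apply_action(body, action)
    return body


# Constructed stand-ins for the page's predefined actions (not Gloo's real patterns).
SSN_ACTION = CustomAction(
    name="SSN",
    regex_actions=[RegexAction(r"\b(\d{3}-\d{2}-\d{4})\b", subgroup=1)],
)
CARD_ACTION = CustomAction(
    name="ALL_CREDIT_CARDS",
    regex_actions=[RegexAction(r"\b(\d{13,16})\b", subgroup=1)],
)
# The custom action from the RouteOption above, with its regex and settings as written.
AUTHOR_ACTION = CustomAction(
    name="test",
    regex_actions=[RegexAction(r'"author": [^"]*"([^"]*)"', subgroup=1)],
    mask_char="_",
    percent=100,
)

# Constructed bodies modelled on the httpbin responses shown on this page.
ARGS_BODY = '{"args": {"fakeamex": ["349191317465935"], "ssn": ["123-45-6789"]}}'
SLIDESHOW_BODY = '{"slideshow": {"author": "Yours Truly", "title": "Sample Slide Show"}}'

if __name__ == "__main__":
    print(apply_dlp(ARGS_BODY, [SSN_ACTION, CARD_ACTION]))
    print(apply_dlp(SLIDESHOW_BODY, [AUTHOR_ACTION]))
```

Because the regex runs over the serialized body text, matching is sensitive to formatting: the page's author regex requires a space after the colon, so a compact body such as {"author":"Yours Truly"} passes through unmasked. When you write custom actions, test them against the exact serialization your upstream emits, and treat regex masking as a defence in depth behind not emitting the sensitive field in the first place.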