Data loss prevention (DLP)
Ensure that sensitive data isn’t logged or leaked by masking data in response bodies.
About data loss prevention
Data Loss Prevention (DLP) is a method of ensuring that sensitive data isn’t logged or leaked. Gloo Gateway accomplishes this by performing a series of regex replacements on the response body.
DLP for response bodies and headers
When you apply a DLP rule, Gloo Gateway completes a series of regex replacements on the body of each response that it processes. For example, consider the following response body that is returned to Gloo Gateway.
{
  "fakevisa": "4397945340344828",
  "ssn": "123-45-6789"
}

With DLP enabled, Gloo Gateway applies a transformation to the response that masks the sensitive data.
{
  "fakevisa": "XXXXXXXXXXXX4828",
  "ssn": "XXX-XX-X789"
}

DLP for access logs
Before you begin
Get the external address of the gateway and save it in an environment variable.
If the gateway is exposed through a load balancer:

export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system gloo-proxy-http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
echo $INGRESS_GW_ADDRESS

If you use port forwarding instead:

kubectl port-forward deployment/gloo-proxy-http -n gloo-system 8080:8080
Predefined actions for response bodies
Send a request to the httpbin app that returns a fake social security number and VISA credit card number in your response. Verify that the sensitive information is returned unmasked.
Load balancer:

curl -vik "http://$INGRESS_GW_ADDRESS:8080/anything?fakeamex=349191317465935&ssn=123-45-6789" -H "host: www.example.com:8080"

Port forwarding:

curl -i "localhost:8080/anything?fakeamex=349191317465935&ssn=123-45-6789" -H "host: www.example.com"

Example output:

...
{
  "args": {
    "fakeamex": [
      "349191317465935"
    ],
    "ssn": [
      "123-45-6789"
    ]
  },
  "headers": {
    "Accept": [
      "*/*"
    ],
    "Host": [
      "www.example.com:8080"
    ],
...

2. Create a RouteOption resource to define your DLP rules. The following example uses the DLP predefined actions to mask credit card and social security numbers.

kubectl apply -f- <<EOF
apiVersion: gateway.solo.io/v1
kind: RouteOption
metadata:
  name: dlp
  namespace: httpbin
spec:
  options:
    dlp:
      actions:
      - actionType: SSN
      - actionType: ALL_CREDIT_CARDS
EOF

3. Create an HTTPRoute resource that exposes the httpbin app on the dlp.example domain and applies the DLP rules that you defined.

kubectl apply -f- <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin-dlp
  namespace: httpbin
spec:
  parentRefs:
  - name: http
    namespace: gloo-system
  hostnames:
  - dlp.example
  rules:
  - filters:
    - type: ExtensionRef
      extensionRef:
        group: gateway.solo.io
        kind: RouteOption
        name: dlp
    backendRefs:
    - name: httpbin
      port: 8000
EOF

4. Send a request to the httpbin app on the dlp.example domain. Verify that the sensitive information is now masked.

Load balancer:

curl -vik "http://$INGRESS_GW_ADDRESS:8080/anything?fakeamex=349191317465935&ssn=123-45-6789" -H "host: dlp.example:8080"

Port forwarding:

curl -i "localhost:8080/anything?fakeamex=349191317465935&ssn=123-45-6789" -H "host: dlp.example"

Example output:

...
{
  "args": {
    "fakeamex": [
      "XXXXXXXXXXX5935"
    ],
    "ssn": [
      "XXX-XX-X789"
    ]
  },
  "headers": {
    "Accept": [
      "*/*"
    ],
    "Host": [
      "dlp.example:8080"
    ],
...

5. Optional: Clean up the resources that you created.

kubectl delete routeoption dlp -n httpbin
kubectl delete httproute httpbin-dlp -n httpbin
Custom actions for response bodies
In this example, you mask data in responses by using a custom DLP action.
1. Send a request to the httpbin app along the /json path. Requests to this path return a slideshow example with attributes such as the author, title, and slideshow items. Verify that the author attribute is returned unmasked.

Load balancer:

curl -vik "http://$INGRESS_GW_ADDRESS:8080/json" -H "host: www.example.com:8080"

Port forwarding:

curl -i "localhost:8080/json" -H "host: www.example.com"

Example output:

{
  "slideshow": {
    "author": "Yours Truly",
    "date": "date of publication",
    "slides": [
      {
        "title": "Wake up to WonderWidgets!",
        "type": "all"
      },
      {
        "items": [
          "Why <em>WonderWidgets</em> are great",
          "Who <em>buys</em> WonderWidgets"
        ],
        "title": "Overview",
        "type": "all"
      }
    ],
    "title": "Sample Slide Show"
  }
}

2. Create a RouteOption resource to define your DLP rules. The following example creates a custom rule that captures the author in the response body and replaces the name of the author with _ characters.

kubectl apply -f- <<EOF
apiVersion: gateway.solo.io/v1
kind: RouteOption
metadata:
  name: dlp
  namespace: httpbin
spec:
  options:
    dlp:
      actions:
      - customAction:
          maskChar: "_"
          name: test # only used for logging
          percent:
            value: 100
          regexActions:
          - regex: '"author": [^"]*"([^"]*)"'
            subgroup: 1
EOF

3. Create an HTTPRoute resource that exposes the httpbin app on the dlp.example domain and applies the DLP rules that you defined.

kubectl apply -f- <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin-dlp
  namespace: httpbin
spec:
  parentRefs:
  - name: http
    namespace: gloo-system
  hostnames:
  - dlp.example
  rules:
  - filters:
    - type: ExtensionRef
      extensionRef:
        group: gateway.solo.io
        kind: RouteOption
        name: dlp
    backendRefs:
    - name: httpbin
      port: 8000
EOF

4. Send a request to the httpbin app on the dlp.example domain. Verify that the author is now masked.

Load balancer:

curl -vik "http://$INGRESS_GW_ADDRESS:8080/json" -H "host: dlp.example:8080"

Port forwarding:

curl -i "localhost:8080/json" -H "host: dlp.example"

Example output:

{
  "slideshow": {
    "author": "_____ _____",
    "date": "date of publication",
    "slides": [
      {
        "title": "Wake up to WonderWidgets!",
        "type": "all"
      },
      {
        "items": [
          "Why <em>WonderWidgets</em> are great",
          "Who <em>buys</em> WonderWidgets"
        ],
        "title": "Overview",
        "type": "all"
      }
    ],
    "title": "Sample Slide Show"
  }
}

5. Optional: Remove the resources that you created.

kubectl delete routeoption dlp -n httpbin
kubectl delete httproute httpbin-dlp -n httpbin
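The masking behaviour in both procedures above (predefined actions at the default 75 percent, the custom author action at 100 percent) can be modelled to check a regex action before applying it to a gateway. The following is an added example, not Gloo Gateway's own code: it assumes that the leading percent of each matched subgroup is masked character by character while non-alphanumeric characters such as dashes and spaces are kept, which is what the sample outputs on this page show; the SSN and credit-card regexes are constructed stand-ins, since the page does not list Gloo's predefined patterns.

```python
import re

# Assumed behaviour, inferred from the page's sample outputs: the first
# floor(len * percent / 100) characters of the matched subgroup are masked,
# alphanumerics become mask_char, separators ('-', ' ') are kept in place.
def mask_value(value: str, mask_char: str = "X", percent: float = 75.0) -> str:
    n = int(len(value) * percent / 100)          # "123-45-6789" -> 8 of 11 chars
    head = "".join(mask_char if ch.isalnum() else ch for ch in value[:n])
    return head + value[n:]

def apply_regex_action(body: str, regex: str, subgroup: int = 0,
                       mask_char: str = "X", percent: float = 75.0) -> str:
    """Mask only the chosen capture group of every match, like a regexActions entry."""
    def repl(m: re.Match) -> str:
        if m.group(subgroup) is None:            # optional group did not participate
            return m.group(0)
        whole, off = m.group(0), m.start()
        s, e = m.span(subgroup)
        return whole[:s - off] + mask_value(m.group(subgroup), mask_char, percent) + whole[e - off:]
    return re.compile(regex).sub(repl, body)

# Constructed stand-ins for the SSN and ALL_CREDIT_CARDS predefined actions
# (Gloo's real patterns are not on this page), plus the page's custom action.
ACTIONS = [
    {"regex": r"\b\d{3}-\d{2}-\d{4}\b", "subgroup": 0, "maskChar": "X", "percent": 75},
    {"regex": r"\b\d{15,16}\b",          "subgroup": 0, "maskChar": "X", "percent": 75},
    {"regex": r'"author": [^"]*"([^"]*)"', "subgroup": 1, "maskChar": "_", "percent": 100},
]

def apply_dlp(body: str, actions=ACTIONS) -> str:
    """Run the actions in order over a response body, as the gateway would."""
    for a in actions:
        body = apply_regex_action(body, a["regex"], a["subgroup"], a["maskChar"], a["percent"])
    return body

if __name__ == "__main__":
    # Constructed response bodies mirroring the page's examples.
    print(apply_dlp('{"fakevisa": "4397945340344828", "ssn": "123-45-6789"}'))
    print(apply_dlp('{"args": {"fakeamex": ["349191317465935"]}}'))
    print(apply_dlp('{"slideshow": {"author": "Yours Truly"}}'))
```

Running the same body through the model before and after a regex change shows exactly which characters a new action would expose.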