Data loss prevention (DLP)
Ensure that sensitive data isn’t logged or leaked by masking data in response bodies.
This feature is an Enterprise-only feature that requires a Gloo Gateway Enterprise license.
About data loss prevention
Data Loss Prevention (DLP) is a method of ensuring that sensitive data isn’t logged or leaked. Gloo Gateway accomplishes this by performing a series of regex replacements on the response body.
DLP for response bodies and headers
When you apply a DLP rule, Gloo Gateway completes a series of regex replacements on the body of each response that it processes. For example, consider the following response body that is returned to Gloo Gateway.
{
"fakevisa": "4397945340344828",
"ssn": "123-45-6789"
}
With DLP enabled, Gloo Gateway applies a transformation to the response that masks sensitive data.
{
"fakevisa": "XXXXXXXXXXXX4828",
"ssn": "XXX-XX-X789"
}
DLP for access logs
DLP on access logs is currently not supported for Gloo Gateway in Kubernetes Gateway API mode.
Before you begin
Follow the Get started guide to install Gloo Gateway, set up a gateway resource, and deploy the httpbin sample app.
Get the external address of the gateway and save it in an environment variable.
Predefined actions for response bodies
Send a request to the httpbin app that returns a fake social security number and VISA credit card number in your response. Verify that the sensitive information is returned unmasked.
Example output:
... { "args": { "fakeamex": [ "349191317465935" ], "ssn": [ "123-45-6789" ] }, "headers": { "Accept": [ "*/*" ], "Host": [ "www.example.com:8080" ], ...Create a RouteOption resource to define your DLP rules. The following example uses DLP predefined actions to mask the credit card and social security numbers.
kubectl apply -f- <<EOF apiVersion: gateway.solo.io/v1 kind: RouteOption metadata: name: dlp namespace: httpbin spec: options: dlp: actions: - actionType: SSN - actionType: ALL_CREDIT_CARDS EOFCreate an HTTPRoute resource that exposes httpbin app on the
dlp.exampledomain and applies the DLP rules that you defined.kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1beta1 kind: HTTPRoute metadata: name: httpbin-dlp namespace: httpbin spec: parentRefs: - name: http namespace: gloo-system hostnames: - dlp.example rules: - filters: - type: ExtensionRef extensionRef: group: gateway.solo.io kind: RouteOption name: dlp backendRefs: - name: httpbin port: 8000 EOFSend a request to the httpbin app on the
dlp.exampledomain. Verify that the sensitive information is now masked.Example output:
... { "args": { "fakeamex": [ "XXXXXXXXXXX5935" ], "ssn": [ "XXX-XX-X789" ] }, "headers": { "Accept": [ "*/*" ], "Host": [ "dlp.example:8080" ], ...Optional: Clean up the resources that you created.
kubectl delete routeoption dlp -n httpbin kubectl delete httproute httpbin-dlp -n httpbin
Custom actions for response bodies
In this example, you mask data in responses by using a custom DLP action.
Send a request to the httpbin app along the
/jsonpath. Requests to this path return a slideshow example with attributes, such as the author, title, and slideshow items. Verify that you see theauthorattribute unmasked.Example output:
{ "slideshow": { "author": "Yours Truly", "date": "date of publication", "slides": [ { "title": "Wake up to WonderWidgets!", "type": "all" }, { "items": [ "Why <em>WonderWidgets</em> are great", "Who <em>buys</em> WonderWidgets" ], "title": "Overview", "type": "all" } ], "title": "Sample Slide Show" } }Create a RouteOption resource to define your DLP rules. The following example creates a custom rule that captures the
authorin the response body and replaces the name of the author with_characters.kubectl apply -f- <<EOF apiVersion: gateway.solo.io/v1 kind: RouteOption metadata: name: dlp namespace: httpbin spec: options: dlp: actions: - customAction: maskChar: "_" name: test # only used for logging percent: value: 100 regexActions: - regex: '"author": [^"]*"([^"]*)"' subgroup: 1 EOFCreate an HTTPRoute resource that exposes httpbin app on the
dlp.exampledomain and applies the DLP rules that you defined.kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1beta1 kind: HTTPRoute metadata: name: httpbin-dlp namespace: httpbin spec: parentRefs: - name: http namespace: gloo-system hostnames: - dlp.example rules: - filters: - type: ExtensionRef extensionRef: group: gateway.solo.io kind: RouteOption name: dlp backendRefs: - name: httpbin port: 8000 EOFSend a request to the httpbin app on the
dlp.exampledomain. Verify that the author is now masked.Example output:
{ "slideshow": { "author": "_____ _____", "date": "date of publication", "slides": [ { "title": "Wake up to WonderWidgets!", "type": "all" }, { "items": [ "Why <em>WonderWidgets</em> are great", "Who <em>buys</em> WonderWidgets" ], "title": "Overview", "type": "all" } ], "title": "Sample Slide Show" } }Optional: Remove the resources that you created.
kubectl delete routeoption dlp -n httpbin kubectl delete httproute httpbin-dlp -n httpbin