Preflight checks and support bundles include built-in redactors that hide sensitive customer data before it is analyzed. These default redactors hide passwords, tokens, AWS secrets, database connection strings, and URLs that contain usernames and passwords.
The default redactors can be disabled using the command line only. Replicated recommends leaving the redactors enabled.
For Replicated KOTS, you can add custom redactors to support bundles using the Redactor custom resource manifest file. For example, you can redact API keys or account numbers, depending on your customer needs. For more information about redactors, see Redacting Data in the Troubleshoot documentation.
Defining Custom Redactors
You can add custom redactors to KOTS using the following basic Redactor custom resource manifest file (
Objects and Fields
A redactor supports two objects: `fileSelector` and `removals`. These objects specify the files the redactor applies to and how the redactions occur. For more information and examples of these fields, see KOTS Redactor Example below and Redactors in the Troubleshoot documentation.
The `fileSelector` object determines which files the redactor is applied to. If this object is omitted from the manifest file, the redactor is applied to all files. This object supports the following optional fields:

| Field | Description |
|---|---|
| `file` | (Optional) Specifies a single file for redaction. |
| `files` | (Optional) Specifies multiple files for redaction. |
Globbing is used to match files. For example,
/my/test/glob/file, but does not match
The `removals` object is required and defines the redactions that occur. This object supports the following fields. At least one of these fields must be specified:

| Field | Description |
|---|---|
| `regex` | (Optional) Allows a regular expression to be applied for removal and redaction on lines that immediately follow a line that matches a filter. The `selector` field identifies those lines, and the `redactor` field holds the regular expression that is applied to the line after each selector match; if `selector` is omitted, `redactor` is applied to every line. Matches to the regex are removed or redacted, depending on the construction of the regex. Any portion of a match not contained within a capturing group is removed entirely. The contents of capturing groups tagged `mask` are replaced with `***HIDDEN***`. |
| `values` | (Optional) Specifies values to replace with the string `***HIDDEN***`. |
| `yamlPath` | (Optional) Specifies a dot-separated path into a YAML document whose value is redacted; `*` matches every item of a sequence (for example, `abc.xyz.*`). |

For `yamlPath` redaction, files that fail to parse as YAML or do not contain any matches are not modified. Files that do contain matches are re-rendered, which removes comments and custom formatting. Multi-document YAML is not fully supported: only the first document is checked for matches, and if a match is found, later documents are discarded entirely.
KOTS Redactor Example
The following example `spec` shows regex and yamlPath redaction for a support bundle:
```yaml
spec:
  redactors:
  - name: all files # as no file is specified, this redactor will run against all files
    removals:
      regex:
      - redactor: (another)(?P<mask>.*)(here) # this will replace anything between the strings `another` and `here` with `***HIDDEN***`
      - selector: 'S3_ENDPOINT' # remove the value in lines immediately following those that contain the string `S3_ENDPOINT`
        redactor: '("value": ").*(")'
      yamlPath:
      - "abc.xyz.*" # redact all items in the array at key `xyz` within key `abc` in YAML documents
```
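To check how a `regex` removal behaves before relying on it in a support bundle, the following Python script (an added example, not code from Replicated or the Troubleshoot project) emulates the semantics described under the `removals` object: text matched outside any capturing group is removed, a group named `mask` becomes `***HIDDEN***`, and with a `selector` the `redactor` only runs on the line after a selector match. The emulation and the sample lines are my own assumptions; the two patterns are the ones from the example above.

```python
import re

HIDDEN = "***HIDDEN***"


def redact_line(line, pattern):
    """Apply one `redactor` regex to a single line (emulation, an assumption):
    each match is rebuilt from its capturing groups only, so text outside any
    group is removed; a group named `mask` becomes ***HIDDEN***; others are kept."""
    rx = re.compile(pattern)
    mask_idx = rx.groupindex.get("mask")

    def rebuild(m):
        parts = []
        for i in range(1, rx.groups + 1):
            parts.append(HIDDEN if i == mask_idx else (m.group(i) or ""))
        return "".join(parts)

    return rx.sub(rebuild, line)


def redact_lines(lines, pattern, selector=None):
    """Apply the redactor to every line or, when `selector` is given, only to the
    line immediately following a line that contains a selector match."""
    sel = re.compile(selector) if selector else None
    apply_next = sel is None  # no selector: the redactor runs on every line
    out = []
    for line in lines:
        out.append(redact_line(line, pattern) if apply_next else line)
        if sel is not None:
            apply_next = sel.search(line) is not None
    return out


# Constructed sample lines resembling an environment dump in a support bundle.
SAMPLE_LINES = [
    "token=another super-secret here",
    '{"name": "S3_ENDPOINT",',
    '  "value": "s3.internal.example"},',
    '{"name": "LOG_LEVEL",',
    '  "value": "debug"},',
]
MASK_PATTERN = r"(another)(?P<mask>.*)(here)"  # pattern from the example above
VALUE_PATTERN = r'("value": ").*(")'  # pattern from the example above


def run_example():
    """Apply both example redactors in order; only the S3_ENDPOINT value is emptied."""
    lines = redact_lines(SAMPLE_LINES, MASK_PATTERN)
    return redact_lines(lines, VALUE_PATTERN, selector="S3_ENDPOINT")
```

Note that the second pattern has no `mask` group, so the matched value is removed rather than replaced with `***HIDDEN***`, and that without the `selector` it would empty the `LOG_LEVEL` value as well.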