diff --git a/content/en/infrastructure/containers/configuration.md b/content/en/infrastructure/containers/configuration.md index 274ff0f98b2..8d576e09385 100644 --- a/content/en/infrastructure/containers/configuration.md +++ b/content/en/infrastructure/containers/configuration.md @@ -33,9 +33,19 @@ container_include: ["name:frontend.*"] **Note**: For Agent 5, instead of including the above in the `datadog.conf` main configuration file, explicitly add a `datadog.yaml` file to `/etc/datadog-agent/`, as the Process Agent requires all configuration options here. This configuration only excludes containers from real-time collection, **not** from Autodiscovery. -### Scrubbing sensitive information +### Scrubbing sensitive information from manifests -To prevent the leaking of sensitive data, you can scrub sensitive words in container YAML files. Container scrubbing is enabled by default for Helm charts, and some default sensitive words are provided: +To help prevent leaking sensitive data, the Agent can be configured to scrub the collected Kubernetes YAML manifests. This scrubbing feature is applied to: + +- Annotation values +- Label values +- Probe configurations (HTTP headers and commands) +- Environment variables +- Container exec commands + +The scrubbing algorithm attempts to detect key-value pairs containing secrets based on a set of sensitive keywords, replacing corresponding values with `********`. This logic is applied to structured key-value pairs (such as environment variables) as well as values that look like JSON or YAML content, which may contain key-value pairs within the content. + +Scrubbing is enabled by default using the following sensitive keywords: - `password` - `passwd` 
@@ -49,14 +59,10 @@ To prevent the leaking of sensitive data, you can scrub sensitive words in conta - `credentials` - `stripetoken` -You can set additional sensitive words by providing a list of words to the environment variable `DD_ORCHESTRATOR_EXPLORER_CUSTOM_SENSITIVE_WORDS`. This adds to, and does not overwrite, the default words. +You can supply additional sensitive keywords by providing a space-delimited list in the environment variable: `DD_ORCHESTRATOR_EXPLORER_CUSTOM_SENSITIVE_WORDS`. This adds to the default words and does not overwrite them. To use this environment variable, you must configure it for following Agents: -**Note**: The additional sensitive words must be in lowercase, as the Agent compares the text with the pattern in lowercase. This means `password` scrubs `MY_PASSWORD` to `MY_*******`, while `PASSWORD` does not. - -You need to setup this environment variable for the following agents: - -- process-agent -- cluster-agent +- Core Agent +- Cluster Agent ```yaml env: @@ -64,6 +70,8 @@ env: value: "customword1 customword2 customword3" ``` +**Note**: Any additional sensitive words must be provided as lowercase strings. The Agent converts text to lowercase before matching for sensitive words. If the sensitive word is `password`, `MY_PASSWORD=1234` is scrubbed to `MY_PASSWORD=********` because the Agent converts `MY_PASSWORD` to `my_password`, which mean the sensitive word `PASSWORD` does not match anything. + For example, because `password` is a sensitive word, the scrubber changes `` in any of the following to a string of asterisks, `***********`: ```text @@ -71,6 +79,7 @@ password password= password: password::::== +config={"password":""} ``` However, the scrubber does not scrub paths that contain sensitive words. For example, it does not overwrite `/etc/vaultd/secret/haproxy-crt.pem` with `/etc/vaultd/******/haproxy-crt.pem` even though `secret` is a sensitive word. 
diff --git a/content/en/infrastructure/containers/orchestrator_explorer.md b/content/en/infrastructure/containers/orchestrator_explorer.md index 13fd5e9a4aa..8fcca109841 100644 --- a/content/en/infrastructure/containers/orchestrator_explorer.md +++ b/content/en/infrastructure/containers/orchestrator_explorer.md @@ -14,7 +14,7 @@ Orchestrator Explorer requires **Agent version >= 7.27.0** and **Cluster Agent v ## Setup -Ensure that you have [enabled the Process Agent][2]. If you are using Datadog Operator or the official Helm chart, the Orchestrator Explorer is enabled by default. +If you are using Datadog Operator or the official Helm chart, the Orchestrator Explorer is enabled by default. {{< tabs >}} {{% tab "Datadog Operator" %}} @@ -50,8 +50,6 @@ For verification, ensure that the `orchestratorExplorer.enabled` parameter is se datadog: clusterName: # (...) - processAgent: - enabled: true orchestratorExplorer: enabled: true ``` @@ -352,7 +350,6 @@ Percents (`*_pct_*`) are stored as floats, where `0.0` is 0%, and `1.0` is 100%. * In clusters with 1000+ Deployments or ReplicaSets you may notice elevated CPU usage from the Cluster Agent. There is an option to disable container scrubbing in the Helm chart. See [the Helm Chart repo][15] for more details. [1]: https://app.datadoghq.com/orchestration/overview -[2]: /infrastructure/containers/?tab=datadogoperator#setup [9]: /logs [10]: /metrics [11]: /tracing
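Review bot: in the configuration.md hunk `@@ -33,9 +33,19 @@`, the rewritten intro drops the qualifier that scrubbing "is enabled by default for Helm charts" and now states it unconditionally, while orchestrator_explorer.md in this same patch still tells readers that disabling container scrubbing is "an option ... in the Helm chart". Either say where the default applies (Helm chart, Operator, manual install) or keep the qualifier, so the two pages agree on what is on by default and where it is switched off.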
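Review bot: in the configuration.md hunk `@@ -49,14 +59,10 @@`, "you must configure it for following Agents:" is missing "the", and the colon in "in the environment variable: `DD_ORCHESTRATOR_EXPLORER_CUSTOM_SENSITIVE_WORDS`" should go. Suggested: "You can supply additional sensitive keywords as a space-delimited list in the environment variable `DD_ORCHESTRATOR_EXPLORER_CUSTOM_SENSITIVE_WORDS`. ... you must configure it for the following Agents:". The renaming of `process-agent` to "Core Agent" matches the removal of the Process Agent prerequisite elsewhere in the patch, so that part looks consistent.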
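Review bot: in the configuration.md hunk `@@ -64,6 +70,8 @@`, the added note has a grammar slip ("which mean") and its last clause does not follow from the example it is attached to. The point is that the Agent lowercases the scanned text, not the configured word, so a lowercase keyword `password` matches `MY_PASSWORD` while an uppercase keyword `PASSWORD` can never match anything. Suggested: "The Agent lowercases the text before matching, so the keyword `password` scrubs `MY_PASSWORD=1234` to `MY_PASSWORD=********`; a keyword written as `PASSWORD` never matches, because the lowercased text contains no uppercase characters." Also, this note shows eight asterisks (`********`) while the unchanged paragraph right below it shows eleven (`***********`); pick one representation unless the scrubber actually preserves value length, in which case say so.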
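Review bot: in the configuration.md hunk `@@ -71,6 +79,7 @@`, the new example line `config={"password":""}` has an empty value, and the sentence introducing the block reads "the scrubber changes `` in any of the following", so the placeholder token appears to have been lost (most likely an unescaped `<...>` eaten by the renderer). Use a visible, escaped placeholder such as `<value>` in both the sentence and the JSON line, and consider showing the scrubbed result (for example `config={"password":"********"}`), since this JSON case is exactly what the new "values that look like JSON or YAML content" sentence in the first hunk promises to cover.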
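Review bot: in the orchestrator_explorer.md hunk `@@ -50,8 +50,6 @@`, `processAgent.enabled: true` is removed from the Helm values example without any version guidance; the page only states minimum Agent (>= 7.27.0) and Cluster Agent versions. If older chart versions still need the Process Agent for Orchestrator Explorer collection, readers on those charts who copy this trimmed snippet will silently lose data. Add the minimum Helm chart and Operator version from which the Process Agent is no longer required, or keep a short note for users on earlier charts.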
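Review bot: in the orchestrator_explorer.md hunk `@@ -352,7 +350,6 @@`, the `[2]` link definition is deleted; the only visible use of `[2]` was removed in the Setup hunk, but please confirm no other `[2]` reference remains in the file, since a dangling `[2]` would render as literal text. The remaining list also jumps from `[1]` to `[9]`, so a pass over unused or missing link definitions in this file would be worthwhile while touching it.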