annot-exclusion: it is now possible to exclude labels and annotations

Author: maelvls

deploy/charts/venafi-kubernetes-agent/README.md

@@ -423,6 +423,26 @@ Control Plane.
 > ```yaml
 > helm.sh/release.v1
 > ```
+#### **config.excludeAnnotationKeysRegex** ~ `array`
+> Default value:
+> ```yaml
+> []
+> ```
+
+You can configure Venafi Kubernetes Agent to exclude some annotations or labels from being pushed to the Venafi Control Plane. All Kubernetes objects are affected. The objects are still pushed, but the specified annotations and labels are removed before being sent to the Venafi Control Plane.  
+  
+If you would like to exclude annotations keys that contain the word  
+`secret`, use the regular expression `.*secret.*`. The leading and ending .*  
+are important if you want to filter out keys that contain `secret` anywhere in the key string.  
+  
+Note that the annotation `kubectl.kubernetes.io/last-applied-configuration` is already excluded by default, you don't need to exclude it explicitly.  
+  
+Example: excludeAnnotationKeysRegex: [".*secret.*"]
+#### **config.excludeLabelKeysRegex** ~ `array`
+> Default value:
+> ```yaml
+> []
+> ```
 #### **config.configmap.name** ~ `unknown`
 > Default value:
 > ```yaml

deploy/charts/venafi-kubernetes-agent/templates/configmap.yaml

@@ -13,6 +13,10 @@ data:
     cluster_description: {{ .Values.config.clusterDescription | quote }}
     server: {{ .Values.config.server | quote }}
     period: {{ .Values.config.period | quote }}
+    exclude-annotation-keys-regex:
+      {{ .Values.config.excludeAnnotationKeysRegex | nindent 6 }}
+    exclude-label-keys-regex:
+      {{ .Values.config.excludeLabelKeysRegex | nindent 6 }}
     venafi-cloud:
       uploader_id: "no"
       upload_path: "/v1/tlspk/upload/clusterdata"

deploy/charts/venafi-kubernetes-agent/values.schema.json

@@ -165,6 +165,12 @@
         "configmap": {
           "$ref": "#/$defs/helm-values.config.configmap"
         },
+        "excludeAnnotationKeysRegex": {
+          "$ref": "#/$defs/helm-values.config.excludeAnnotationKeysRegex"
+        },
+        "excludeLabelKeysRegex": {
+          "$ref": "#/$defs/helm-values.config.excludeLabelKeysRegex"
+        },
         "ignoredSecretTypes": {
           "$ref": "#/$defs/helm-values.config.ignoredSecretTypes"
         },
@@ -206,6 +212,17 @@
     },
     "helm-values.config.configmap.key": {},
     "helm-values.config.configmap.name": {},
+    "helm-values.config.excludeAnnotationKeysRegex": {
+      "default": [],
+      "description": "You can configure Venafi Kubernetes Agent to exclude some annotations or labels from being pushed to the Venafi Control Plane. All Kubernetes objects are affected. The objects are still pushed, but the specified annotations and labels are removed before being sent to the Venafi Control Plane.\n\nIf you would like to exclude annotations keys that contain the word\n`secret`, use the regular expression `.*secret.*`. The leading and ending .*\nare important if you want to filter out keys that contain `secret` anywhere in the key string.\n\nNote that the annotation `kubectl.kubernetes.io/last-applied-configuration` is already excluded by default, you don't need to exclude it explicitly.\n\nExample: excludeAnnotationKeysRegex: [\".*secret.*\"]",
+      "items": {},
+      "type": "array"
+    },
+    "helm-values.config.excludeLabelKeysRegex": {
+      "default": [],
+      "items": {},
+      "type": "array"
+    },
     "helm-values.config.ignoredSecretTypes": {
       "items": {
         "$ref": "#/$defs/helm-values.config.ignoredSecretTypes[0]"

deploy/charts/venafi-kubernetes-agent/values.yaml

@@ -238,6 +238,23 @@ config:
   - bootstrap.kubernetes.io/token
   - helm.sh/release.v1
 
+  # You can configure Venafi Kubernetes Agent to exclude some annotations or
+  # labels from being pushed to the Venafi Control Plane. All Kubernetes objects
+  # are affected. The objects are still pushed, but the specified annotations
+  # and labels are removed before being sent to the Venafi Control Plane.
+  #
+  # If you would like to exclude annotations keys that contain the word
+  # `secret`, use the regular expression `.*secret.*`. The leading and ending .*
+  # are important if you want to filter out keys that contain `secret` anywhere
+  # in the key string.
+  #
+  # Note that the annotation `kubectl.kubernetes.io/last-applied-configuration`
+  # is already excluded by default, you don't need to exclude it explicitly.
+  #
+  # Example: excludeAnnotationKeysRegex: [".*secret.*"]
+  excludeAnnotationKeysRegex: []
+  excludeLabelKeysRegex: []
+
   # Specify ConfigMap details to load config from an existing resource.
   # This should be blank by default unless you have you own config.
   configmap:

pkg/agent/config.go

@@ -5,6 +5,7 @@ import (
 	"io"
 	"net/url"
 	"os"
+	"regexp"
 	"time"
 
 	"github.com/go-logr/logr"
@@ -54,6 +55,12 @@ type Config struct {
 	InputPath string `yaml:"input-path"`
 	// For testing purposes.
 	OutputPath string `yaml:"output-path"`
+
+	// Skips annotation keys that match the given set of regular expressions.
+	// Example: ".*someprivateannotation.*".
+	ExcludeAnnotationKeysRegex []string `yaml:"exclude-annotation-keys-regex"`
+	// Skips label keys that match the given set of regular expressions.
+	ExcludeLabelKeysRegex []string `yaml:"exclude-label-keys-regex"`
 }
 
 type Endpoint struct {
@@ -339,7 +346,9 @@ type CombinedConfig struct {
 	VenConnNS   string
 
 	// VenafiCloudKeypair and VenafiCloudVenafiConnection modes only.
-	DisableCompression bool
+	DisableCompression         bool
+	ExcludeAnnotationKeysRegex []*regexp.Regexp
+	ExcludeLabelKeysRegex      []*regexp.Regexp
 
 	// Only used for testing purposes.
 	OutputPath string
@@ -585,6 +594,27 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 		res.DisableCompression = flags.DisableCompression
 	}
 
+	// Validation of the config fields exclude_annotation_keys_regex and
+	// exclude_label_keys_regex.
+	{
+		for i, regex := range cfg.ExcludeAnnotationKeysRegex {
+			r, err := regexp.Compile(regex)
+			if err != nil {
+				errs = multierror.Append(errs, fmt.Errorf("invalid exclude_annotation_keys_regex[%d]: %w", i, err))
+				continue
+			}
+			res.ExcludeAnnotationKeysRegex = append(res.ExcludeAnnotationKeysRegex, r)
+		}
+		for i, regex := range cfg.ExcludeLabelKeysRegex {
+			r, err := regexp.Compile(regex)
+			if err != nil {
+				errs = multierror.Append(errs, fmt.Errorf("invalid exclude_label_keys_regex[%d]: %w", i, err))
+				continue
+			}
+			res.ExcludeLabelKeysRegex = append(res.ExcludeLabelKeysRegex, r)
+		}
+	}
+
 	if errs != nil {
 		return CombinedConfig{}, nil, errs
 	}

pkg/agent/run.go

@@ -34,6 +34,7 @@ import (
 	"github.com/jetstack/preflight/api"
 	"github.com/jetstack/preflight/pkg/client"
 	"github.com/jetstack/preflight/pkg/datagatherer"
+	"github.com/jetstack/preflight/pkg/datagatherer/k8s"
 	"github.com/jetstack/preflight/pkg/kubeconfig"
 	"github.com/jetstack/preflight/pkg/logs"
 	"github.com/jetstack/preflight/pkg/version"
@@ -176,6 +177,12 @@ func Run(cmd *cobra.Command, args []string) (returnErr error) {
 			return fmt.Errorf("failed to instantiate %q data gatherer  %q: %v", kind, dgConfig.Name, err)
 		}
 
+		dynDg, isDynamicGatherer := newDg.(*k8s.DataGathererDynamic)
+		if isDynamicGatherer {
+			dynDg.ExcludeAnnotKeys = config.ExcludeAnnotationKeysRegex
+			dynDg.ExcludeLabelKeys = config.ExcludeLabelKeysRegex
+		}
+
 		log.V(logs.Debug).Info("Starting DataGatherer", "name", dgConfig.Name)
 
 		// start the data gatherers and wait for the cache sync

pkg/datagatherer/k8s/dynamic.go

@@ -3,6 +3,7 @@ package k8s
 import (
 	"context"
 	"fmt"
+	"regexp"
 	"strings"
 	"time"
 
@@ -260,6 +261,9 @@ type DataGathererDynamic struct {
 	// informer watches the events around the targeted resource and updates the cache
 	informer     k8scache.SharedIndexInformer
 	registration k8scache.ResourceEventHandlerRegistration
+
+	ExcludeAnnotKeys []*regexp.Regexp
+	ExcludeLabelKeys []*regexp.Regexp
 }
 
 // Run starts the dynamic data gatherer's informers for resource collection.
@@ -338,7 +342,7 @@ func (g *DataGathererDynamic) Fetch() (interface{}, int, error) {
 	}
 
 	// Redact Secret data
-	err := redactList(items)
+	err := redactList(items, g.ExcludeAnnotKeys, g.ExcludeLabelKeys)
 	if err != nil {
 		return nil, -1, errors.WithStack(err)
 	}
@@ -349,7 +353,7 @@ func (g *DataGathererDynamic) Fetch() (interface{}, int, error) {
 	return list, len(items), nil
 }
 
-func redactList(list []*api.GatheredResource) error {
+func redactList(list []*api.GatheredResource, excludeAnnotKeys, excludeLabelKeys []*regexp.Regexp) error {
 	for i := range list {
 		if item, ok := list[i].Resource.(*unstructured.Unstructured); ok {
 			// Determine the kind of items in case this is a generic 'mixed' list.
@@ -374,6 +378,43 @@ func redactList(list []*api.GatheredResource) error {
 
 			// remove managedFields from all resources
 			Redact(RedactFields, resource)
+
+			annotsRaw, ok, err := unstructured.NestedFieldNoCopy(resource.Object, "metadata", "annotations")
+			if err != nil {
+				return fmt.Errorf("wasn't able to find the metadata.annotations field: %w", err)
+			}
+			if ok {
+				annots, ok := annotsRaw.(map[string]interface{})
+				if !ok {
+					return fmt.Errorf("metadata.annotations isn't a map on the resource %s in namespace %s: %w", resource.GetName(), resource.GetNamespace(), err)
+				}
+				for key := range annots {
+					for _, excludeAnnotKey := range excludeAnnotKeys {
+						if excludeAnnotKey.MatchString(key) {
+							delete(annots, key)
+						}
+					}
+				}
+			}
+
+			labelsRaw, ok, err := unstructured.NestedFieldNoCopy(resource.Object, "metadata", "labels")
+			if err != nil {
+				return fmt.Errorf("wasn't able to find the metadata.labels field for the resource %s in namespace %s: %w", resource.GetName(), resource.GetNamespace(), err)
+			}
+			if ok {
+				labels, ok := labelsRaw.(map[string]interface{})
+				if !ok {
+					return fmt.Errorf("metadata.labels isn't a map on the resource %s in namespace %s: %w", resource.GetName(), resource.GetNamespace(), err)
+				}
+				for key := range labels {
+					for _, excludeLabelKey := range excludeLabelKeys {
+						if excludeLabelKey.MatchString(key) {
+							delete(labels, key)
+						}
+					}
+				}
+			}
+
 			continue
 		}
 
@@ -386,6 +427,24 @@ func redactList(list []*api.GatheredResource) error {
 			item.GetObjectMeta().SetManagedFields(nil)
 			delete(item.GetObjectMeta().GetAnnotations(), "kubectl.kubernetes.io/last-applied-configuration")
 
+			annots := item.GetObjectMeta().GetAnnotations()
+			for key := range annots {
+				for _, excludeAnnotKey := range excludeAnnotKeys {
+					if excludeAnnotKey.MatchString(key) {
+						delete(annots, key)
+					}
+				}
+			}
+
+			labels := item.GetObjectMeta().GetLabels()
+			for key := range labels {
+				for _, excludeLabelKey := range excludeLabelKeys {
+					if excludeLabelKey.MatchString(key) {
+						delete(labels, key)
+					}
+				}
+			}
+
 			resource := item.(runtime.Object)
 			gvks, _, err := scheme.Scheme.ObjectKinds(resource)
 			if err != nil {