From 95dfdb40aaff52b8cd72d2c91ee755d274780a3a Mon Sep 17 00:00:00 2001
From: Paolo Polidori <paolo.polidori@sysdig.com>
Date: Tue, 15 Jul 2025 09:47:32 +0200
Subject: [PATCH] feat(integrations/pub-sub): narrower default filter

---
 modules/integrations/pub-sub/variables.tf | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/modules/integrations/pub-sub/variables.tf b/modules/integrations/pub-sub/variables.tf
index e490efa..40334bd 100644
--- a/modules/integrations/pub-sub/variables.tf
+++ b/modules/integrations/pub-sub/variables.tf
@@ -88,7 +88,28 @@ variable "exclude_logs_filter" {
     filter      = string,
     disabled    = optional(bool)
   }))
-  default = []
+  default = [
+    {
+      name        = "system_principals"
+      description = "Exclude system principals"
+      filter      = "protoPayload.authenticationInfo.principalEmail=~\"^system\\:.*\" AND (protoPayload.authenticationInfo.principalEmail!~\"^system\\:(anonymous|serviceaccount)*\" OR protoPayload.authenticationInfo.principalEmail=~\"^system\\:serviceaccount\\:kube-system\")"
+    },
+    {
+      name        = "k8s_audit"
+      description = "Exclude logs from the clusters control planes"
+      filter      = "protoPayload.methodName=~\"^(io\\.k8s|io\\.traefik|us\\.containo|io\\.x-k8s|io\\.gke|org\\.projectcalico|io\\.openshift|io\\.istio)\" AND protoPayload.methodName!~\"secret\""
+    },
+    {
+      name        = "ciulium_control_plane"
+      description = "Exclude operations on Cilium"
+      filter      = "protoPayload.methodName=~\"^io\\.cilium\" AND protoPayload.methodName!~\"identitites\""
+    },
+    {
+      name        = "monitoring_queries"
+      description = "Exclude monitoring queries"
+      filter      = "protoPayload.methodName=~\"^com\\.coreos\""
+    }
+  ]
 }
 
 variable "ingestion_sink_filter" {