Skip to content

About Discovery Agent data protection

Discovery Agent for Next-Gen Trust Security sends data to Next-Gen Trust Security for analysis based on a configuration file.

Default data collection

The default configuration gathers the following resources from a Kubernetes cluster:

  • admissionregistration.k8s.io/v1 Mutatingwebhookconfigurations
  • admissionregistration.k8s.io/v1 Validatingwebhookconfigurations
  • apps/v1 Daemonsets
  • apps/v1 Deployments
  • apps/v1 Statefulsets
  • awspca.cert-manager.io/v1beta1 Awspcaclusterissuers
  • awspca.cert-manager.io/v1beta1 Awspcaissuers
  • batch/v1 Cronjobs
  • batch/v1 Jobs
  • cas-issuer.jetstack.io/v1beta1 Googlecasclusterissuers
  • cas-issuer.jetstack.io/v1beta1 Googlecasissuers
  • cert-manager.io/v1 Certificaterequests
  • cert-manager.io/v1 Certificates
  • cert-manager.io/v1 Clusterissuers
  • cert-manager.io/v1 Issuers
  • cert-manager.k8s.cloudflare.com/v1 Clusteroriginissuers
  • cert-manager.k8s.cloudflare.com/v1 Originissuers
  • certmanager.freeipa.org/v1beta1 Clusterissuers
  • certmanager.freeipa.org/v1beta1 Issuers
  • certmanager.step.sm/v1beta1 Stepclusterissuers
  • certmanager.step.sm/v1beta1 Stepissuers
  • ejbca-issuer.keyfactor.com/v1alpha1 Clusterissuers
  • ejbca-issuer.keyfactor.com/v1alpha1 Issuers
  • firefly.venafi.com/v1 Issuers
  • jetstack.io/v1alpha1 Venaficlusterissuers
  • jetstack.io/v1alpha1 Venaficonnections
  • jetstack.io/v1alpha1 Venafiissuers
  • networking.istio.io/v1alpha3 Gateways
  • networking.istio.io/v1alpha3 Virtualservices
  • networking.k8s.io/v1 Ingresses
  • route.openshift.io/v1 Routes
  • v1 Namespaces
  • v1 Pods
  • v1 Secrets
  • v1 Services

Next-Gen Trust Security does not collect private keys from Kubernetes secrets. When collecting a secret:

  • If the secret is of type kubernetes.io/tls, all keys are removed except tls.crt and ca.crt. This allows Next-Gen Trust Security to check certificate properties without accessing the private key.
  • For all other secret types, all keys and values are removed.
  • For all resources, Next-Gen Trust Security removes the last-applied-configuration annotation because it can contain secret data.

Review the filtering implementation on GitHub.

RBAC access

Discovery Agent requires RBAC access to the resources it collects and cannot access anything outside its RBAC policy. You can review the default RBAC policy during installation; the built in Kubernetes "view" role is used alongside a custom role allowing permission to view Kubernetes custom resources.