Venafi Kubernetes Agent data protection
The Venafi Kubernetes Agent gathers data from a Kubernetes cluster and sends it to the Venafi Control Plane backend for analysis. The agent's configuration file defines which data the agent sends to the Venafi Control Plane backend.
Data gathered by default
The default agent configuration (which you can review and modify during installation) gathers the following data from a Kubernetes cluster:
- Pods
- Services
- ReplicaSets
- Deployments
- Ingresses
- Certificates
- CertificateRequests
- Secrets
Venafi Control Plane doesn't collect private keys from Kubernetes secrets. When collecting a secret, the following steps are taken:
- If the secret is of type kubernetes.io/tls, all keys are removed except tls.crt and ca.crt. This allows TLS Protect for Kubernetes to check the properties of certificates without access to the private key (tls.key).
- If the secret is of any other type, all keys and values of the secret are removed.
For all resources, Venafi Control Plane removes the annotation kubectl.kubernetes.io/last-applied-configuration, because kubectl stores the entire last-applied manifest in it, which can include secret data.
You can review the code that implements this on GitHub.
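The following is an added example, not the agent's own code, that implements the redaction steps described above over a Secret in the unstructured JSON form returned by the Kubernetes API: keep only tls.crt and ca.crt for a kubernetes.io/tls secret, drop all data for any other type, and strip the kubectl last-applied-configuration annotation from the metadata. The two sample secrets are constructed for the example; the function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Keys kept in .data for secrets of type kubernetes.io/tls: the public
// certificate chain and the CA bundle, never the private key (tls.key).
var tlsKeepKeys = map[string]bool{"tls.crt": true, "ca.crt": true}

// Annotation dropped from every resource: kubectl stores the whole
// last-applied manifest in it, including any secret data it contained.
const lastAppliedAnnotation = "kubectl.kubernetes.io/last-applied-configuration"

// redactSecret applies the documented data-protection steps to one Secret
// and returns a new object, leaving the caller's input untouched.
func redactSecret(secret map[string]any) map[string]any {
	out := make(map[string]any, len(secret))
	for k, v := range secret {
		out[k] = v
	}

	data, _ := secret["data"].(map[string]any)
	kept := map[string]any{}
	if secret["type"] == "kubernetes.io/tls" {
		for k, v := range data {
			if tlsKeepKeys[k] {
				kept[k] = v
			}
		}
	}
	// Any other secret type loses all of its keys and values.
	out["data"] = kept
	delete(out, "stringData") // plaintext form of data is never forwarded either

	out["metadata"] = stripLastApplied(secret["metadata"])
	return out
}

// stripLastApplied removes the last-applied-configuration annotation from a
// resource's metadata, copying the maps so the original is not mutated.
func stripLastApplied(metadata any) any {
	md, ok := metadata.(map[string]any)
	if !ok {
		return metadata
	}
	outMd := make(map[string]any, len(md))
	for k, v := range md {
		outMd[k] = v
	}
	if ann, ok := md["annotations"].(map[string]any); ok {
		outAnn := make(map[string]any, len(ann))
		for k, v := range ann {
			if k != lastAppliedAnnotation {
				outAnn[k] = v
			}
		}
		outMd["annotations"] = outAnn
	}
	return outMd
}

// redactSecretJSON is a convenience wrapper for raw API JSON.
func redactSecretJSON(raw []byte) (map[string]any, error) {
	var secret map[string]any
	if err := json.Unmarshal(raw, &secret); err != nil {
		return nil, err
	}
	return redactSecret(secret), nil
}

// Constructed sample: a TLS secret whose last-applied annotation also
// embeds the private key, as kubectl apply would leave behind.
const sampleTLSSecret = `{
  "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
  "metadata": {"name": "web-tls", "namespace": "prod",
    "annotations": {
      "kubectl.kubernetes.io/last-applied-configuration": "{\"data\":{\"tls.key\":\"LS0t...\"}}",
      "cert-manager.io/issuer-name": "letsencrypt"}},
  "data": {"tls.crt": "Q0VSVA==", "tls.key": "S0VZ", "ca.crt": "Q0E="}
}`

// Constructed sample: an Opaque secret, which must lose all of its data,
// including a key that merely happens to be named tls.crt.
const sampleOpaqueSecret = `{
  "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
  "metadata": {"name": "db-creds", "namespace": "prod"},
  "data": {"password": "aHVudGVyMg==", "tls.crt": "bm90LWEtY2VydA=="}
}`

func main() {
	for _, raw := range []string{sampleTLSSecret, sampleOpaqueSecret} {
		redacted, err := redactSecretJSON([]byte(raw))
		if err != nil {
			panic(err)
		}
		b, _ := json.MarshalIndent(redacted, "", "  ")
		fmt.Println(string(b))
	}
}
```

Running it prints the two redacted objects: the TLS secret keeps tls.crt, ca.crt, its name, namespace and the cert-manager annotation, while tls.key and the last-applied annotation are gone; the Opaque secret keeps only its metadata with an empty data map. Redaction happens before anything leaves the cluster, so the check worth adding in a real deployment is that the agent's outbound payload, not just its in-memory object, never contains tls.key.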
As part of the installation process, the agent needs RBAC access to the resources that it collects. It can't access anything that the RBAC policy doesn't grant it access to. You can review the default RBAC policy during installation.
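As an added illustration, not the chart's own manifest, this is what a least-privilege ClusterRole scoped to exactly the default resource list above looks like. The read-only verbs get, list and watch are assumed to be what the agent needs to enumerate and follow those resources, and the role name and the bound service account are placeholders; compare it against the policy shown during installation and remove any rule for a resource you have dropped from the agent's configuration.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: venafi-kubernetes-agent-readonly   # placeholder name
rules:
  # Core resources collected by default; read-only verbs only, no create/update/delete.
  - apiGroups: [""]
    resources: ["pods", "services", "secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["replicasets", "deployments"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # cert-manager resources.
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: venafi-kubernetes-agent-readonly   # placeholder name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: venafi-kubernetes-agent-readonly
subjects:
  - kind: ServiceAccount
    name: venafi-kubernetes-agent          # placeholder service account
    namespace: venafi                      # placeholder namespace
```

After applying, you can confirm the effective permissions with kubectl auth can-i --list --as=system:serviceaccount:venafi:venafi-kubernetes-agent (substituting your namespace and service account): the output should list only get/list/watch on the resources above, and nothing on anything else.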
You can also configure the agent to collect data from GKE (Google Kubernetes Engine). Google Cloud IAM controls which data the agent can read there, so it can't access any data that its IAM permissions don't grant. If configured to collect data from GKE, the agent collects the GKE cluster configuration data.