Privacy and Security

Robusta was designed with security in mind. Our four guiding security principles are:

  1. Less is more: Don't send mountains of observability data when small subsets of the right data will do.

  2. Secure by default, configurable if necessary: Do the right thing for most companies by default. Make it easy for companies with stricter compliance needs to lock-down Robusta further or run it on-prem.

  3. Design for security: Secure systems are designed to be secure from day one. Discuss security when planning new features.

  4. Experience matters: Hire engineers who have built secure enterprise platforms before. Make security a core part of company culture.

Data Privacy

The Robusta Open Source doesn't store persistent information itself. Information is sent to destinations (sinks) like Slack or MSTeams, and they are responsible for storing it.

By default, the following data is sent to sinks. It can be customized if necessary.

  • Prometheus alerts

  • Alert enrichments, or insights. (Example: an alert for high memory usage will include a memory graph.)

  • Technical events from Kubernetes itself. (Example: notifications on crashing pods, K8s warning events.)

  • Logs from unhealthy pods. (Note: Robusta does not gather logs continuously, rather only from crashing or misbehaving pods.)

SaaS UI

When the Robusta SaaS platform is enabled (optional), it receives the above data, as well as metadata about nodes and workloads in your cluster. This is used, for example, to show you when deployments were updated and what YAML fields changed.

All data in the SaaS platform is encrypted at rest and stored in accordance with industry standards.

If necessary, the SaaS UI can be run on-prem as part of our paid plans. Contact support@robusta.dev for details.

Running Robusta in Airgapped Environments

Refer to Deploying Behind Proxies.

To run the Robusta UI on premise, speak to our team.

Handling Secrets in Robusta's Helm Values

Refer to Managing Secrets.

Censoring Sensitive Data

Pod logs gathered by Robusta can be censored using Python regular expressions. For example, a payment processing pod might have credit card numbers or other sensitive information in its logs. These can be automatically sanitized before they appear in notifications.

How to Enable Log Censoring for All Logs

To censor sensitive information in all logs, add the following to your Helm values file:

globalConfig:
  regex_replacement_style: SAME_LENGTH_ASTERISKS  # Alternative: NAMED
  regex_replacer_patterns:
    - name: CreditCard
      regex: "[0-9]{4}[- ][0-9]{4}[- ][0-9]{4}[- ][0-9]{4}"
    - name: Email
      regex: "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
    - name: UUID
      regex: "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

After adding these values, perform a Helm upgrade:

helm upgrade robusta robusta/robusta -f values.yaml

Example: Before and After Censoring

Given the following pod log:

# Original pod log:
2022-07-28 08:24:45.283 INFO     user's uuid: '193836d9-9cce-4df9-a454-c2edcf2e80e5'
2022-07-28 08:35:00.762 INFO     Customer email: user@example.com
2022-07-28 08:35:01.090 INFO     Payment processed with card: 4111-1111-1111-1111

The censored output will appear as:

# Using SAME_LENGTH_ASTERISKS style:
2022-07-28 08:24:45.283 INFO     user's uuid: '************************************'
2022-07-28 08:35:00.762 INFO     Customer email: ****************
2022-07-28 08:35:01.090 INFO     Payment processed with card: *******************

# Using NAMED style:
2022-07-28 08:24:45.283 INFO     user's uuid: '[UUID]'
2022-07-28 08:35:00.762 INFO     Customer email: [Email]
2022-07-28 08:35:01.090 INFO     Payment processed with card: [CreditCard]

Note: This censoring applies to logs displayed in Robusta's built-in notifications, including those shown by the following Robusta actions:

  • logs_enricher - Shows container logs in various alerts

  • report_crash_loop - Shows container logs for crashing pods

Limiting Robusta's Access in Your Cluster

To reduce the permissions that Robusta needs in your cluster:

  1. Set monitorHelmReleases: false in Robusta's Helm values file. (Monitoring helm releases is an optional feature that requires granting Robusta access to K8s secrets containing helm metadata.)

  2. On OpenShift you can deploy Robusta with a limited SCC - refer to OpenShift

To further limit Robusta's permissions, speak to our team for guidance.