-
Notifications
You must be signed in to change notification settings - Fork 17
/
Copy pathschema.json
214 lines (214 loc) · 10.9 KB
/
schema.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
{
"$schema": "http://json-schema.org/draft-07/schema",
"description": "This configuration defines the behaviour of the must-gather-clean CLI. The CLI helps to obfuscate and omit output from OpenShift debug information ('must-gathers'). You can find more information in our GitHub repository at https://github.com/openshift/must-gather-clean.",
"required": [
"config"
],
"title": "must-gather-clean configuration file schema",
"type": "object",
"properties": {
"config": {
"description": "There are two main sections, \"omit\" which defines the omission behaviour and \"obfuscate\" which defines the obfuscation behaviour.",
"required": [],
"title": "must-gather-clean omission and obfuscation definitions",
"type": "object",
"properties": {
"obfuscate": {
"description": "The obfuscation schema determines what is being detected and how it is being replaced. We ship with several built-in replacements for common types such as IP or MAC, Keywords and Regex. The replacements are done in order of the whole list, so you can define chains of replacements that built on top of one another - for example replacing a keyword and later matching its replacement with a regex. The input to the given replacements are always a line of text (string). Since file names and directories can also have private content in them, they are also processed as a line - exactly as they would with file content.",
"examples": [
[
{
"type": "IP",
"replacementType": "Consistent",
"target": "All"
},
{
"type": "MAC"
},
{
"type": "Domain",
"domainNames": ["rhcloud.com", "dev.rhcloud.com"]
},
{
"type": "Regex",
"target": "FilePath",
"regex": "release-4.10/ingress_controllers/*/haproxy.*"
},
{
"type": "Regex",
"target": "FileContents",
"regex": ".*ssl-min-ver TLSv1.2$"
},
{
"type": "Keywords",
"replacement": {
"hello": "bye",
"true": "false"
}
},
{
"type": "Keywords",
"target": "FilePath",
"replacement": {
"some_secret": "redacted"
}
}
]
],
"title": "Obfuscation Schema",
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/Definitions/obfuscate"
}
},
"omit": {
"type": "array",
"title": "Omission Schema",
"description": "The omission schema defines what kind of files shall not be included in the final must-gather. This can be seen as a filter and can operate on file paths or Kubernetes and OpenShift and other custom resources. Omissions are settled first in the process of obfuscating a must-gather, so its content won't be scanned and replaced.",
"examples": [
[
{
"type": "Kubernetes",
"kubernetesResource": {
"kind": "Secret"
}
},
{
"type": "Kubernetes",
"kubernetesResource": {
"kind": "ConfigMap",
"namespaces": [
"kube-system"
]
}
},
{
"type": "Kubernetes",
"kubernetesResource": {
"kind": "CertificateSigningRequest",
"apiVersion": "certificates.k8s.io/v1"
}
},
{
"type": "File",
"pattern": "*.log"
},
{
"type": "File",
"pattern": "release-4.10/ingress_controllers/*/haproxy.*"
},
{
"type": "File",
"pattern": "*/namespaces/openshift-sdn/pods/*/openvswitch/openvswitch/logs/current.log"
}
]
],
"additionalItems": true,
"items": {
"$ref": "#/Definitions/omit"
}
}
},
"additionalProperties": true
}
},
"Definitions": {
"obfuscate": {
"type": "object",
"required": [
"type"
],
"properties": {
"type": {
"type": "string",
"enum": [
"Domain",
"IP",
"Keywords",
"MAC",
"Regex"
],
"description": "type defines the kind of detection you want to use. For example IP will find IP addresses, whereas Keywords will find keywords defined in the 'replacement' mapping. Domain must be used in conjunction with the 'domainNames' property, that defines what domains should be obfuscated. MAC currently only supports static replacement where a detected mac address will be replaced by 'x'. Regex should be used with the 'regex' property that will define the regex, here the replacement also will be static by 'x'-ing out the matched string."
},
"domainNames": {
"description": "The list of domains and their subdomains which should be obfuscated in the output, only used with the type Domain obfuscator.",
"type": "array",
"items": {
"type": "string"
}
},
"target": {
"type": "string",
"default": "FileContents",
"enum": [
"FilePath",
"FileContents",
"All"
],
"description": "This determines if the obfuscation should be performed on the file path (relative path from the must-gather root folder) or on the file contents. The file contents are obfuscated by default."
},
"replacementType": {
"type": "string",
"default": "Static",
"enum": [
"Consistent",
"Static"
],
"description": "This defines how the detected string will be replaced. Type 'Consistent' will guarantee the same input will always create the same output string. 'Static' is used by default and will just try to mask the matching input."
},
"replacement": {
"type": "object",
"additionalProperties": {
"type": "string"
},
"description": "on replacement 'Keywords', this will override a given input string with another output string. On duplicate keys it will use the last defined value as replacement. The input values are matched in a case-sensitive fashion and only as a full words, substrings must be matched using a regex."
},
"regex": {
"type": "string",
"description": "when replacementType 'Regex' is used, the supplied Golang regexp (https://pkg.go.dev/regexp) will be used to detect the string that should be replaced. The regex is line based, spanning multi-line regex statements is not supported."
}
}
},
"omit": {
"type": "object",
"required": [
"type"
],
"properties": {
"type": {
"type": "string",
"enum": [
"Kubernetes",
"File",
"SymbolicLink"
]
},
"kubernetesResource": {
"type": "object",
"properties": {
"apiVersion": {
"type": "string",
"description": "This defines the apiVersion of the kubernetes resource. That can be used to further refine specific versions of a resource that should be omitted."
},
"kind": {
"type": "string",
"description": "This defines the kind of kubernetes resource that should be omitted. This can be further specified with the apiVersion and namespaces."
},
"namespaces": {
"type": "array",
"items": {
"type": "string"
},
"description": "This defines the namespaces which are supposed to be omitted. When used together with kind and apiVersions, it becomes a filter. Standalone it will be used as a filter for all resources in a given namespace."
}
}
},
"pattern": {
"type": "string",
"description": "A file glob pattern on file paths relative to the must-gather root. The pattern should be as described in https://pkg.go.dev/path/filepath#Match"
}
}
}
}
}