-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
wip: Establish Security section for OTel documentation #3652
Conversation
content/en/docs/security/otel-collector-configuration-best-practices.md
Outdated
Show resolved
Hide resolved
extensions are similar to receivers and exporters so the same security | ||
considerations apply. | ||
|
||
### Observers [component developers?] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Am not familiar with Observers. Is this content related to component developers? If so, I can remove it from this PR for end users.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is for end-users. Perhaps an example would be useful here, for users to understand what they can do with observers.
Here's one such example, where a redis receiver is created if a redis pod is found on a Kubernetes cluster:
cc @rmfitzpatrick , @dmitryax
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Amended the header here, since Observers are for end-users. 👍
An example here would be good to have. Still need to incorporate what you shared, @jpkrohling, but I appreciate the resource you shared!
content/en/docs/security/otel-collector-configuration-best-practices.md
Outdated
Show resolved
Hide resolved
connection established SHOULD be over a secure and authenticated channel. | ||
- Unused receivers and exporters SHOULD be disabled to minimize the attack | ||
vector of the Collector. | ||
- Receivers and Exporters MAY expose buffer, queue, payload, and/or worker |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has a mixed audience: the first sentence targets component developers, then it proceeds with advice for users. I would rewrite as:
Some receivers and exporters might allow you tweak internal queues, buffers, and other parameters. Experiment with these values, but remember that values that are too wide (such as a large queue number) might mean that the Collector will attempt to use more memory than a setting with a smaller value.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you, @jpkrohling! For values that are too wide, rather than:
remember that values that are too wide (such as a large queue number) might mean that the Collector will attempt to use more memory than a setting with a smaller value.
Would it be more accurate to describe as:
remember that if the values are too wide, such as a large queue number, then the OTel Collector may use more memory than necessary, compared to using a setting with a smaller value.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jpkrohling Circling back to ask your feedback on the above ^
Improperly setting these values may expose the OpenTelemetry Collector to | ||
additional attack vectors including resource exhaustion. | ||
|
||
It is possible that a receiver MAY require the OpenTelemetry Collector run in a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would remove this if we don't have any such component today.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we ask a specific person or team for confirmation about this assertion? (This sentence is located in the inspiration document here:https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/security-best-practices.md?plain=1#L124 )
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jpkrohling Circling back to ask if there's an answer for the above-mentioned question?
content/en/docs/security/otel-collector-configuration-best-practices.md
Outdated
Show resolved
Hide resolved
content/en/docs/security/otel-collector-configuration-best-practices.md
Outdated
Show resolved
Hide resolved
data to a third-party backend. The OpenTelemetry Collector **SHOULD** be | ||
configured to obfuscate or scrub sensitive data before exporting. | ||
|
||
<!--- TODO: SHOULD configure obfuscation/scrubbing of sensitive metadata. How? Give more details and/or link to an existing document --> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The transform processor is the best one for this use case nowadays: https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/processor/transformprocessor
content/en/docs/security/otel-collector-configuration-best-practices.md
Outdated
Show resolved
Hide resolved
extensions are similar to receivers and exporters so the same security | ||
considerations apply. | ||
|
||
### Observers [component developers?] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is for end-users. Perhaps an example would be useful here, for users to understand what they can do with observers.
Here's one such example, where a redis receiver is created if a redis pod is found on a Kubernetes cluster:
cc @rmfitzpatrick , @dmitryax
content/en/docs/security/otel-collector-configuration-best-practices.md
Outdated
Show resolved
Hide resolved
## Permissions | ||
|
||
<!--- TODO: SHOULD not run the OpenTelemetry Collector as root/admin user. Why? (Give the reader motivation.) How do you do that? | ||
- NOTE: MAY require privileged access for some components --> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The Collector SHOULD NOT require privileged access, except where the data it's obtaining is in a privileged location. For instance, in order to get pod logs by mounting a node volume, the Collector daemonset needs enough privileges to get that data.
The rule of least privilege applies here.
|
||
## Receivers and Exporters | ||
|
||
<!--- TODO: SHOULD limit exposure of servers to authorized users. How do you do that? --> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Authentication (bearer token auth extension, basic auth extension)
- By restricting the IPs the collector is running
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Initial drive-by comments.
content/en/docs/security/otel-collector-configuration-best-practices.md
Outdated
Show resolved
Hide resolved
Thinking about the "where to put this" once again: We now have established
I think we should go for option (2) but at the same time add a "Practices" page under /docs/security/practices that will list collector (and later other components as well) and link back to the component specific security, wdyt? |
Thinking out "loud", there are two moments I'm concerned about security for my collector:
For the first situation, I'd prefer the security documentation to be close to the getting started, so that I can have an idea whether the collector satisfies my security needs. During the second situation, I think I'd prefer it close to the collector documentation again, as I probably don't care about the security aspects of the SDK or other parts. In summary: I'm with you that placing it closer to the collector makes sense, as long as there's a reference to it from within the /security pages. |
I vote put it in the collector docs and agree we can link out to it |
@svrnm My question is why not have the content in both locations? (This may not be possible with the functionality/architecture of the OTel docs site, but I still ask the question.) I agree that when setting up the OTel Collector, information on securing your OTel Collector is very relevant and should exist within the OTel Collector documentation. In the original vision by establishing this Security section, we're also:
|
We can certainly do this (somehow), but this often comes with some additional questions: is this a redirect (so people go from /security to /collector), is it just the same content presented at 2 places, what is the point where this list outgrows that (I assume that we eventually will have security best practices across the docs). To make it short: yes, we can do that, but we might reconsider it eventually.
This seems to be untouched by the decision where this content lives. Even if we have it only in the collector section I would want to have a /security/practices page that gives a general overview and then links out to relevant pages like the collector security pages. |
When setting up the OpenTelemetry (OTel) Collector, consider implementing | ||
security best practices in both your hosting infrastructure and your OTel | ||
Collector configuration. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we explain briefly in the intro what's at stake here? Why should someone care about securing the OpenTelemetry Collector? Is it a painful process? What knowledge is required?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You ask great questions @theletterf! If you have the answers, I'm happy to put them in this document. I defer to the SMEs to answer these questions otherwise. At the very least, I will file issues if these questions aren't answered or incorporated by the time we merge this PR.
content/en/docs/security/otel-collector-configuration-best-practices.md
Outdated
Show resolved
Hide resolved
content/en/docs/security/otel-collector-configuration-best-practices.md
Outdated
Show resolved
Hide resolved
content/en/docs/security/otel-collector-configuration-best-practices.md
Outdated
Show resolved
Hide resolved
content/en/docs/security/otel-collector-configuration-best-practices.md
Outdated
Show resolved
Hide resolved
|
||
<!--- TODO: SHOULD configure obfuscation/scrubbing of sensitive metadata. How? Give more details and/or link to an existing document --> | ||
|
||
Use OpenTelemetry Collector's `redaction` processor to scrub sensitive data. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd remove this line or provide an example in a subsection.
extension are only accessibly locally to the OpenTelemetry Collector. Care | ||
should be taken when configuring these extensions for remote access as sensitive | ||
information may be exposed as a result. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
extension are only accessibly locally to the OpenTelemetry Collector. Care | |
should be taken when configuring these extensions for remote access as sensitive | |
information may be exposed as a result. | |
extension are only accessibly locally to the OpenTelemetry Collector. Take | |
care to protect access to sensitive information when configuring these | |
extensions, as they might expose it accidentally. |
An observer is capable of performing service discovery of endpoints. Other | ||
components of the OpenTelemetry Collector such as receivers MAY subscribe to | ||
these extensions to be notified of endpoints coming or going. Observers MAY | ||
require certain permissions in order to perform service discovery. For example, | ||
the `k8s_observer` requires certain RBAC permissions in Kubernetes, while the | ||
`host_observer` requires the OpenTelemetry Collector to run in privileged mode. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An observer is capable of performing service discovery of endpoints. Other | |
components of the OpenTelemetry Collector such as receivers MAY subscribe to | |
these extensions to be notified of endpoints coming or going. Observers MAY | |
require certain permissions in order to perform service discovery. For example, | |
the `k8s_observer` requires certain RBAC permissions in Kubernetes, while the | |
`host_observer` requires the OpenTelemetry Collector to run in privileged mode. | |
An observer is a component that discovers services in endpoints. Other | |
components of the OpenTelemetry Collector such as receivers can subscribe to | |
these extensions to be notified of endpoints coming or going. | |
Observers might require certain permissions in order to discover services. | |
For example, the `k8s_observer` requires certain RBAC permissions in | |
Kubernetes, while the `host_observer` observer requires to run the | |
OpenTelemetry Collector in privileged mode. |
content/en/docs/security/otel-collector-hosting-best-practices.md
Outdated
Show resolved
Hide resolved
@mjingle Thanks SO much for starting this. This is necessary. Hope you'll find my suggestions useful. |
@mjingle any updates on this issue? Anything we can do to help you proceed? |
@mjingle any updates for this PR? |
3db862b
to
af5f0fa
Compare
All: I've rebased & resolved conflicts so that we can get a fresher view of this addition in the context of the updated website -- a lot has changed since this was submitted! :) |
…ions for OTel Collector Signed-off-by: Mary Jinglewski <[email protected]>
Signed-off-by: Mary Jinglewski <[email protected]>
Signed-off-by: Mary Jinglewski <[email protected]>
Signed-off-by: Mary Jinglewski <[email protected]>
Signed-off-by: Mary Jinglewski <[email protected]>
Co-authored-by: Patrice Chalin <[email protected]> Co-authored-by: Juraci Paixão Kröhling <[email protected]>
22ad4b3
to
cb4468a
Compare
…ions for OTel Collector Signed-off-by: Mary Jinglewski <[email protected]>
Signed-off-by: Mary Jinglewski <[email protected]>
Signed-off-by: Mary Jinglewski <[email protected]>
Signed-off-by: Mary Jinglewski <[email protected]>
Signed-off-by: Mary Jinglewski <[email protected]>
Signed-off-by: Mary Jinglewski <[email protected]>
Signed-off-by: Mary Jinglewski <[email protected]>
@mjingle LMK if you need to discuss the draft or need more direct support — my comments are not meant to be blockers. Would be happy to commit to your fork if you want. |
Closing old PR (and some unfortunate conflicts, too) |
OpenTelemetry (OTel) currently does not have public documentation on security recommendations. A markdown file in the OpenTelemetry Collector repository (linked below) does address some concerns, but is not easily findable by end users.
The goal of this PR is to establish hosting and configuration security recommendations for OTel Collector end users within the OpenTelemetry public documentation site. While the inspiration document contains both end-user and Component Developer security recommendations, this public documentation adapts the existing content focused on end users and links back to the inspiration document for Component Developers.
NOTE: The inspiration document also does not cover topics in detail and I need help filling in those blanks. Refer to any
<!-- TODO: -->
within the files that indicates knowledge gaps. From there, the page content can be re-organized, given the available information.This PR adds:
This proposed structure tries to be flexible for future Security content pages to be added. (Additional content doesn't have to focus on OTel Collector. Other Security-related areas in OTel can be addressed also, but that's not within the scope of this PR.)
Identified Areas of Potential Help
I already know this PR needs some extra help and this is my first time contributing a PR to this project. These include:
Source Materials
https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/security-best-practices.md
Associated Issues
Initial issue: #3479
Related issue: #3227
Preview: https://deploy-preview-3652--opentelemetry.netlify.app/docs/security/