Considerations

Before enabling pii masking, please note the following:
  • This action masks span attribute values by replacing only the sensitive portions with ****, while leaving the rest of the value intact.
  • The regex used for masking are predefined for each PII category and cannot be configured.
  • Currently, only trace signals are supported.
  • All span attribute values in every span will be examined and masked accordingly.

Use Cases

Security
  • By default, OpenTelemetry should not record PII (Personally Identifiable Information) or sensitive data such as passwords, api tokens, etc. However, if the data is accidentally added to the telemetry signals, or if a manual instrumentation recorded it into an attribute, this action can be used to mask such data.
Legal and Compliance
  • Ensure compliance with legal and privacy.
    • Payment Card Industry (PCI) Data Security Standards prohibit logging certain things or storing them unencrypted.

Configuration Options

The PiiMasking action is configured using the odigos.io/v1alpha1.Action CRD with the piiMasking configuration section.

Basic Example

The following example demonstrates how to configure the Pii Masking action to mask Visa and MasterCard credit card numbers from span attribute values using the new Action CRD.
1

Create a YAML file with the following content:
pii-masking.yaml
apiVersion: odigos.io/v1alpha1
kind: Action
metadata:
  name: pii-masking
  namespace: odigos-system
spec:
  actionName: PII Masking
  signals:
    - TRACES
  piiMasking:
    piiCategories:
      - CREDIT_CARD
2

Apply the action to the cluster:
kubectl apply -f pii-masking.yaml