tsb-sentinel-telemetry.yaml
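---
# TSB TelemetrySetting for tenant devsecops / workspace security-ops.
# Three concerns: (1) Envoy access logs as JSON on stdout, (2) a per-request
# call-out to a Sentinel ingest service that fails closed, (3) Prometheus
# metrics carrying a threat_detected tag.
# NOTE(review): indentation was reconstructed from a flattened listing; the
# nesting of `match`, `filter`, `metrics` and `tags` under `spec` should be
# confirmed against the TelemetrySetting schema before applying.
apiVersion: telemetry.tsb.tetrate.io/v2
kind: TelemetrySetting
metadata:
  name: sentinel-log-export
  tenant: devsecops
  workspace: security-ops
spec:
  # Export Envoy access logs to Sentinel AI
  accessLogging:
    - providers:
        - name: envoy-sentinel-file-log
          file:
            path: /dev/stdout
            # One JSON object per request. Every field is quoted, so all
            # values reach the sink as strings (response_code, byte counts
            # and duration included); the consumer must cast them.
            # NOTE(review): `request_path` carries the full path including
            # any query string, and `jwt_claims` emits the entire decoded
            # JWT payload; both can contain tokens or PII (sub, email, ...).
            # Prefer logging only the claims Sentinel actually needs, and
            # confirm the retention and access controls of the stdout sink.
            format: |
              {
                "timestamp": "%START_TIME%",
                "source_workload": "%SOURCE_WORKLOAD%",
                "source_namespace": "%SOURCE_NAMESPACE%",
                "destination_workload": "%DESTINATION_WORKLOAD%",
                "destination_namespace": "%DESTINATION_NAMESPACE%",
                "response_code": "%RESPONSE_CODE%",
                "request_path": "%REQ(:PATH)%",
                "request_method": "%REQ(:METHOD)%",
                "request_size": "%BYTES_RECEIVED%",
                "response_size": "%BYTES_SENT%",
                "duration": "%DURATION%",
                "mtls": "%DOWNSTREAM_PEER_URI_SAN%",
                "user_agent": "%REQ(USER-AGENT)%",
                "jwt_claims": "%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:payload)%"
              }
      # Log both the client-side and the server-side view of each request.
      match:
        - mode: CLIENT_AND_SERVER

  # Send to Sentinel via WASM extension or external service
  filter:
    providers:
      - name: sentinel-webhook
        wasm:
          # In-cluster DNS name; whether this hop is TLS/mTLS-protected is
          # not visible here — confirm, since request metadata is sent on it.
          service: sentinel-ai.sentinel-ns.svc.cluster.local
          port: 3000
          path: /api/tetrate/ingest
          # With fail_open=false, a Sentinel outage means each request waits
          # up to this timeout and is then rejected: Sentinel availability
          # becomes a hard dependency of all matched traffic.
          timeout: 5s
          # NOTE(review): snake_case key among camelCase siblings
          # (accessLogging, valueFrom) — confirm the schema accepts it.
          fail_open: false # Block traffic if Sentinel is down (fail secure)

  # Metrics export for anomaly detection
  metrics:
    - providers:
        - name: sentinel-prometheus
          prometheus:
            port: 9090
      tags:
        - name: threat_detected
          valueFrom:
            # Quoted on purpose: the tag value is a string, not a boolean.
            # NOTE(review): a `literal` is static in this resource; how
            # Sentinel "updates" it (re-applying the resource?) is not
            # shown here — confirm.
            literal: "false" # Sentinel updates this via API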