Kubernetes Operator that auto-injects a distroless sidecar to redact PII and secrets from pod logs using Shannon entropy analysis and deterministic regex.
Key Takeaways
Two deployment modes: a zero-code K8s Operator with mutating webhook sidecar injection, and an in-process WASM module for sub-1ms latency without network hops.
Entropy-based detection flags high-entropy strings (threshold 3.6 Shannon bits) even without known key names; custom regex rules override for deterministic 100% compliance on known patterns.
Redaction is deterministic via HMAC hashing, replacing secrets with [HIDDEN:a1b2c] tokens so QA can correlate errors without raw data exposure.
v2.0.0 drops Kustomize and shell access inside the sidecar, moving fully to Helm and distroless native sidecars (requires K8s 1.28+).
Claimed throughput: >100k lines/s for text logs, ~7MB/s for JSON with zero-allocation manual parsing and O(1) regex matching.
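The entropy and HMAC takeaways above can be seen working together in a short Python sketch. This is an added example, not the project's own code: the rule list, the minimum token length, the demo key and the log lines are all assumptions constructed for illustration.

```python
import hashlib, hmac, math, re
from collections import Counter

ENTROPY_THRESHOLD = 3.6  # bits per character, the threshold quoted above
# Assumption: minimum candidate length. An n-character string has at most
# log2(n) bits, so anything of 12 characters or fewer can never reach 3.6.
MIN_TOKEN_LEN = 16
HMAC_KEY = b"constructed-demo-key"  # assumption: a managed secret in practice

# Assumption: illustrative deterministic rules, applied before entropy.
RULES = [
    re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),  # e-mail address
    re.compile(r"(?i)(?<=password=)\S+"),          # value after password=
]
CANDIDATE = re.compile(r"[A-Za-z0-9+/_-]{%d,}" % MIN_TOKEN_LEN)

def shannon_entropy(s):
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def mask(secret):
    """Keyed, deterministic label: the same input always gets the same token."""
    digest = hmac.new(HMAC_KEY, secret.encode(), hashlib.sha256).hexdigest()
    return "[HIDDEN:%s]" % digest[:5]  # 5 hex chars, as in [HIDDEN:a1b2c]

def redact(line):
    """Apply the deterministic rules first, then the entropy check."""
    for rule in RULES:
        line = rule.sub(lambda m: mask(m.group(0)), line)
    def by_entropy(m):
        tok = m.group(0)
        return mask(tok) if shannon_entropy(tok) >= ENTROPY_THRESHOLD else tok
    return CANDIDATE.sub(by_entropy, line)

if __name__ == "__main__":
    sample = [  # constructed log lines
        'level=error msg="auth failed" token=q7Zp2LxV9cR4tYb8NwK3mHs6 user=alice@example.com',
        'level=info msg="retrying" token=q7Zp2LxV9cR4tYb8NwK3mHs6',
        'level=info msg="batch done" request_id=0000000000000017',
    ]
    for line in sample:
        print(redact(line))
```

Truncating the HMAC to five hex characters leaves about a million distinct labels, so two different secrets can occasionally share a token; treat a match as a correlation hint, not proof of identity.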