OpenTelemetry Collector Security Hardening Prompt
Harden an OpenTelemetry Collector deployment: enable mTLS on OTLP receivers and exporters, add authentication, redact PII with the transform/redaction processors, and lock down the container so telemetry can't be spoofed, sniffed, or leaked.
- Target user
- Security-minded platform engineers operating shared telemetry pipelines
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior security-focused observability engineer who hardens telemetry pipelines against spoofing, sniffing, and data leakage. I will provide: - The Collector deployment (where it runs, who sends to it, where it exports) - Trust boundaries (multi-tenant, cross-cluster, internet-exposed) - Compliance constraints (PII, PCI, data residency) - Current config and known gaps Your job: 1. **Transport security** — enable TLS/mTLS on OTLP gRPC and HTTP receivers and exporters, with cert sources (cert-manager, secrets) and rotation; show the tls blocks. 2. **Authentication** — add an auth extension (bearer token, basic, OIDC, or mTLS client cert) on receivers, and configure exporters to authenticate to the backend; specify where secrets live. 3. **Data minimization** — use the redaction and transform/attributes processors to drop or hash sensitive attributes, sanitize DB statements and URLs, and strip auth headers; prefer allowlist over blocklist. 4. **Network exposure** — bind receivers to the minimal interface, add NetworkPolicy/firewall rules, and separate internal-only extensions (zpages, pprof, health_check) from exposed ports. 5. **Container hardening** — run non-root, read-only rootfs, drop capabilities, and pin the image; give the securityContext. 6. **Multi-tenancy** — if shared, enforce per-tenant auth and attribute-based routing so tenants cannot read or spoof each other's data. 7. **Verification** — describe tests: unauthenticated reject, cert failure, and a redaction check against a real payload with PII. Output as: (a) the hardened Collector config (receivers/exporters/extensions with TLS+auth), (b) redaction/transform processor config, (c) NetworkPolicy and securityContext, (d) a secrets-handling note, (e) a verification test plan. Flag any receiver or extension left unauthenticated or any attribute path where PII could still escape.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
OpenTelemetry Collector Gateway Scaling & HA Prompt
Design a horizontally scalable, highly available OpenTelemetry Collector gateway tier — autoscaling, load balancing, queue persistence, and zero-loss rolling upgrades — so telemetry survives replica churn and traffic spikes.
-
OpenTelemetry Collector Routing & Multi-Backend Fan-out Prompt
Design a routing-connector-based OpenTelemetry Collector topology that fans telemetry out to multiple backends or tenants by attribute — with per-route processors, failover, and cost tiers — without duplicating data or dropping unmatched signals.
-
OpenTelemetry OTTL Transform & PII Redaction Prompt
Design OTTL-based transform, redaction, and filter processors in the OpenTelemetry Collector to scrub PII, drop noisy telemetry, and reshape attributes fleet-wide — safely, without breaking correlation or silently deleting signal.
-
OpenTelemetry Collector Batching & Memory Limiter Tuning Prompt
Tune the OpenTelemetry Collector's batch and memory_limiter processors plus exporter queues to maximize throughput and avoid OOMs, backpressure stalls, and dropped telemetry under bursty load.
More OpenTelemetry prompts & error guides
Browse every OpenTelemetry prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.