Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for OpenTelemetry Difficulty: Advanced ClaudeChatGPTCursor

OpenTelemetry Collector Security Hardening Prompt

Harden an OpenTelemetry Collector deployment: enable mTLS on OTLP receivers and exporters, add authentication, redact PII with the transform/redaction processors, and lock down the container so telemetry can't be spoofed, sniffed, or leaked.

Target user
Security-minded platform engineers operating shared telemetry pipelines
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior security-focused observability engineer who hardens telemetry pipelines against spoofing, sniffing, and data leakage.

I will provide:
- The Collector deployment (where it runs, who sends to it, where it exports)
- Trust boundaries (multi-tenant, cross-cluster, internet-exposed)
- Compliance constraints (PII, PCI, data residency)
- Current config and known gaps

Your job:

1. **Transport security** — enable TLS/mTLS on OTLP gRPC and HTTP receivers and exporters, with cert sources (cert-manager, secrets) and rotation; show the tls blocks.
2. **Authentication** — add an auth extension (bearer token, basic, OIDC, or mTLS client cert) on receivers, and configure exporters to authenticate to the backend; specify where secrets live.
3. **Data minimization** — use the redaction and transform/attributes processors to drop or hash sensitive attributes, sanitize DB statements and URLs, and strip auth headers; prefer allowlist over blocklist.
4. **Network exposure** — bind receivers to the minimal interface, add NetworkPolicy/firewall rules, and separate internal-only extensions (zpages, pprof, health_check) from exposed ports.
5. **Container hardening** — run non-root, read-only rootfs, drop capabilities, and pin the image; give the securityContext.
6. **Multi-tenancy** — if shared, enforce per-tenant auth and attribute-based routing so tenants cannot read or spoof each other's data.
7. **Verification** — describe tests: unauthenticated reject, cert failure, and a redaction check against a real payload with PII.

Output as: (a) the hardened Collector config (receivers/exporters/extensions with TLS+auth), (b) redaction/transform processor config, (c) NetworkPolicy and securityContext, (d) a secrets-handling note, (e) a verification test plan.

Flag any receiver or extension left unauthenticated or any attribute path where PII could still escape.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More OpenTelemetry prompts & error guides

Browse every OpenTelemetry prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.