Masking Email Addresses in Kubernetes Ingress Logs

The logs are leaking email addresses. You see them plain, raw, in the middle of your Kubernetes Ingress traffic records. Every request line, every debug dump, exposing sensitive user data without restraint. In production, this is a compliance breach waiting to blow up.

Kubernetes Ingress handles routing HTTP and HTTPS traffic to services inside the cluster. But unless you actively sanitize, your logs—whether in NGINX, Traefik, or HAProxy—can store full email addresses from query parameters, headers, or POST bodies. These can appear during troubleshooting, request tracing, or when verbose logging is enabled. The fix is not to remove logging entirely, but to mask what matters.

Masking email addresses in Kubernetes Ingress logs is straightforward when you intercept at the ingress controller level. For NGINX, that means customizing the log format and adding regex rules that replace detected emails with a placeholder. For example:

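map $request $masked_request {
 # Requests without an email address are logged unchanged.
 default $request;
 # Keep the text before the first address ("@" or URL-encoded "%40"); the address
 # and everything after it are replaced, so a later address cannot leak.
 "~^(?<pre>.*?)[A-Za-z0-9._%+-]+(?:@|%40)[A-Za-z0-9.-]+\.[A-Za-z]{2,}" "${pre}***@***.***";
}
log_format masked '$masked_request';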

This ensures the raw request line never shows the actual email, while preserving enough data for debugging. Implement similar middleware in Traefik with custom plugins, or in HAProxy using pattern-based redaction.

Do not rely on application code alone to strip emails. If the ingress is logging upstream data before it hits the app, masking must happen at the ingress tier. Combine this with Kubernetes annotations for access logs, limiting verbosity to only what is operationally necessary. Also consider piping ingress logs to a centralized logging system with built-in data redaction, so even downstream consumers never see unmasked PII.
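
The downstream redaction step described above, as an added example in Python (not code from the original page or from hoop.dev). The log lines are constructed samples, the function names are hypothetical, and the %40 alternative is an addition to the page's pattern because "@" is usually percent-encoded in query strings.

```python
import re

# Character classes taken from the NGINX map on this page. The (?:@|%40)
# alternative is an addition: "@" is usually percent-encoded in query strings.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+(?:@|%40)[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
)
PLACEHOLDER = "***@***.***"

# Constructed sample access-log lines (documentation IP range, fake users).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /healthz HTTP/1.1" 200 2',
    '192.0.2.11 - - [01/Jan/2025:10:00:01 +0000] '
    '"GET /reset?email=alice@example.com HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2025:10:00:02 +0000] '
    '"GET /invite?from=bob%40example.org&to=carol%2Bqa%40example.net HTTP/1.1" 302 0',
]


def mask_emails(line):
    """Mask every email in one log line; return (masked_line, hit_count)."""
    return EMAIL_RE.subn(PLACEHOLDER, line)


def redact_stream(lines):
    """Yield masked lines; usable as a filter between ingress and log storage."""
    for line in lines:
        masked, _ = mask_emails(line)
        yield masked


def audit(lines):
    """Return 1-based numbers of lines that still contain an email.

    Only line numbers are returned, so the audit output never repeats the PII.
    """
    return [n for n, line in enumerate(lines, 1) if EMAIL_RE.search(line)]


if __name__ == "__main__":
    print("lines leaking before masking:", audit(SAMPLE_LOG))
    cleaned = list(redact_stream(SAMPLE_LOG))
    for line in cleaned:
        print(line)
    print("lines leaking after masking:", audit(cleaned))
```

Running audit() over already-stored logs shows which records predate the masking and still need to be purged or rewritten.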

Masking email addresses in logs is not just compliance—it is a trust requirement. Your users expect it. Your audit trail depends on it. If you run Kubernetes Ingress in production, build the habit of filtering sensitive fields before storage.

Want to see it live without rewriting configuration from scratch? Check out hoop.dev and spin up an ingress pipeline with email masking in minutes.