
Email in Argo Server audit Log and GDPR

Open allemp opened this issue 3 years ago • 5 comments

Summary

Currently argo server gatekeeper will log the email in an audit log. This is not great because email is personally identifiable information in Europe and is subject to GDPR.

I suggest being able to choose what is logged/what is not logged through the argo server configmap. For example custom claims, groups etc.

Use Cases

  • In countries with GDPR or other personal information legislation, explicitly disabling email logging
  • More granular auditing. For example logging which OIDC group the user belongs to.

Message from the maintainers:

Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.

allemp avatar Oct 13 '22 11:10 allemp

Maybe we should remove email from the log. WDYT? @alexec

terrytangyuan avatar Oct 13 '22 14:10 terrytangyuan

I’m not a lawyer.

The email is logged for audit purposes. The email is not a customer’s email; it would be that of an Argo operator’s employee.

It would be helpful to see a lawyer’s opinion on that.

alexec avatar Oct 13 '22 14:10 alexec

I had to research this at work and while I am also not a lawyer the conclusion I've come to is that it's still personal data for employees (source) and having it in log files is not great practice. The proper way is already implemented: The logs also record the ID of the user which makes it a lot more secure than plaintext email.

I currently have a workaround in my environment (OIDC scope doesn't include email so it's blank in the logs), but I think this is a very subtle gotcha that could get other Argo Workflows users (in European Union) in trouble.

allemp avatar Oct 13 '22 14:10 allemp

OK. We can remove this logging. Could you submit a PR?

alexec avatar Oct 13 '22 18:10 alexec

I need the email because the username appears as a garbled string

tooptoop4 avatar Oct 13 '22 19:10 tooptoop4