Configure Privacy Policies
This guide walks through creating a SessionPrivacyPolicy, attaching it to a workspace service group, overriding it for a specific agent, and verifying the configuration is active.
SessionPrivacyPolicy is an Enterprise feature. You need an active Enterprise license to use it.
Prerequisites
Section titled “Prerequisites”- Omnia operator v0.x or later with Enterprise enabled
- A Workspace with at least one service group
kubectlaccess to the cluster
Step 1: Create a policy in your workspace namespace
Section titled “Step 1: Create a policy in your workspace namespace”A SessionPrivacyPolicy must live in the same namespace that the workspace manages. Find the namespace by checking Workspace.spec.namespace.name.
kubectl apply -f - <<'EOF'apiVersion: omnia.altairalabs.ai/v1alpha1kind: SessionPrivacyPolicymetadata: name: default-privacy namespace: my-workspace-nsspec: recording: enabled: true facadeData: true richData: true pii: redact: true patterns: - email - ssn - credit_card strategy: replace userOptOut: enabled: true honorDeleteRequests: true deleteWithinDays: 30 auditLog: enabled: true retentionDays: 365EOFConfirm the policy is active:
kubectl get sessionprivacypolicy default-privacy -n my-workspace-nsThe PHASE column should show Active.
Step 2: Attach the policy to a service group
Section titled “Step 2: Attach the policy to a service group”Edit your Workspace to add privacyPolicyRef to the service group. Most workspaces have a single service group named default.
kubectl apply -f - <<'EOF'apiVersion: omnia.altairalabs.ai/v1alpha1kind: Workspacemetadata: name: my-workspacespec: displayName: My Workspace namespace: name: my-workspace-ns services: - name: default privacyPolicyRef: name: default-privacyEOFThe operator reconciles the Workspace and sets a PrivacyPolicyResolved condition.
Verify:
kubectl get workspace my-workspace \ -o jsonpath='{.status.conditions[?(@.type=="PrivacyPolicyResolved")]}'Expected output (formatted for readability):
{ "type": "PrivacyPolicyResolved", "status": "True", "reason": "PolicyResolved", "message": "..."}Step 3: Override the policy on a specific AgentRuntime (optional)
Section titled “Step 3: Override the policy on a specific AgentRuntime (optional)”If one agent needs different privacy rules from the rest of the service group, set spec.privacyPolicyRef on that AgentRuntime. Create the stricter policy first:
kubectl apply -f - <<'EOF'apiVersion: omnia.altairalabs.ai/v1alpha1kind: SessionPrivacyPolicymetadata: name: strict-privacy namespace: my-workspace-nsspec: recording: enabled: true facadeData: true richData: false userOptOut: enabled: true honorDeleteRequests: true deleteWithinDays: 7 auditLog: enabled: true retentionDays: 365EOFThen patch the agent:
kubectl apply -f - <<'EOF'apiVersion: omnia.altairalabs.ai/v1alpha1kind: AgentRuntimemetadata: name: sensitive-agent namespace: my-workspace-nsspec: privacyPolicyRef: name: strict-privacyEOFVerify the condition on the AgentRuntime:
kubectl get agentruntime sensitive-agent -n my-workspace-ns \ -o jsonpath='{.status.conditions[?(@.type=="PrivacyPolicyResolved")]}'Step 4: Create a global default (optional)
Section titled “Step 4: Create a global default (optional)”A policy named default in the omnia-system namespace applies to any agent that has no service group policy and no agent override. This is useful as a baseline for all workspaces.
kubectl apply -f - <<'EOF'apiVersion: omnia.altairalabs.ai/v1alpha1kind: SessionPrivacyPolicymetadata: name: default namespace: omnia-systemspec: recording: enabled: true facadeData: true richData: false auditLog: enabled: true retentionDays: 90EOFTroubleshooting
Section titled “Troubleshooting”PrivacyPolicyResolved is False with reason PolicyNotFound
Section titled “PrivacyPolicyResolved is False with reason PolicyNotFound”The policy referenced by privacyPolicyRef.name does not exist in the expected namespace. Check:
- The policy name is spelled correctly.
- The policy exists in the workspace’s namespace (not in
omnia-systemor another namespace):Terminal window kubectl get sessionprivacypolicy -n my-workspace-ns - The policy was applied successfully (no admission webhook rejections).
Seeing which policy applies to a live session
Section titled “Seeing which policy applies to a live session”The session-api exposes the effective policy for any namespace/agent combination:
kubectl exec -n omnia-system deploy/session-api -- \ curl -s "http://localhost:8080/api/v1/privacy-policy?namespace=my-workspace-ns&agent=my-agent"A 200 response contains the effective recording config. A 204 means no policy applies and recording runs with defaults.
Agent is not using the override
Section titled “Agent is not using the override”The PolicyWatcher in the session-api polls the Kubernetes API every 30 seconds. After applying a change to an AgentRuntime or policy, wait up to 30 seconds for the new policy to take effect on new sessions. In-flight sessions use the policy that was cached when they started.
Rotating encryption keys
Section titled “Rotating encryption keys”When spec.encryption is configured, key rotation works as follows:
- Update
encryption.keyIDin the policy to point to the new key in your KMS. - Optionally set
encryption.keyRotation.reEncryptExisting: trueto re-encrypt stored data. - The
PolicyWatcherfires an invalidation callback on the next poll (within 30 seconds). New session writes immediately use the new key. - Existing ciphertext written with the old key remains readable as long as the old key is still accessible in the KMS. Do not revoke or delete the old key until all existing data has been re-encrypted or its retention period has expired.
If keyRotation.reEncryptExisting is enabled, track progress via:
kubectl get sessionprivacypolicy my-policy -n my-workspace-ns \ -o jsonpath='{.status.keyRotation}'The reEncryptionProgress.status field transitions through Pending → InProgress → Completed.
Reference
Section titled “Reference”See SessionPrivacyPolicy CRD for the full field reference, encryption coverage per object type, and example YAML.