Goals

Associate kube-API audit policies with audit log inputs in the ClusterLogForwarder.

• allow multiple audit log streams with separate filtering.
• specify filter in-line or as an external resource.
• enable/disable node audit logs
• compatible with HTTP inputs (LOG-3965)

Non-Goals

• no filtering for node audit logs other than enable/disable (may be added in future)

Motivation

• unfiltered request-response audit events are too big to forward
• unfiltered event stream has low signal-to-noise ratio

Alternatives

No filtering: does not solve the problem.

Pre-filtering by API server policy: can't support audit streams with separate policies.

Post-filtering: too late - must forward excessive data to post-filter processs

Acceptance Criteria

• Kube and Openshift API server events forwarded in accordance with an audit policy.
  • Unit tests for detailed filtering.
  • Simple E2E test to ensure filtering works.
• Separate policies can be applied on separate inputs/pipelines.
• Test with kube-apiserver webhook when both this and LOG-3965 are complete.

Risk and Assumptions

Requires code from:  https://gitlab.cee.redhat.com/gsleeman/splunk-audit-exporter

• expected to move to github as open upstream
• can be forked or used in-house temporarily for development
  • but we should end up on common, open upstream

Documentation Considerations

Policy configuration already exists and is documented at:

• https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ - overview and example
• https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/#audit-k8s-io-v1-Policy - reference doc

ClusterLogForwarder extensions will need to be documented, but can refer to k8s docs for policy details.

Open Questions

Additional Notes

CPSYN-206 reports incorrect capitalization and field re-ordering of audit event in ROSA-HCP (note this was not present on ROSA classic).

It is possible this is happening in the audit-exporter code that we want to re-use so be careful:

• MUST fix the capitalization, should be easy.
  Probably there is an import of the default yaml package, instead of the k8s yaml package that respects JSON serialization tags.
• SHOULD preserve original ordering of fields.
  This might be tricky if maps are being used as intermediaries in the exporter's filtering code.
  If preserving order is difficult, it is probably better to ignore it for the first release, and follow up later.
  Filtering should prevent over-large events that get truncated, which is the main concern with re-ordering.
  The issue is that the critical "verb" field goes to the end. (Why, oh why, didn't they call it "action"?)