Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-3982

Kube API-server audit log filtering policy


    • api-audit-policy
    • False
    • None
    • False
    • Green
    • NEW
    • Administer, Deploy
    • To Do
    • OBSDA-344 - Audit log forwarding produces excessive data, configuration for prefiltering is needed
    • OBSDA-344Audit log forwarding produces excessive data, configuration for prefiltering is needed
    • 0% To Do, 14% In Progress, 86% Done
    • Feature
    • Log Collection - Sprint 236


      Associate kube-API audit policies with audit log inputs in the ClusterLogForwarder.

      • allow multiple audit log streams with separate filtering.
      • specify filter in-line or as an external resource.
      • enable/disable node audit logs
      • compatible with HTTP inputs (LOG-3965)


      • no filtering for node audit logs other than enable/disable (may be added in future)


      • unfiltered request-response audit events are too big to forward
      • unfiltered event stream has low signal-to-noise ratio


      No filtering: does not solve the problem.

      Pre-filtering by API server policy: can't support audit streams with separate policies.

      Post-filtering: too late - must forward excessive data to post-filter processs

      Acceptance Criteria

      • Kube and Openshift API server events forwarded in accordance with an audit policy.
        • Unit tests for detailed filtering.
        • Simple E2E test to ensure filtering works.
      • Separate policies can be applied on separate inputs/pipelines.
      • Test with kube-apiserver webhook when both this and LOG-3965 are complete.

      Risk and Assumptions

      Requires code from:  https://gitlab.cee.redhat.com/gsleeman/splunk-audit-exporter

      • expected to move to github as open upstream
      • can be forked or used in-house temporarily for development
        • but we should end up on common, open upstream

      Documentation Considerations

      Policy configuration already exists and is documented at:

      ClusterLogForwarder extensions will need to be documented, but can refer to k8s docs for policy details.

      Open Questions

      Additional Notes

      CPSYN-206 reports incorrect capitalization and field re-ordering of audit event in ROSA-HCP (note this was not present on ROSA classic).

      It is possible this is happening in the audit-exporter code that we want to re-use so be careful:

      • MUST fix the capitalization, should be easy.
        Probably there is an import of the default yaml package, instead of the k8s yaml package that respects JSON serialization tags.
      • SHOULD preserve original ordering of fields.
        This might be tricky if maps are being used as intermediaries in the exporter's filtering code.
        If preserving order is difficult, it is probably better to ignore it for the first release, and follow up later.
        Filtering should prevent over-large events that get truncated, which is the main concern with re-ordering.
        The issue is that the critical "verb" field goes to the end. (Why, oh why, didn't they call it "action"?)

            rhn-engineering-aconway Alan Conway
            rhn-engineering-aconway Alan Conway
            Qiaoling Tang Qiaoling Tang
            6 Vote for this issue
            16 Start watching this issue