Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-3982

Kube API-server audit log filtering policy

    XMLWordPrintable

Details

    • api-audit-policy
    • False
    • None
    • False
    • Green
    • NEW
    • Administer, Deploy
    • To Do
    • OBSDA-344 - Audit log forwarding produces excessive data, configuration for prefiltering is needed
    • OBSDA-344Audit log forwarding produces excessive data, configuration for prefiltering is needed
    • VERIFIED
    • 86
    • 86% 86%
    • Feature
    • Log Collection - Sprint 236

    Description

      Goals

      Associate kube-API audit policies with audit log inputs in the ClusterLogForwarder.

      • allow multiple audit log streams with separate filtering.
      • specify filter in-line or as an external resource.
      • enable/disable node audit logs
      • compatible with HTTP inputs (LOG-3965)

      Non-Goals

      • no filtering for node audit logs other than enable/disable (may be added in future)

      Motivation

      • unfiltered request-response audit events are too big to forward
      • unfiltered event stream has low signal-to-noise ratio

      Alternatives

      No filtering: does not solve the problem.

      Pre-filtering by API server policy: can't support audit streams with separate policies.

      Post-filtering: too late - must forward excessive data to post-filter processs

      Acceptance Criteria

      • Kube and Openshift API server events forwarded in accordance with an audit policy.
        • Unit tests for detailed filtering.
        • Simple E2E test to ensure filtering works.
      • Separate policies can be applied on separate inputs/pipelines.
      • Test with kube-apiserver webhook when both this and LOG-3965 are complete.

      Risk and Assumptions

      Requires code from:  https://gitlab.cee.redhat.com/gsleeman/splunk-audit-exporter

      • expected to move to github as open upstream
      • can be forked or used in-house temporarily for development
        • but we should end up on common, open upstream

      Documentation Considerations

      Policy configuration already exists and is documented at:

      ClusterLogForwarder extensions will need to be documented, but can refer to k8s docs for policy details.

      Open Questions

      Additional Notes

      CPSYN-206 reports incorrect capitalization and field re-ordering of audit event in ROSA-HCP (note this was not present on ROSA classic).

      It is possible this is happening in the audit-exporter code that we want to re-use so be careful:

      • MUST fix the capitalization, should be easy.
        Probably there is an import of the default yaml package, instead of the k8s yaml package that respects JSON serialization tags.
      • SHOULD preserve original ordering of fields.
        This might be tricky if maps are being used as intermediaries in the exporter's filtering code.
        If preserving order is difficult, it is probably better to ignore it for the first release, and follow up later.
        Filtering should prevent over-large events that get truncated, which is the main concern with re-ordering.
        The issue is that the critical "verb" field goes to the end. (Why, oh why, didn't they call it "action"?)

      Attachments

        Issue Links

          blocks

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OBSDA-344 Audit log forwarding produces excessive data, configuration for prefiltering is needed

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is documented by

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. OBSDOCS-205 Kube API-server audit log filtering policy

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-568 Improve configuration of kube-apiserver audit logging

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          links to

          Web Link Enhancemenet proposal: API-server audit log filtering policy in ClusterLogForwarder

          GitHub openshift/cluster-logging-operator#1959: LOG-3982: ClusterLogForwarder API audit policy

          GitHub openshift/enhancements#1474: Updated to match final implementation.

          GitHub openshift/openshift-docs#66871: [WIP] [DOCS] Logging 5.8.0 Release Notes

          mentioned on

          GitLab Merge request - Updated US source to: 7b60768 Merge pull request #1959 from alanconway/api-audit-filter

          Activity

            People

              rhn-engineering-aconway Alan Conway
              rhn-engineering-aconway Alan Conway
              Qiaoling Tang Qiaoling Tang
              Votes:
              6 Vote for this issue
              Watchers:
              16 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: