Uploaded image for project: 'Observability Documentation'
  1. Observability Documentation
  2. OBSDOCS-205

Kube API-server audit log filtering policy

    XMLWordPrintable

Details

    • Story
    • Resolution: Done
    • Major
    • None
    • Logging 5.8, OpenShift 4.12 Async
    • Logging
    • 8
    • True
    • Hide

      Awaiting implementation decisions and draft docs from engineering

      Show
      Awaiting implementation decisions and draft docs from engineering
    • Administer, Deploy
    • Feature
    • OBSDOCS (Aug 21-Sep 11) #241, OBSDOCS (Sep 11 - Oct 2) #242, OBSDOCS (Oct 2 - Oct 23) #243, OBSDOCS (Oct 23 - Nov 13) #244, OBSDOCS (Nov 13 - Dev 4) #245, OBSDOCS (Dec 4 - Dev 25) #246, OBSDOCS (Jan 1 - Jan 22) #247, OBSDOCS (Jan 22 - Feb 12) #248

    Description

      Goals

      Associate kube-API audit policies with audit log inputs in the ClusterLogForwarder.

      • allow multiple audit log streams with separate filtering.
      • specify filter in-line or as an external resource.
      • enable/disable node audit logs
      • compatible with HTTP inputs (LOG-3965)

      Motivation

      • unfiltered request-response audit events are too big to forward
      • unfiltered event stream has low signal-to-noise ratio

      Acceptance Criteria

      • Kube and Openshift API server events forwarded in accordance with an audit policy.
      • Separate policies can be applied on separate inputs/pipelines.

      Documentation Considerations

      The upstream documentation is at https://github.com/openshift/cluster-logging-operator/blob/master/docs/features/logforwarding/filters/api-audit-filter.adoc

      This links to audit policy details in the k8s documentation:

       

      Attachments

        Issue Links

          documents

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. LOG-3982 Kube API-server audit log filtering policy

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OBSDA-344 Audit log forwarding produces excessive data, configuration for prefiltering is needed

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is related to

          Outcome - Organizational objective focused on a measurable outcome. May be in support of larger strategic goals. OBSDA-339 Filter and control size of audit logs

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-568 Improve configuration of kube-apiserver audit logging

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          Bug - A problem that impairs or prevents the functions of the product. OBSDOCS-750 Missing documentation for Kube API Server audit log filtering policy in Log Forwarding

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          links to

          Web Link Enablement deck with more info for docs

          GitHub openshift/openshift-docs#70608: OBSDOCS-205 - CLF audit log filtering

          GitHub openshift/openshift-docs#71135: [enterprise-4.12] OBSDOCS-205 - CLF audit log filtering

          GitHub openshift/openshift-docs#71136: [enterprise-4.13] OBSDOCS-205 - CLF audit log filtering

          GitHub openshift/openshift-docs#71137: [enterprise-4.14] OBSDOCS-205 - CLF audit log filtering

          GitHub openshift/openshift-docs#71138: [enterprise-4.15] OBSDOCS-205 - CLF audit log filtering

          Web Link Upstream documentation

          Activity

            People

              landerso@redhat.com Libby Anderson
              rkratky@redhat.com Robert Krátký
              Votes:
              0 Vote for this issue
              Watchers:
              13 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: