- Story
- Resolution: Done
- Major
- None
- Logging 5.8, OpenShift 4.12 Async
- 8
- True
- Administer, Deploy
- Feature
- OBSDOCS (Aug 21-Sep 11) #241, OBSDOCS (Sep 11 - Oct 2) #242, OBSDOCS (Oct 2 - Oct 23) #243, OBSDOCS (Oct 23 - Nov 13) #244, OBSDOCS (Nov 13 - Dev 4) #245, OBSDOCS (Dec 4 - Dev 25) #246, OBSDOCS (Jan 1 - Jan 22) #247, OBSDOCS (Jan 22 - Feb 12) #248
Goals
Associate kube-API audit policies with audit log inputs in the ClusterLogForwarder.
- Allow multiple audit log streams with separate filtering.
- Specify the filter in-line or as an external resource.
- Enable/disable node audit logs.
- Compatible with HTTP inputs (LOG-3965).
Motivation
- Unfiltered request-response audit events are too big to forward.
- The unfiltered event stream has a low signal-to-noise ratio.
Acceptance Criteria
- Kube and OpenShift API server events are forwarded in accordance with an audit policy.
- Separate policies can be applied on separate inputs/pipelines.
Documentation Considerations
The upstream documentation is at https://github.com/openshift/cluster-logging-operator/blob/master/docs/features/logforwarding/filters/api-audit-filter.adoc
This links to audit policy details in the k8s documentation:
- https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ - overview and example
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/#audit-k8s-io-v1-Policy - reference doc
- documents
  - LOG-3982 Kube API-server audit log filtering policy (Closed)
  - OBSDA-344 Audit log forwarding produces excessive data, configuration for prefiltering is needed (Closed)
- is related to
  - OBSDA-339 Filter and control size of audit logs (Closed)
  - OCPSTRAT-568 Improve configuration of kube-apiserver audit logging (Closed)
- relates to
  - OBSDOCS-750 Missing documentation for Kube API Server audit log filtering policy in Log Forwarding (Closed)