Bug
Resolution: Unresolved
Critical
4.14.z
Important
Description of problem:
Configuring the API Server audit log policy with custom rules.
Version-Release number of selected component (if applicable):
OCP 4.14
How reproducible:
If you set the top-level profile to 'None', as per our documentation it should not work, but in one case it did.
Steps to Reproduce:
1. This is the apiserver cluster config:
audit:
  customRules:
  - group: system:authenticated:oauth
    profile: Default
  profile: None
2. This is an example audit log line from when allowed events were logged:
'''
oc adm node-logs ip-10-92-32-155.eu-central-1.compute.internal --path oauth-apiserver/audit.log | tail -n3
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"cecfb241-32f4-4447-b928-b9b23fdde750","stage":"ResponseComplete","requestURI":"/apis/user.openshift.io/v1/users/~","verb":"get","user":{"username":"USER1","groups":["openshift_group","system:authenticated:oauth","system:authenticated"],"extra":{"scopes.authorization.openshift.io":["user:full"]}},"sourceIPs":["10.92.32.182","100.65.12.1"],"objectRef":{"resource":"users","name":"~","apiGroup":"user.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2025-08-26T07:23:19.023970Z","stageTimestamp":"2025-08-26T07:23:19.026892Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"cluster-admin\" of ClusterRole \"cluster-admin\" to Group \"openshift_group\""}}
'''
3.
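Whether a customRules entry has taken effect is only observable in the audit log itself: with the top-level profile set to None, the only events that should appear are those for members of the groups named in customRules. The script below is an added example (not from this bug report and not OpenShift code) that reads audit.k8s.io/v1 Event lines, such as the output of the `oc adm node-logs ... --path oauth-apiserver/audit.log` command above, and reports how many events were recorded for a given group and at which audit levels. The function names and the sample log lines are constructed for this example; only the event field layout follows the log line shown in the report.

```python
"""Check whether audit events for members of a customRules group are being recorded.

Added example; it assumes the input is one audit.k8s.io/v1 Event JSON object per line,
as written by the OpenShift API servers to audit.log. All names and sample values here
are constructed for illustration.
"""
import json
from collections import Counter

# Constructed sample lines (invented users and IDs). The field layout follows the
# audit.k8s.io/v1 Event format; the last line simulates a truncated tail of a log file.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "auditID": "00000000-0000-0000-0000-000000000001", "stage": "ResponseComplete",
        "requestURI": "/apis/user.openshift.io/v1/users/~", "verb": "get",
        "user": {"username": "USER1",
                 "groups": ["openshift_group", "system:authenticated:oauth", "system:authenticated"]},
        "responseStatus": {"metadata": {}, "code": 200},
        "requestReceivedTimestamp": "2025-08-26T07:23:19.023970Z",
    }),
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "auditID": "00000000-0000-0000-0000-000000000002", "stage": "ResponseComplete",
        "requestURI": "/apis/user.openshift.io/v1/users/~", "verb": "get",
        "user": {"username": "USER2",
                 "groups": ["system:authenticated:oauth", "system:authenticated"]},
        "responseStatus": {"metadata": {}, "code": 200},
        "requestReceivedTimestamp": "2025-08-26T07:24:02.000000Z",
    }),
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
        "auditID": "00000000-0000-0000-0000-000000000003", "stage": "ResponseComplete",
        "requestURI": "/apis/oauth.openshift.io/v1/oauthaccesstokens", "verb": "list",
        "user": {"username": "system:serviceaccount:openshift-authentication:oauth-openshift",
                 "groups": ["system:serviceaccounts", "system:authenticated"]},
        "responseStatus": {"metadata": {}, "code": 200},
        "requestReceivedTimestamp": "2025-08-26T07:24:10.000000Z",
    }),
    "not json: a truncated line that a log tail may contain",
])


def parse_events(text):
    """Parse one JSON Event per line; blank lines and non-JSON lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if obj.get("kind") == "Event" and obj.get("apiVersion", "").startswith("audit.k8s.io/"):
            events.append(obj)
    return events


def events_for_group(events, group):
    """Return the events whose requesting user is a member of `group`."""
    return [e for e in events if group in e.get("user", {}).get("groups", [])]


def levels_by_group(events, group):
    """Count the audit levels at which requests by members of `group` were recorded."""
    return dict(Counter(e.get("level", "") for e in events_for_group(events, group)))


def custom_rule_appears_active(events, group):
    """True if the log contains at least one event for a member of `group`.

    A policy level of None means the request is not written at all, so with the
    top-level profile set to None, the presence of events for the group is the
    observable sign that its customRules entry has taken effect after rollout.
    """
    return len(events_for_group(events, group)) > 0


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    for grp in ("system:authenticated:oauth", "system:serviceaccounts"):
        print(grp, levels_by_group(evs, grp), custom_rule_appears_active(evs, grp))
```

To run it against a real cluster, pipe the node-logs output into `parse_events` instead of `SAMPLE_AUDIT_LOG` and query the group named in your customRules entry; an empty result roughly 30 minutes after the change (the rollout time mentioned in this report) is the symptom described here, while Metadata-level events for the group indicate the Default profile from the custom rule is being applied.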
Actual results:
In one support case, this configuration enabled audit logging for events matching the custom rules, but in the other case it did not. The engineer tested the configuration on OCP 4.14 and 4.18 clusters and confirmed that the custom rule works as expected after a rollout (approximately 30 minutes); that is, it was applied even with the top-level profile set to 'None'.
Expected results:
We would need to understand:
1. Why this inconsistent behavior is occurring.
2. How to correctly configure the API Server to log audit events with custom rules when the top-level profile is set to None, noting that this was established as the correct and expected behaviour during the first support case, with regard to the need to revise our documentation.
Additional info:
Our GPS consultants are involved and have already opened two support cases regarding this matter. The core topic is configuring the API Server audit log policy with custom rules.
Following an investigation across these two distinct cases, it has become apparent that applying the following APIServer configuration leads to two different behaviors:
spec:
  audit:
    customRules:
    - group: system:authenticated:oauth
      profile: Default
    profile: None
In one support case, this configuration allowed audit logging for the custom rules matched, but in the other case, it did not.
Our support engineers determined that an issue existed in our documentation regarding this setup and consequently opened bug OSDOCS-16161, which has since been addressed.
To give more context, following are the support cases mentioned:
04237829
04272815