Feature
Resolution: Unresolved
Major
100% To Do, 0% In Progress, 0% Done
Feature Overview (aka. Goal Summary)
Implement a standardized approach for audit log forwarding in Hosted Control Planes (HCP) deployments, leveraging konnectivity proxy to ensure reliable and secure log transmission. This solution addresses audit log challenges observed for internal customers (e.g., RHIT's self-managed HyperShift) and in ROSA HCP environments, providing a consistent logging mechanism across different configurations.
Goals (aka. Expected User Outcomes)
- Enable seamless audit log forwarding in HCP deployments.
- Ensure log transmission is secure, reliable, and scalable.
- Provide a reusable solution for both self-managed HyperShift and ROSA HCP environments.
- Enhance visibility and compliance for customers running HyperShift clusters.
Requirements (aka. Acceptance Criteria)
- Implement audit log forwarding via konnectivity proxy.
- Ensure compatibility with both self-managed HyperShift and ROSA HCP deployments.
- Provide a secure and efficient logging mechanism that aligns with OpenShift's architecture.
- Ensure logs are accessible for troubleshooting and compliance needs.
- Maintain performance without introducing excessive latency or overhead.
Deployment Considerations
Deployment Configurations | Specific Needs |
---|---|
Self-managed, managed, or both | Both |
Classic (standalone cluster) | N/A |
Hosted control planes | Yes |
Multi-node, Compact (three-node), Single-node (SNO), or all | HCP |
Connected / Restricted Network | Must support restricted networks |
Architectures (x86_64, ARM, IBM Power, IBM Z) | x86_64, ARM (aarch64), IBM Power (ppc64le), IBM Z (s390x) |
Operator compatibility | Must integrate with HyperShift operator |
Backport needed | To be determined (TBD) |
UI need (e.g., OpenShift Console, dynamic plugin, OCM) | TBD |
Other considerations | Ensure proper documentation for implementation |
Use Cases (Optional)
- A self-managed HyperShift user needs audit logs forwarded for security compliance.
- A ROSA HCP customer wants a standardized method for log retrieval and storage.
- Administrators need access to logs without direct access to control plane nodes.
Questions to Answer (Optional)
- Should log forwarding be configurable by users?
- Are there additional security considerations when using konnectivity proxy?
- What retention policies should be recommended for audit logs?
Out of Scope
- Implementing a new logging system outside of existing OpenShift log forwarding mechanisms.
- Providing per-customer customization outside standard configurations.
Background
RHIT's self-managed HyperShift deployment encountered the same audit log forwarding challenges as ROSA HCP. A previous solution using konnectivity proxy successfully addressed the issue in ROSA HCP, and this feature aims to validate and extend that approach to self-managed environments.
Customer Considerations
- Ensure log forwarding does not introduce performance bottlenecks.
- Provide clear documentation for setup and troubleshooting.
- Ensure security best practices in log transmission and storage.
Documentation Considerations
- Detailed guide on configuring audit log forwarding via konnectivity proxy.
- Reference existing OpenShift logging documentation where applicable.
- Provide troubleshooting steps for common issues.
Interoperability Considerations
- Verify integration with ROSA, OSD, and ARO deployments.
- Ensure compatibility with existing OpenShift logging infrastructure.
- Validate interoperability with external logging solutions if needed.