OpenShift Container Platform (OCP) Strategy / OCPSTRAT-340

Provide the ability to output APIServer audit logs based on resource-type


    • Feature
    • Resolution: Duplicate
    • Minor
    • 0% To Do, 0% In Progress, 100% Done

      Feature Overview  

      Provide the ability to output APIServer audit logs based on resource-type.
      The required information is only request metadata, which matches what the existing pre-set policies record, just not on the right objects.
       

      Goals (aka. expected user outcomes)

      Currently the `policy.yaml` KubeAPIServer configuration allows this; however, it is controlled by the APIServer Operator in OpenShift and is not configurable.

      A number of pre-set configurations exist that can be used alongside a group field, but there does not appear to be a way to apply a pre-set configuration to a set of resources.

      An example is collecting all requests for Secrets or Tokens without filtering on user group, which is required for auditing who is accessing Tokens and Secrets in OpenShift.
       

      Requirements

      • Provide a way for a cluster admin to collect or aggregate audit logs based on specific resource types

       

      Use Cases

      Auditing who is accessing Tokens and Secrets in OpenShift.
      https://issues.redhat.com/browse/RFE-3622
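
The use case above, approximated by post-processing audit events the cluster already records, as an added example (not code from this ticket or from OpenShift). It assumes JSON-lines `audit.k8s.io/v1` events at Metadata level or higher and that "Tokens" means the `oauth.openshift.io` token resources; `access_by_user` and `_event` are hypothetical names.

```python
import json
from collections import Counter

# Resource types to report on. Assumption: "Tokens" means the OAuth token
# resources served under the oauth.openshift.io API group.
WATCHED = {
    ("", "secrets"),  # core group: apiGroup is omitted from objectRef
    ("oauth.openshift.io", "oauthaccesstokens"),
    ("oauth.openshift.io", "oauthauthorizetokens"),
}

def access_by_user(lines, watched=WATCHED):
    """Count (username, verb, resource) over audit events for watched types."""
    counts = Counter()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line, e.g. cut by log rotation
        if not isinstance(ev, dict):
            continue
        ref = ev.get("objectRef") or {}  # absent for non-resource URLs (/healthz)
        key = (ref.get("apiGroup", ""), ref.get("resource"))
        # One request can emit several stages; count it once, at completion.
        if key not in watched or ev.get("stage") != "ResponseComplete":
            continue
        user = (ev.get("user") or {}).get("username", "<unknown>")
        counts[(user, ev.get("verb"), ref["resource"])] += 1
    return counts

def _event(user, verb, resource, group="", stage="ResponseComplete"):
    """Build one constructed audit.k8s.io/v1 Event line at Metadata level."""
    ref = {"resource": resource, "apiVersion": "v1"}
    if group:
        ref["apiGroup"] = group
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                       "level": "Metadata", "stage": stage, "verb": verb,
                       "user": {"username": user}, "objectRef": ref})

# Constructed sample input, not taken from a real cluster.
SAMPLE = [
    _event("alice", "get", "secrets", stage="RequestReceived"),
    _event("alice", "get", "secrets"),
    _event("system:serviceaccount:demo:builder", "list", "secrets"),
    _event("bob", "get", "oauthaccesstokens", group="oauth.openshift.io"),
    _event("bob", "get", "configmaps"),
    '{"kind":"Event","stage":"ResponseComplete","verb":"get","requestURI":"/healthz"}',
    '{"kind":"Event","stage":"Respon',
]
```

This only reports requests that the active audit profile recorded in the first place; it does not change which events the API server emits.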

       

              wcabanba@redhat.com William Caban