OCPSTRAT-340 (project: OpenShift Container Platform (OCP) Strategy)

Provide the ability to output APIServer audit logs based on resource-type


Details

    • Feature
    • Resolution: Duplicate
    • Minor
    • OCPSTRAT-16 OpenShift - Kubernetes and Core Platform

    Description

      Feature Overview  

      Provide the ability to output APIServer audit logs based on resource-type.
      The required information is just metadata for the requests and matches the existing pre-set policies, just not on the right objects.
       

      Goals (aka. expected user outcomes)

      Currently, the `policy.yaml` KubeAPIServer configuration allows this; however, it is controlled by the APIServer Operator in OpenShift and is not configurable.

      There exist a number of pre-set configurations that can be used alongside a group field, but there does not appear to be a way to apply the pre-set config against a set of resources.

      For example, collecting all requests for Secrets or Tokens without filtering on user-group, which is required for auditing who is accessing Tokens and Secrets in OpenShift.
       

      Requirements

      • Provide a way for a cluster admin to collect or aggregate audit logs based on specific resource types

       

      Use Cases

      Auditing who is accessing Tokens and Secrets in OpenShift.
      https://issues.redhat.com/browse/RFE-3622
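
As an added illustration (not part of the original issue and not OpenShift's own code), the sketch below post-filters API server audit events by resource type to show who accessed Secrets and token resources, with no user-group filter. It assumes one JSON `audit.k8s.io/v1` event per line; the `WATCHED` set, the function names and the sample lines are constructed for this example.

```python
import json
from collections import Counter

# Assumption: the (apiGroup, resource, subresource) types treated as "Secrets or Tokens".
WATCHED = {
    ("", "secrets", ""),
    ("", "serviceaccounts", "token"),
    ("authentication.k8s.io", "tokenreviews", ""),
    ("oauth.openshift.io", "oauthaccesstokens", ""),
}

def watched_events(lines, watched=WATCHED):
    """Yield audit.k8s.io/v1 events whose objectRef is a watched resource type."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line, e.g. cut off at log rotation
        if not isinstance(ev, dict):
            continue
        ref = ev.get("objectRef") or {}  # non-resource URLs carry no objectRef
        key = (ref.get("apiGroup", ""), ref.get("resource", ""), ref.get("subresource", ""))
        # A request can emit one event per stage; count it once, at completion.
        if key in watched and ev.get("stage") == "ResponseComplete":
            yield ev

def access_summary(lines):
    """Count (username, verb, resource) for every user, with no user-group filter."""
    counts = Counter()
    for ev in watched_events(lines):
        ref = ev["objectRef"]
        resource = "/".join(p for p in (ref["resource"], ref.get("subresource")) if p)
        user = (ev.get("user") or {}).get("username", "<unknown>")
        counts[(user, ev.get("verb", ""), resource)] += 1
    return counts

# Constructed sample lines (not real cluster output).
SAMPLE = [
    '{"stage":"RequestReceived","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"ci","name":"db"}}',
    '{"stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"ci","name":"db"}}',
    '{"stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"configmaps","namespace":"ci","name":"cfg"}}',
    '{"stage":"ResponseComplete","verb":"create","user":{"username":"system:node:n1"},"objectRef":{"resource":"serviceaccounts","subresource":"token","namespace":"ci","name":"builder"}}',
    '{"stage":"ResponseComplete","verb":"get","user":{"username":"system:anonymous"},"requestURI":"/healthz"}',
    '{"stage":"ResponseComplete","verb":"list","user":{"usern',
]

if __name__ == "__main__":
    for (user, verb, resource), n in sorted(access_summary(SAMPLE).items()):
        print(f"{n:4d}  {user}  {verb}  {resource}")
```

This only works on events the active audit profile already records; it does not change what the API server logs.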

       

            People

              wcabanba@redhat.com William Caban