Feature
Resolution: Duplicate
Minor
Feature Overview
Provide the ability to output APIServer audit logs based on resource-type.
The required information is just metadata for the requests and matches the existing pre-set policies, just not on the right objects.
Goals (aka. expected user outcomes)
Currently the `policy.yaml` KubeAPIServer configuration allows this, however this is controlled by the APIServer Operator in OpenShift and is not configurable.
There exist a number of pre-set configurations that can be used alongside a group field, but there does not appear to be a way to apply the pre-set config against a set of resources.
For example, collecting all requests for Secrets or Tokens without filtering on user-group, which is required for auditing who is accessing Tokens and Secrets in OpenShift.
Requirements
- Provide a way for a cluster admin to collect or aggregate audit logs based on specific resource types
Use Cases
Auditing who is accessing Tokens and Secrets in OpenShift.
https://issues.redhat.com/browse/RFE-3622
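The gap described above, shown as configuration. This is an added example, not taken from the ticket or from OpenShift's shipped policy. The first document is an upstream-style `policy.yaml` rule keyed on resource type. The second is the group-keyed form the OpenShift `APIServer` resource exposes. Which resources count as "Tokens" is an assumption.

```yaml
# Upstream kube-apiserver audit policy (the file given to --audit-policy-file).
# Rules are evaluated top to bottom; the first matching rule sets the level.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived            # one event per request is enough for access auditing
rules:
  # Metadata level records user, groups, source IP, verb, resource, namespace,
  # name and timestamps, but never request or response bodies, so secret data
  # and token values stay out of the audit log.
  - level: Metadata
    resources:
      - group: ""              # core API group
        # Assumption: "Tokens" includes service account token requests.
        resources: ["secrets", "serviceaccounts/token"]
      - group: "oauth.openshift.io"
        # Assumption: "Tokens" also includes OpenShift OAuth access tokens.
        resources: ["oauthaccesstokens"]
  # Catch-all for this sketch only: drop everything that did not match above.
  - level: None
---
# What a cluster admin can set in OpenShift: a pre-set profile, optionally
# overridden per user group. There is no field here that selects by resource.
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  audit:
    profile: Default
    customRules:
      - group: system:authenticated:oauth   # sample group, chosen for illustration
        profile: WriteRequestBodies
```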
- is incorporated by
  - OCPSTRAT-568 Improve configuration of kube-apiserver audit logging (Closed)
- is related to
  - OBSDA-344 Audit log forwarding produces excessive data, configuration for prefiltering is needed (Closed)
  - OCPSTRAT-568 Improve configuration of kube-apiserver audit logging (Closed)