Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-568

Improve configuration of kube-apiserver audit logging

    XMLWordPrintable

Details

    • False
    • Hide

      None

      Show
      None
    • False
    • 100
    • 100% 100%
    • 0
    • 0
    • Program Call

    Description

      NOTE: Updated description

      Goal

      Provide more granular control over filtering of kube-apiserver audit logs.

      Openshift currently provides Configuring the audit log policy which filters by group.

      Users need to be able to filter by at least:

      • resources
      • users
      • namespaces
      • verbs (e.g.; get, update, patch, delete) – Note: events that cause changes are more important for audit.

      The kube-apiserver provides a rich configuration file Auditing Kubernetes which is not accessible in a supported way in OCP.

      (see first comment in this Jira for example of a configuration of what need to be achieved)
       

      Why is this important?

      Forwarding audit logs off-cluster is a common requirement for openshift logging.
      In large production environments, the volume of audit logs under the default configuration is excessively large and consists mostly of low- or 0-value data.
       
      Cluster admin wants to store important audit logs off-cluster, and needs to filter out unimportant logs to reduce data volume to affordable levels, in terms of network bandwidth and storage costs.

      Acceptance Criteria

      • Set a custom audit logging configuration, run a cluster with some test workload, verify that audit logs obey the configuration.
      • CI Testing -  Basic e2e automationTests are merged and completing successfully

      Existing load references

      • On an SNO cluster with nothing but openshift-logging installed, it is possible to see log volumes in excess of 50 lines/sec, or 100kb/sec. Customers have reported log volumes over 100 lines/sec.
      • A regular 27 nodes multi-node cluster (see attached cases) sees logs amounts in range of 40-50GB/day

      Attachments

        Issue Links

          incorporates

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-340 Provide the ability to output APIServer audit logs based on resource-type

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed
          is related to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. LOG-3982 Kube API-server audit log filtering policy

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. OBSDOCS-89 Address Audit Log Volume

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Backlog

          Outcome - Organizational objective focused on a measurable outcome. May be in support of larger strategic goals. OBSDA-342 To apply custom filter before forwarding audit logs externally

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OBSDA-344 Audit log forwarding produces excessive data, configuration for prefiltering is needed

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          Feature Request - Feature requests from customers and/or users RFE-3784 Issue audit log only once per secret consultation when user stays on openshift console for long.

          • Undefined - Priority not specified.
          • Rejected

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. OBSDOCS-205 Kube API-server audit log filtering policy

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Outcome - Organizational objective focused on a measurable outcome. May be in support of larger strategic goals. OBSDA-339 Filter and control size of audit logs

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-340 Provide the ability to output APIServer audit logs based on resource-type

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed

          Activity

            People

              wcabanba@redhat.com William Caban
              rhn-engineering-aconway Alan Conway
              Votes:
              15 Vote for this issue
              Watchers:
              25 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: