Feature
Resolution: Duplicate
Major
BU Product Work
0% To Do, 0% In Progress, 100% Done
Program Call
NOTE: Updated description
Goal
Provide more granular control over filtering of kube-apiserver audit logs.
OpenShift currently provides "Configuring the audit log policy", which filters by group.
Users need to be able to filter by at least:
- resources
- users
- namespaces
- verbs (e.g., get, update, patch, delete) – Note: events that cause changes are more important for audit.
The kube-apiserver provides a rich configuration file ("Auditing", Kubernetes documentation), which is not accessible in a supported way in OCP.
(See the first comment in this Jira for an example of a configuration showing what needs to be achieved.)
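For reference, the four filter dimensions listed above map onto an upstream Kubernetes audit policy as follows. This is an added example in the upstream `audit.k8s.io/v1` format, not the configuration from the ticket's first comment and not a supported OCP setting; the namespace `example-prod` is a placeholder.

```yaml
# Added example: upstream kube-apiserver audit policy (audit.k8s.io/v1).
# Rules are evaluated top to bottom; the first rule that matches a request
# decides its audit level, so narrow rules must precede broad ones.
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so each request is not logged twice.
omitStages:
  - RequestReceived
rules:
  # users + verbs + resources: drop high-volume watches from a system component.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""            # core API group
        resources: ["endpoints", "services"]

  # resources + verbs: record who changed secrets and configmaps, but only at
  # Metadata level so secret payloads never land in the audit log. Placed
  # before the namespace rule so it also wins inside example-prod.
  - level: Metadata
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]

  # namespaces + verbs: keep request bodies for changes in one namespace.
  # "example-prod" is a placeholder name.
  - level: Request
    namespaces: ["example-prod"]
    verbs: ["create", "update", "patch", "delete"]

  # Non-resource URLs: health and discovery probes carry no audit value.
  - level: None
    nonResourceURLs: ["/healthz*", "/version", "/api*"]

  # verbs: drop all remaining read-only traffic.
  - level: None
    verbs: ["get", "list", "watch"]

  # Catch-all: every remaining (mutating) request is logged at Metadata level.
  - level: Metadata
```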
Why is this important?
Forwarding audit logs off-cluster is a common requirement for OpenShift logging.
In large production environments, the volume of audit logs under the default configuration is excessively large and consists mostly of low- or 0-value data.
A cluster admin wants to store important audit logs off-cluster and needs to filter out unimportant logs to reduce data volume to affordable levels, in terms of network bandwidth and storage costs.
Acceptance Criteria
- Set a custom audit logging configuration, run a cluster with some test workload, verify that audit logs obey the configuration.
- CI Testing - Basic e2e automation tests are merged and completing successfully
Existing load references
- On an SNO cluster with nothing but openshift-logging installed, it is possible to see log volumes in excess of 50 lines/sec, or 100kb/sec. Customers have reported log volumes over 100 lines/sec.
- A regular 27-node multi-node cluster (see attached cases) sees log volumes in the range of 40-50GB/day
- incorporates
  - OCPSTRAT-340 Provide the ability to output APIServer audit logs based on resource-type (Closed)
- is related to
  - LOG-3982 Kube API-server audit log filtering policy (Closed)
  - OBSDOCS-89 Address Audit Log Volume (Backlog)
  - OBSDA-342 To apply custom filter before forwarding audit logs externally (Closed)
  - OBSDA-344 Audit log forwarding produces excessive data, configuration for prefiltering is needed (Closed)
- relates to
  - RFE-3784 Issue audit log only once per secret consultation when user stays on openshift console for long. (Rejected)
  - OBSDOCS-205 Kube API-server audit log filtering policy (Closed)
  - OBSDA-339 Filter and control size of audit logs (Closed)
  - OCPSTRAT-340 Provide the ability to output APIServer audit logs based on resource-type (Closed)