Feature Request
Resolution: Done
1. Proposed title of this feature request
Provide the ability to output APIServer audit logs based on resource-type.
The required information is just metadata for the requests, and it matches the existing pre-set policies, just not on the right objects.
2. What is the nature and description of the request?
Currently the `policy.yaml` KubeAPIServer configuration allows this; however, it is controlled by the APIServer Operator in OpenShift and is not configurable.
There exist a number of pre-set configurations that can be used alongside a group field, but there does not appear to be a way to apply the pre-set config against a set of resources.
For example, collecting all requests for Secrets or Tokens without filtering on user-group.
3. Why does the customer need this? (List the business requirements here)
Security requirements for auditing who is accessing Tokens and Secrets in OpenShift.
4. List any affected packages or components.
OpenShift Kube APIServer, OpenShift KubeAPIServer Operator
There are additional RFEs that have been filed and rejected. This request differs from these requests as this is just requesting the ability to look for specific resources:
[0] Add ability to customize audit config
https://issues.redhat.com/browse/RFE-520
[1] Add ability to customize audit config
https://issues.redhat.com/browse/API-990
[2] Implement "UserRequests" audit policy
https://issues.redhat.com/browse/RFE-1448
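
As an added illustration (not part of the original request and not the operator's own generated policy), the YAML below contrasts the group-scoped `customRules` of the OpenShift `APIServer` resource with an upstream Kubernetes `audit.k8s.io/v1` policy scoped by resource type. The group name, the resources chosen to stand for "Tokens", and the catch-all rule are assumptions made for the example.

```yaml
# --- What is configurable today: a pre-set profile selected per user group ---
# The profile applies to every resource the group touches; there is no
# field for narrowing it to particular resource types.
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  audit:
    profile: Default
    customRules:
      - group: system:authenticated:oauth   # assumed group, for illustration
        profile: WriteRequestBodies
---
# --- What the request describes: an upstream policy.yaml keyed on resources ---
# Rules are evaluated in order and the first match wins. No users or
# userGroups are listed, so the first rule matches every requester.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived            # skip the duplicate early-stage event
rules:
  # Metadata level records who, what, when and the response code, but never
  # the request or response body, so secret and token values stay out of
  # the audit log.
  - level: Metadata
    resources:
      - group: ""              # core API group
        resources: ["secrets", "serviceaccounts/token"]
      - group: "authentication.k8s.io"
        resources: ["tokenreviews"]
      - group: "oauth.openshift.io"   # assumed mapping for OpenShift "Tokens"
        resources: ["oauthaccesstokens"]
  # Assumed catch-all: everything else is left unlogged by this policy.
  - level: None
```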
- relates to: OBSDA-339 Filter and control size of audit logs (Closed)