OpenShift Request For Enhancement / RFE-3622

Scrape APIServer Audit Logs based on resource-type


    • Feature Request
    • Resolution: Done
    • Normal
    • API

      1. Proposed title of this feature request
      Provide the ability to output APIServer audit logs based on resource-type.
      The required information is just metadata for the requests and matches the existing pre-set policies, just not on the right objects.

      2. What is the nature and description of the request?
      Currently the `policy.yaml` KubeAPIServer configuration allows this; however, this is controlled by the APIServer Operator in OpenShift and is not configurable.
      There exist a number of pre-set configurations that can be used alongside a group field, but there does not appear to be a way to apply the pre-set config against a set of resources.

      For example, collecting all requests for Secrets or Tokens without filtering on user-group.

      3. Why does the customer need this? (List the business requirements here)
      Security requirements for auditing who is accessing Tokens and Secrets in OpenShift.

      4. List any affected packages or components.
      OpenShift Kube APIServer, OpenShift KubeAPIServer Operator

      There are additional RFEs that have been filed and rejected. This request differs from these requests as this is just requesting the ability to look for specific resources:
      [0] Add ability to customize audit config
      https://issues.redhat.com/browse/RFE-520
      [1] Add ability to customize audit config
      https://issues.redhat.com/browse/API-990
      [2] Implement "UserRequests" audit policy
      https://issues.redhat.com/browse/RFE-1448

            wcabanba@redhat.com William Caban
            rhn-support-mwasher Michael Washer
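One way to answer "who is accessing Tokens and Secrets" from audit events that have already been recorded, as an added example that is not part of the original request or of OpenShift's code. The events are constructed samples in the upstream `audit.k8s.io/v1` Event format, and the `SENSITIVE` resource set and the names `_event` and `accesses_by_user` are assumptions.

```python
import json
from collections import defaultdict

# Assumption: (apiGroup, resource[/subresource]) pairs treated as "Secrets or Tokens".
SENSITIVE = {("", "secrets"), ("", "serviceaccounts/token"),
             ("oauth.openshift.io", "oauthaccesstokens")}

def _event(user, verb, resource, name, ns, code, stage="ResponseComplete", **ref):
    # Constructed audit.k8s.io/v1 Event with only the fields used below.
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "stage": stage, "verb": verb, "user": {"username": user},
        "objectRef": {"resource": resource, "namespace": ns, "name": name, **ref},
        **({"responseStatus": {"code": code}} if code else {}),
    })

# Constructed sample log, one JSON event per line (not from a real cluster).
SAMPLE_LOG = [
    _event("system:serviceaccount:ci:builder", "get", "secrets", "registry-creds", "ci", 200),
    _event("alice", "get", "pods", "web-0", "prod", 200),
    _event("alice", "create", "serviceaccounts", "deployer", "prod", 201, subresource="token"),
    _event("bob", "get", "secrets", "db-password", "prod", None, stage="RequestReceived"),
    _event("bob", "get", "secrets", "db-password", "prod", 403),
    '{"kind":"Event","stage":"ResponseCo',  # truncated line, e.g. at log rotation
]

def accesses_by_user(lines):
    """Map username -> [(verb, namespace/resource/name, status code)] for SENSITIVE."""
    summary = defaultdict(list)
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # truncated or non-JSON line
        # Count each request once: only the final stage carries the response code.
        if event.get("stage") != "ResponseComplete":
            continue
        ref = event.get("objectRef") or {}
        resource = ref.get("resource", "")
        if ref.get("subresource"):
            resource += "/" + ref["subresource"]
        if (ref.get("apiGroup", ""), resource) not in SENSITIVE:
            continue
        target = f'{ref.get("namespace", "")}/{resource}/{ref.get("name", "")}'
        code = (event.get("responseStatus") or {}).get("code")
        user = (event.get("user") or {}).get("username", "?")
        summary[user].append((event.get("verb"), target, code))
    return dict(summary)
print(accesses_by_user(SAMPLE_LOG))
```

The filter keys on `objectRef` rather than on the user or group, so denied attempts (the 403 above) are reported alongside successful reads.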