-
Bug
-
Resolution: Done
-
Major
-
openshift-4.16
-
None
-
None
-
3
-
False
-
-
False
-
OCPSTRAT-672 - Make audit log policy configurable for MicroShift
-
-
-
uShift Sprint 253, uShift Sprint 254
Description of problem:
While doing regression testing
for default size is 200Mbwhy it is 100Mb shown here sudo ls -ltrh /var/log/kube-apiserver/ total 358M -rw-------. 1 root root 100M May 13 11:51 audit-2024-05-13T15-51-42.132.log -rw-------. 1 root root 100M May 13 20:41 audit-2024-05-14T00-41-40.725.log -rw-------. 1 root root 100M May 14 04:30 audit-2024-05-14T08-30-29.480.log -rw-------. 1 root root 56M May 14 09:24 audit.log [redhat@dhcp-1-235-245 ~]$ sudo rm audit.log [7:00](https://redhat-internal.slack.com/archives/D03SQFGHYGK/p1715693429188309) https://github.com/openshift/openshift-docs/pull/75233/files#diff-5c2cca3b817bccbe26d6a02cd9774a86d959085eaa03f5757817d76fa5573743R21 [7:04](https://redhat-internal.slack.com/archives/D03SQFGHYGK/p1715693645817859) Added fake logs, it accepted 257Mb ls -ltrh /var/log/kube-apiserver/ total 559M -rw-------. 1 root root 100M May 13 11:51 audit-2024-05-13T15-51-42.132.log -rw-------. 1 root root 100M May 13 20:41 audit-2024-05-14T00-41-40.725.log -rw-------. 1 root root 100M May 14 04:30 audit-2024-05-14T08-30-29.480.log -rw-------. 1 root root 257M May 14 09:31 audit-2024-05-14T13-32-11.567.log -rw-------. 1 root root 1.1M May 14 09:33 audit.log
And
I see in doc for writeRequestBodies, we only log for(create, update, patch, delete, deletecollection)not for \"verb\":\"get|list|watch\"
In addition to logging metadata for all requests, logs request bodies for every write request to the API servers (create, update, patch, delete, deletecollection).
sudo grep -i my-test-writerequestbodies-profile-cm /var/log/kube-apiserver/audit.log | grep -i microshift-ocp72334-etgv85k3 | grep "" | grep -hE "\"verb\":\"get|list|watch\",\"user\":.*(requestObject|responseObject)" || true {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"8f856295-ef7b-4fde-8af9-910c17e3f01d","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/microshift-ocp72334-etgv85k3/configmaps/my-test-writerequestbodies-profile-cm","verb":"get","user":{"username":"system:admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["10.0.154.34"],"userAgent":"oc/4.15.0 (darwin/amd64) kubernetes/62c4d45","objectRef":{"resource":"configmaps","namespace":"microshift-ocp72334-etgv85k3","name":"my-test-writerequestbodies-profile-cm","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2024-05-15T11:15:41.011977Z","stageTimestamp":"2024-05-15T11:15:41.014662Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
Version-Release number of selected component (if applicable):
4.16.0~rc.1
How reproducible:
Always
Actual results:
Size is 100Mb for default audit logs and in WriteRequestBodies captures get|list|watch requests
Expected results:
Size should be 200Mb for default audit logs and in WriteRequestBodies should not captures get|list|watch requests
Additional info:
- is cloned by
-
USHIFT-3272 [release-4.16] Audit log policy WriteRequestBodies Regression testing failure
- Closed
- links to