-
Notifications
You must be signed in to change notification settings - Fork 39.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Advanced Auditing Beta Changes #48561
Comments
@timstclair There are no sig labels on this issue. Please add a sig label by: |
/sig api-machinery |
/cc @crassirostris |
I am very glad to implement the first one if no one has started it.
|
Note that the first one is a breaking change, since it would mean we populate the |
Please note that SIG API doesn't own the contents of apis and we don't need to own issues like this one. |
I think the GKE audit policy really demonstrated how many edge cases there are when composing an audit policy. Don't capture the request body of TokenSubjectReview, ignore kube-proxy watching endpoints, etc. It'd be great to formalize that knowledge somehow. Either by creating a default audit policy in the API server (like default RBAC roles), or by having a real example audit policy in documentation. |
Thanks for pointing it out! |
I think we should consider adding user agent to the audit user info. I know it can be spoofed trivially, but we've had a couple people ask for it. |
Hi, can we implement a feature that support reading audits by kubectl or dashborad? |
Updates kubernetes#48561 This provide a way to omit some stages for each audit policy rule. For example: - level: Metadata resources: - group: "rbac.authorization.k8s.io" resources: ["roles"] omitStages: - "RequestReceived" RequestReceived stage will not be emitted to audit backends with previous config.
I think audit logs should be exposed similarly to other master/apiserver logs. I'm hesitant to build a custom audit log solution. |
Making them available via kube-apiserver doesn't sound right. Nothing stops you though from creating a custom read-only audit-event-apiserver which preferably is backed by an independent storage (maybe not even etcd) and hook that into the cluster with apiserver aggregation. Of course, use the audit webhook to feed the events into audit-event-apiserver. |
Copying from #46592 (comment), with regards to omitting ReqeustRecieved stage from the batched webhook output:
I think we should pursue this option before adding more configuration to the policy, but open for discussion. |
I like the batching webhook mode doing de-duplication. It's a nice middle ground between sending less events and adding even more configuration to omit stages. It also provides a sane default option. Looking at #46897, it already takes a lot of prior knowledge to write these policy files. I think that's a strong argument for not making the policy more complex. |
@sttts @ericchiang @CaoShuFeng We recently discussed the issue of omitting stages with @tallclair and here are some thoughts:
Also I personally think that the logic with omitStages is cleaner and easier to maintain and explain to users |
Yes, you are right. We should never turn this feature on? |
Maybe we let users opt into this through e.g. if you supply Don't know how cleanly that would interact with
Don't have a good answer there. We'd probably just update the e2e tests to use the @sttts @crassirostris @soltysh any thoughts here? I'd like to see a PR soon that formally bumps the feature flag to beta, but I think we have to address this first. |
With current implementation, if user doesn't pass --audit-policy-file to kube-apiserver, nothing will be recorded. |
This option is not a switch between Lagacy audit/Advanced audit. |
Wait, hasn't #51943 already done this? |
The way I see it, you can still enable basic auth by disabling advanced audit logging, so it's not a problem. @CaoShuFeng even added this to the documentation in kubernetes/website#5300 |
Wasn't aware we already did this. I'll call it out explicitly in the release notes. https://github.com/kubernetes/features/blob/master/release-1.8/release_notes_draft.md#action-required-before-upgrading |
@ericchiang Thanks! |
Good progress has been made on this, but the remaining issues aren't blockers. Moving to 1.9, but maybe we should consider this complete? |
@tallclair Everything except for the discussion about api-aggregator (and/or federation?) is done, I think it makes sense to close this one and one a new one later |
[MILESTONENOTIFIER] Milestone Removed Important: This issue was missing labels required for the v1.9 milestone for more than 3 days: kind: Must specify exactly one of |
Thanks everyone for working on audit logging in 1.8! Closing in favor of #54551 |
As we work with the new "advanced auditing" API, we're noticing places where the API could be improved. I'm opening this issue to track all the changes we'd like to make to the API when it goes to beta.
API Changes:
audit.Event.ObjectRef.APIVersion
currently holds both the the API group and version, separated by a/
. We should break these out into separate fields./
delimited resources (e.g.pods/status
for the pods resource and status subresource)Resources
in the [GroupResources
](
kubernetes/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go
Line 198 in 14cd03a
audit.Event.Metadata.CreationTimestamp
shows up as null in the json serialized events we output, which looks sloppy. We should consider cleaning this up. One possibility is to get rid of theaudit.Event.Timestamp
field, and use CreationTimestamp.Other Changes:
AdvancedAuditing
moves to beta and defaults to enabledPostponed to post 1.8.0
/cc @sttts @soltysh @ericchiang @ihmccreery
Feature: kubernetes/enhancements#22
The text was updated successfully, but these errors were encountered: