adds dynamic audit documentation

kubernetes · Nov 13, 2018 · 1d81b2d · 1d81b2d
1 parent 10cddda
commit 1d81b2d
Showing 1 changed file with 46 additions and 0 deletions.
diff --git a/content/en/docs/tasks/debug-application-cluster/audit.md b/content/en/docs/tasks/debug-application-cluster/audit.md
@@ -207,6 +207,52 @@ same format as described above to the aggregated apiserver and set up the log in
 to pick up audit logs. Different apiservers can have different audit configurations and different
 audit policies.
 
+## Dynamic Auditing
+
+As of version 1.13 audit webhook backends can be configured dynamically as API objects. 
+
+To enable the feature a number of api server flags must be set:
+- `--audit-dynamic-configuration` the primary switch, once the feature progresses to GA this will be 
+  the only flag needed
+- `--feature-gates=DynamicAuditing=true` Feature gate
+- `--runtime-config=auditregistration.k8s.io/v1alpha1=true` Forces alpha version
+
+Once enabled, a sink can be provisioned:
+```yaml
+apiVersion: auditregistration.k8s.io/v1alpha1
+kind: AuditSink
+metadata:
+  name: <name>
+spec:
+  policy:
+    level: <level>
+    stages:
+    - <stage>
+  webhook:
+    throttle:
+      qps: <10>
+      burst: <15>
+    clientConfig:
+      url: <backend url>
+      service:
+        name: <service name>
+        namespace: <service namespace>
+      caBundle: <ca bundle>
+```
+
+The full api defintion can be found in the [types file](https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go). Multiple objects will exist as independent solutions. Dynamic policy will have no effect on backends configured from runtime flags. If webhook truncate options are set as runtime flags they will be applied to the dynamic backend.
+
+### Policy
+The AuditSink policy differs slightly from the runtime policy. This is because the API object serves different use cases. The API policy will continue to evolve as the API matures to serve more use cases.
+
+The `level` field applies the given audit level to all requests. The `stages` field is now a whitelist of stages to record. See the [types file](https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go) for a more detailed overview.
+
+### Security
+Administrators should be cognizant that allowing write access to this feature grants read access to all cluster data. Access should be regarded as a `cluster-admin` level privilege.
+
+### Performance
+In its current state, this feature has performance implications for the apiserver in the form of increased cpu and memory usage. This should be nominal, and performance impact testing will be done before the API progresses to beta.
+
 ## Log Collector Examples
 
 ### Use fluentd to collect and distribute audit events from log file