KEP: Dynamic Audit Configuration

[pbarker]

Proposal to allow for the dynamic configuration of advanced auditing features.

[timothysc]

/cc @kubernetes/sig-api-machinery-feature-requests @kubernetes/sig-auth-feature-requests
/cc @liggitt @tallclair @jagosan

[hh]

After sending out https://lists.cncf.io/g/cncf-k8s-conformance/message/417
It was nice to wake up this morning to your KEP.
Thank you!

[calebamiles]

/ok-to-test

[calebamiles]

/assign @ericchiang @liggitt @tallclair

[tallclair]

/cc @loburm

[tallclair]

Nice, I agree these are important features to have.

[tallclair]

What if I want to enforce that the audit policy cannot be overwritten, even by someone who has the ClusterAdmin role (root in cluster)?

[pbarker]

I suspected this would be controversial, if we want to switch it around that works for me. I was going for observability first, but there may be security concerns that are more important.

[CaoShuFeng]

Rather than introduce a new API object, why don't we just watch the audit policy file and load policy dynamically from it?
Reason:

1. The audit policy object should be owned by the cluster admin. No need to expose it to API.
2. There is only one audit policy. We usually create multi objects when there is an API in kube-apiserver.

Advantage:

1. We can still dynamically config it.
2. Easy to implement. (I think...)
3. reduce one additional threat. (One can not close the audit events by POST policy to API)

Disadvantage:

1. Cluster admin have to check the audit log or apiserver log to ensure that his modification has been accepted by apiserver.
   If there is an error in the config file, the cluster admin can not get a timely and obvious error message, he has to check the log.

We can add a new option to kube-apiserver:

--audit-policy-check-frequency       duration          Duration between checking audit policy file for new policy rules (default 0s). If set to 0s, kube-apiserver will not dynamically load new policy when the policy is modified.

[pbarker]

This would require write access to the master node which is highly privileged. The main goal of the proposal is to provide drop in components that can utilize the audit data, which in turn enhances the security and conformance of the cluster.

Based on the conversations were looking to provide a root policy that cannot be tampered with but enable the ability to dynamically configure secondary policies and webhooks.

[CaoShuFeng]

This would require write access to the master node which is highly privileged.

Agree. This is a reason.

[tallclair]

Does this mean multiple webhooks can be setup at once?

[hh]

Use Cases for multiple webhooks / policies:

• There is an ongoing permanent audit policy, but a temporary audit with a different policy (and likely webhook endpoint) needs to be added. ie. Enabling APISnoop for a specific application
• Joint auditing with same policy but dual webhooks to independent auditors.

[pbarker]

I was shooting for a single webhook initially just to match parity with the current system, but if we think there are sufficient use cases for multiples, I'm happy to change direction.

[tallclair]

I would like to see this section expanded. I can think of a few additional threats that are opened up with this:

1. privileged user changes audit policy to hide (not audit) malicious actions
2. privileged user changes audit policy to DoS audit endpoint (with malintent, or ignorance)
3. privileged user changes webhook configuration to hide malicious actions

As a potential mitigation strategy, what if we said that the flag-defined configuration always takes precedence, but can be combined with the dynamic config? This would let the cluster operator define a policy subset that must be abided by (e.g. ALWAYS log secrets access, at metadata level; NEVER log events, ALWAYS log dynamic audit log changes). This could easily be done by just appending the dynamic config to the static config.

Similarly, the operator could enforce that audit logs are always sent to the flag-configured webhook. WDYT?

[liggitt]

As a potential mitigation strategy, what if we said that the flag-defined configuration always takes precedence, but can be combined with the dynamic config? This would let the cluster operator define a policy subset that must be abided by (e.g. ALWAYS log secrets access, at metadata level; NEVER log events, ALWAYS log dynamic audit log changes). This could easily be done by just appending the dynamic config to the static config.

that's tricky... I can see valid use cases both ways:

• flag-defined config that limits what dynamic configs can do
• flag-defined config for operating in normal mode, dynamic config that allows temporary verbose logging to debug a particular issue

[pbarker]

Temporary verbose logging is an interesting use case. Could we settle on assuming that if you want that feature you would need to leave your static config open to it, and configure the rest dynamically?

[ericavonb]

Having dynamic audit config overriding flag-defined config as defined is very problematic, IMHO. Dynamic policies, e.g. defined as an API object, would be letting the API monitor itself. It would remove the ability to provide any guarantee of the integrity of an audit.

The only tenable way to allow some dynamism to audit policy would be to have flag-defined config be the ultimate authority and let it specify the bounds and policy for applying any dynamic configuration.

[CaoShuFeng]

As a potential mitigation strategy, what if we said that the flag-defined configuration always takes precedence, but can be combined with the dynamic config? This would let the cluster operator define a policy subset that must be abided by (e.g. ALWAYS log secrets access, at metadata level; NEVER log events, ALWAYS log dynamic audit log changes). This could easily be done by just appending the dynamic config to the static config.

Agree to make the flag-defined configuration read only.
And the dynamic audit config will send audits to it's own backends, they should not effect each other.

[tallclair]

If we allowed multiple webhooks to be configured simultaneously, I think it might make sense to allow different policies to be configured for different webhooks.

[pbarker]

If we go that route I agree, we could add a policy field to the AuditConfiguration object, that would take the name of the policy object

[bgrant0607]

Please read the API conventions. In particular:
https://github.com/kubernetes/community/blob/master/contributors/devel/api-conventions.md#naming-conventions

[tallclair]

As an extension, do you think it would ever make sense to allow per-namespace policies? We would probably want to enforce that the namespace-level policies are additive only (i.e. can only increase data logged, not decrease), or maybe appended. Out of scope for this proposal, but something that could be a follow up.

[pbarker]

I like this idea, I think inherently you'll want stricter policy on certain namespaces while others cause bloat. We'll track this as a later feature

[CaoShuFeng]

As an extension, do you think it would ever make sense to allow per-namespace policies

This is what my boss want. I'am happy to implement it.
I think a quota for each namespace's webhooks is necessary.

[tallclair]

Related: kubernetes/kubernetes#53455

[hh]

A possible a third story to cherry pick, which will help with APISnoop style audits: 5f46645

Story 3

As a cluster admin, I will be able configure multiple audit-policies and webhook endpoints to provide independent auditing facilities.

[pbarker]

@hh this is a good use case for multiple webhooks, I'll update to reflect. @tallclair do we see this as working in tandem with kubernetes/kubernetes#53455 ?

[tallclair]

kubernetes/kubernetes#53455 is for a pull-model (at least for setting up the initial connection), where's multiple webhooks would be for a push model. Definitely overlap, but I think there's a use case for both. One thing to note is that if there is a policy-per-webhook, that gets confusing with kubernetes/kubernetes#53455, which policy does it use?

[tallclair]

This will require the audit API to be registered with the apiserver.

I would like there to be additional controls to enable/disable the dynamic policy and/or dynamic webhook config.

[pbarker]

agreed, updating

[tallclair]

I think this is supposed to be a separate PR, so that you don't need to keep renaming the file (and losing the comments).

[pbarker]

ah ok, misunderstood that part, updating

[loburm]

I suppose omitStages should be under the rules: https://github.com/kubernetes/apiserver/blob/master/pkg/apis/audit/types.go#L228

[pbarker]

omitStages can also be global https://github.com/kubernetes/apiserver/blob/master/pkg/apis/audit/types.go#L168

[CaoShuFeng]

/cc

[CaoShuFeng]

+1 to combine configuration flags into an object.
We have 30 audit related flast in kube-apiserver now.

$ kube-apiserver --help |grep audit | wc -l
30

[CaoShuFeng]

I can't wait to see this happens.
@pbarker What's the developing plan for this proposal?

[CaoShuFeng]

applied to the kube-system namespace as an object and be dynamically configured

Why policy is not a cluster-scoped object?

[pbarker]

good catch, updating

[caesarxuchao]

The doc still says kube-system.

[pbarker]

@CaoShuFeng I plan on beginning the implementation this week, and will tweak things as feedback comes in

[x13n]

What does it mean? When dynamic config is enabled in the cluster, will it disable the ability to use blocking mode?

[pbarker]

There was a concern raised about dynamically configuring a webhook to be blocking with a bad configuration which kills the apiserver. You could still configure a blocking webhook through flags.

[x13n]

Ack. So, is the idea for now is to keep one "static" configuration via flags, as it exists today, and in addition to that, provide any number of additional dynamic configurations that effectively enable multiple backends? If yes, can you state that explicitly in the proposal?

[pbarker]

yep, thats the current proposal. Its discussed in more detail here https://github.com/kubernetes/community/pull/2188/files#diff-ed9ccb4e76c92c65792d7180a7f0bd63R153 Let me know if that needs further explanation

[tallclair]

Don't forget to update this.

[tallclair]

I'd like to have someone from apimachinery on this list to approve the webhook parts. In particular, the ability to create multiple webhooks and dynamically configure the performance characteristics.

[pbarker]

added @yliaog

[tallclair]

non-goals is an opportunity to define the scope of this feature / proposal. Can you be more specific about what is out of scope here? Examples might include:

• composable audit policies per-endpoint
• configuring non-webhook backends
• configuring audit output (format or per-field filtering)
• authorization of audit output

[tallclair]

What's the motivation for specifying multiple backends per configuration? I think it might simplify things to have 1:1

[pbarker]

So the original idea was that you may want to define one policy and have multiple backends work off of that. This may only really become relevant if we allow more policies, so I'm fine removing it for the time being.

[tallclair]

Can we just omit the field initially if it only has a single allowed value?

[tallclair]

Yeah, I feel fine about having global options for these. If we ever decide we need them to be dynamically configurable, it's easy to add back later (with the global settings acting as the default values).

[tallclair]

Sorry, I still don't understand this. What specifically does this mean?

If the update fails to apply, ...

Maybe it would help if you describe the implementation of that condition a bit more?

[pbarker]

I think this only applies to policy, since were not handling that here I'll remove

[tallclair]

Almost there... thanks for scoping down so much.

[tallclair]

If multiple API servers exist, the configuration will be rolled out in increments.

What does this mean? Is this talking about HA masters, or aggregated api servers?

[tallclair]

drop policy

[pbarker]

@tallclair @liggitt @yliaog I think we are in a good place with this here, is there anything else you would like to see? or can this move to next steps? Thanks

[tallclair]

I'm not sure what this means... what do informers have to do with configuration? Do you mean the audit pipeline will get the configuration from an informer?

If so, how will it be used? I assume event handlers to add, remove & update backends to sync with the configuration?

Suggestion:
Introduce a new "dynamic" audit backend type. The dynamic audit backend looks like the union backend, but keeps a map of config name -> BE, and keeps the list in sync using the informer event hooks.

The dynamic backend is enabled through a commandline flag. It is always configured with a wrapping truncate & batch backend. The implications of this are that options to the truncate & batch backends should not be included in the dynamic configuration (I think that's already the case). IMO the performance benefits of sharing those are worth it.

[pbarker]

👍 I think were on the same page here, I updated to make it more clear. Let me know if there's anything else we're missing

[tallclair]

nit: I think this should be singular. Update the comments too.

[tallclair]

nit: json doesn't match. I suggest just removing the tags from the KEP - they can be dealt with in the API PR review.

[tallclair]

nit: ClientConfig *WebhookClientConfig

[tallclair]

If this is required it shouldn't be a pointer (I think)

[tallclair]

Almost there, just one more comment

[tallclair]

I think the feature gate is sufficient... I don't think we also need the --audit-dynamic-enabled flag.

[tallclair]

LGTM. Please squash your commits.

Any last thoughts from other reviewers? @liggitt @caesarxuchao @yliaog

[tallclair]

s/sucess/success/

[tallclair]

/lgtm

[pbarker]

ok @tallclair I fixed up the spelling error and updated the next kep number due to an issue with #2331, should be cleared up 👍

[tallclair]

/lgtm

[jbeda]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jbeda

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/OWNERS [jbeda]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment