diff --git a/keps/sig-auth/0014-dynamic-audit-configuration.md b/keps/sig-auth/0014-dynamic-audit-configuration.md index 3863c058b9e..dce49cbe566 100644 --- a/keps/sig-auth/0014-dynamic-audit-configuration.md +++ b/keps/sig-auth/0014-dynamic-audit-configuration.md @@ -87,13 +87,13 @@ A cluster scoped configuration object will be provided that applies to all event ```golang // AuditConfiguration represents a dynamic audit configuration -type AuditConfiguration struct { +type AuditSink struct { metav1.TypeMeta v1.ObjectMeta - // Policy is the current audit v1beta1 Policy object - // if undefined it will default to the statically configured cluster policy if available + // The Level that all requests are recorded at. + // if not provided this will default to Metadata level // if neither exist the backend will fail Policy *Policy @@ -101,6 +101,53 @@ type AuditConfiguration struct { Backend *Backend } +// Level defines the amount of information logged during auditing +type Level string + +// Valid audit levels +const ( + // LevelNone disables auditing + LevelNone Level = "None" + // LevelMetadata provides the basic level of auditing. + LevelMetadata Level = "Metadata" + // LevelRequest provides Metadata level of auditing, and additionally + // logs the request object (does not apply for non-resource requests). + LevelRequest Level = "Request" + // LevelRequestResponse provides Request level of auditing, and additionally + // logs the response object (does not apply for non-resource requests and watches). + LevelRequestResponse Level = "RequestResponse" +) + +// Stage defines the stages in request handling during which audit events may be generated. +type Stage string + +// Valid audit stages. +const ( + // The stage for events generated after the audit handler receives the request, but before it + // is delegated down the handler chain. + StageRequestReceived = "RequestReceived" + // The stage for events generated after the response headers are sent, but before the response body + // is sent. This stage is only generated for long-running requests (e.g. watch). + StageResponseStarted = "ResponseStarted" + // The stage for events generated after the response body has been completed, and no more bytes + // will be sent. + StageResponseComplete = "ResponseComplete" + // The stage for events generated when a panic occurred. + StagePanic = "Panic" +) + +// Policy is a scoped down policy for audit webhooks +type Policy struct { + // The Level that all requests are recorded at. + // if not provided this will default to Metadata level + // +optional + Level *Level + + // OmitStages is a list of stages for which no events are created. + // +optional + OmitStages []Stage +} + // Backend holds the configuration for the backend type Backend struct { // Webhook holds the webhook backend @@ -151,8 +198,7 @@ kind: AuditConfiguration metadata: name: policy: - rules: - - level: + level: omitStages: - stage: backend: @@ -192,11 +238,12 @@ called `withDynamicAudit`. Another conditional clause will be added where the ha [provisioned](https://github.com/kubernetes/apiserver/blob/master/pkg/server/config.go#L536) allowing for the proper feature gating. #### Policy Enforcement -This addition will move policy enforcement from the main handler to the backends. From the `withDynamicAudit` handler, -the full event will be generated and then passed to the backends. Each backend will copy the event and then be required to -drop any pieces that do not conform to its policy. A new sink interface will be required for these changes called `EnforcedSink`, -this will largely follow suite with the existing sink but take a fully formed event and the authorizer attributes as its -parameters. It will then utilize the `LevelAndStages` method in the policy +This addition will move policy enforcement from the main handler to the backends. The policy object is a scoped down +version of the V1 Policy object, further filtering will be done in a proxy. This has been done because how we handle policy +may change in the future. From the `withDynamicAudit` handler, the full event will be generated and then passed to the backends. +Each backend will copy the event and then be required to drop any pieces that do not conform to its policy. A new sink interface +will be required for these changes called `EnforcedSink`, this will largely follow suite with the existing sink but take a +fully formed event and the authorizer attributes as its parameters. It will then utilize the `LevelAndStages` method in the policy [checker](https://github.com/kubernetes/apiserver/blob/master/pkg/audit/policy/checker.go) to enforce its policy on the event, and drop any unneeded sections. The new dynamic backend will implement the `EnforcedSink` interface, and update its state based on a shared informer. For the existing backends to comply, a method will be added that implements the `EnforcedSink` interface.