Identify the server in audit webhook #213
Comments
irfanurrehman
added
area/audit
area/federation
kind/feature
|
/cc @nikhiljindal |
|
There were some discussions months ago around the idea to connect federation requests with requests "forwarded" to the kube-apiservers. If I understand correctly (@nikhiljindal knows more), this forwarding is done via a controller, i.e. asynchronously? This means our audit header does not help so much right now. |
|
Umm am sorry am a bit lost. Not sure which Audit header is being talked about here. I can provide context on the discussion I had with @sttts: When a federated kubernetes cluster receives a request from federation control plane today, the audit logs say that the request came from "federation-control-plane" service account. We do not get any information on which user triggered that request. (For ex: it was Bob that created a federation deployment, which resulted in federation control plane creating a deployment in federated clusters). We have discussed a few options:
And yes the "forwarding" is done via controllers i.e. asynchronously. cc @kubernetes/sig-federation-misc |
|
As far as I can see, there are actually two separate problems:
If we're talking about the first one, in the original proposal it's suggested to have the same |
|
I think this would be like trying to correlate a request to create a replicaset with the follow up request to create a pod. This seems out of scope for the audit log, and should probably be addressed by annotations or ownerRef equivalent, right? |
|
No, that's a different thing. Imagine we have N events in the backend with the same AuditID, for the same call essentially. Some of these events were ingested from the apiserver, some from the kube-aggregator, some from federated server. How to understand which server this particular event with the same AuditID came from? |
|
The federated API server doesn't behave like an aggregated API server where the request is proxied and the request will have the same AuditID. In federation, a user creates a object through the federated API server, the federated controllers observe the object, then reconciles objects on the underlying clusters. An individual request to the federated API server doesn't directly translate to a individual request to the underlying clusters. There's no "same call." So I think some sort higher level method of correlation is probably better for that use case. (also sorry for closing the issue accidentally) |
|
@ericchiang OK, I see, thanks. I was thinking more about the kube-aggregator case and though that some calls in the federated server are synchronous |
|
WDYT about something like "audit context" -- object ref that would be populated by asynchronous servers like federation control plane that would specify, what object caused the request to be fired? It could then be used in other controllers, e.g. DaemonSet controller could specify the DaemonSet object ref in the request to create/delete pods |
|
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
|
/lifecycle frozen |
k8s-ci-robot
added
the
lifecycle/frozen
Thursday Aug 03, 2017 at 09:14 GMT
Originally opened as kubernetes/kubernetes#50076
Spinning up a discussion from kubernetes/kubernetes#48561
It can be implemented right now by adding a parameter to the webhook address on the deployment stage and process this parameter later in the pipeline. However, it's (relatively) easy to add information to the API and we want to make sure that the information we currently have is in the right state before going to beta / GA.
One thought is that it probably doesn't make sense to have this information in the event object, because events from different sources rarely mix up (until the backend anyway) and it would just mean the same information copied all over the request to the webhook. WDYT about adding this information to the EventList object?
/cc @tallclair @sttts @CaoShuFeng @ericchiang
The text was updated successfully, but these errors were encountered: