FR: streaming audit endpoint #53455
Comments
tallclair
added
area/apiserver
area/logging
sig/api-machinery
k8s-ci-robot
added
the
kind/feature
|
Another important use case (xref #56683): In current e2e test audit events are read from the log file. However, there are a couple of problems:
|
Remove this tag once functionality from feature request kubernetes#53455 is implemented.
Automatic merge from submit-queue (batch tested with PRs 55360, 56444, 56687, 56791, 56802). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Add DisabledForLargeClusters tag to audit tests. Remove this tag once functionality from feature request #53455 is implemented. Fixes #56683. ```release-note NONE ```
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
@crassirostris @loburm Can we turn back on the audit tests on large-scale now? |
|
@shyamjvs Nope, this feature is a pre-requisite for enabling audit tests on large scale /remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
/assign |
|
Hi, @tallclair
This is a plugin work as a server which needs to bind a port?
This requires a authentication progress.
Totally agree!!! |
|
Hi, I'd be happy to work on this if no one has startted it. |
Since audit events are non-nanmespaced objects, how to use RBAC to implement access control for this stream? |
|
Hi. |
This tries to fix: kubernetes/kubernetes#53455
This tries to fix: kubernetes/kubernetes#53455
This tries to fix: kubernetes/kubernetes#53455
|
@tallclair @loburm |
|
awesome, thanks! |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/remove-lifecycle rotten |
k8s-ci-robot
removed
the
lifecycle/rotten
tallclair
added
the
priority/awaiting-more-evidence
|
given the HA implications, the inverse of this (dynamic audit webhook registration) seems preferable |
|
Agreed. What I would actually like to see is an out-of-tree implementation of this. An application that is registered as a dynamic audit webhook and serves the audit stream (maybe with an in-memory history cache). It could either serve a custom API, or register itself as an extension API server. |
|
Sounds good. Closing this here then. /close |
|
@liggitt: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Is this a BUG REPORT or FEATURE REQUEST?:
/kind feature
Description:
Provide a pull-based stream for audit logging. This would look similar to a watch request to the API server, and provide a stream of audit events. I would not expect the stream to return any PREVIOUS events (i.e. no associated storage), it would only stream events that occurred after the stream was opened. This would be a new audit backend plugin.
The should also have some options to filter events. Minimally, there should be a namespaced version that only includes audit events tied to that namespace, so that RBAC can be used to grant subdivided access. Secondarily, it might be nice to be able request only events tied to a given user or resource.
Motivation:
The current audit backends (log & webhook) require very high privileges (file access to the master) or prior configuration (webhook). There are a number of use cases for dynamic and unprivileged access to the audit logs. Examples include:
Challenges:
Audit logs can be very noisy, so there is a risk that providing this stream (and potentially multiple connections) could have a performance impact. Subdividing the audit logs (namespaces, resources, etc.) would help. We could also potentially restrict this to metadata-level, though that would negatively impact the debugging use case (maybe a request parameter?). Also, the stream should not have the reliability guarantees as the webhook & log backends, if the stream is congested events will be dropped.
/cc @crassirostris @liggitt @destijl @sttts @kubernetes/sig-auth-feature-requests
The text was updated successfully, but these errors were encountered: