Feature Gate - Kubeadm Audit Logging #59067
Conversation
k8s-ci-robot
added
release-note
timothysc
added
sig/cluster-lifecycle
| @@ -128,6 +129,12 @@ func createStaticPodFiles(manifestDir string, cfg *kubeadmapi.MasterConfiguratio | |||
| return err | |||
| } | |||
|
|
|||
| // create audit log file for apiserver | |||
| if err := audit.CreateDefaultAuditLogPolicy(cfg.AuditPolicyDir); err != nil { | |||
There was a problem hiding this comment.
People are going to want to knob paths here for policy on logging. Given it's beta I'm debating whether we should feature gate it or just provide a 1st class override.
/cc @roberthbailey @kubernetes/sig-auth-pr-reviews
There was a problem hiding this comment.
seems like a natural point to drop in a custom policy, especially since nothing else in kubeadm is really functionally dependent on this particular default audit policy
| }, | ||
| Rules: []auditv1beta1.PolicyRule{ | ||
| { | ||
| Level: auditv1beta1.LevelMetadata, |
There was a problem hiding this comment.
Users cannot customize the rules here.
There was a problem hiding this comment.
How do you propose we expose?
There was a problem hiding this comment.
@chuckha @timothysc Let the users use their own policy files optionally.
Just make a slight change to current AuditPolicyDir behavior.
If AuditPolicyDir is not set, create and use this default policy file. If set, find that file named audit.yaml and use it.
cmd/kubeadm/app/util/audit/utils.go
Outdated
| // Registers auditv1beta1 with the runtime Scheme | ||
| auditv1beta1.AddToScheme(scheme.Scheme) | ||
|
|
||
| // writes the pod to disk |
| obj.AuditPolicyLogDir = DefaultAuditPolicyLogDir | ||
| } | ||
|
|
||
| // TODO(chuckha) is 0 a meaningful value here? Does it mean 0 days or forever or can it be used as the empty value? |
There was a problem hiding this comment.
Need to rationalize this comment.
There was a problem hiding this comment.
https://github.com/natefinch/lumberjack/blob/v2.0/lumberjack.go#L78
0 is a valid number and, in addition to MaxBackups == 0, means nothing will get deleted. I'll need to update this to accept 0 as valid and meaningful.
| // AuditPolicyFileName defines audit policy resource file for apiserver | ||
| AuditPolicyFileName = "audit.yaml" | ||
| // AuditPolicyLogFileName defines the audit log filename | ||
| AuditPolicyLogFileName = "audit.log" |
There was a problem hiding this comment.
Audit log uses lumberjack under the hood which uses timestamps embedded in the filename to determine age of logs. I don't think defining an AuditPolicyLogFileName is the right thing to do here, unless I'm missing something.
There was a problem hiding this comment.
nope, my misundertsanding. lumberjack will take care of this automatically after the max-size.
chuckha
force-pushed
the
audit
branch
2 times, most recently
from
6da599a
to
b5ae3fb
Compare
k8s-ci-robot
added
the
approved
| @@ -128,6 +129,15 @@ func createStaticPodFiles(manifestDir string, cfg *kubeadmapi.MasterConfiguratio | |||
| return err | |||
| } | |||
|
|
|||
| // use the default audit policy if no audit policy exists | |||
| auditPolicyFilePath := filepath.Join(cfg.AuditPolicyDir, kubeadmconstants.AuditPolicyFileName) | |||
There was a problem hiding this comment.
Pinned file names inside user specified directories makes for a really opaque interface. Is there a reason not to simply have the user specify the policy file directly?
There was a problem hiding this comment.
I could add an --audit-policy-file flag to combine with the --audit-policy-dir flag to make this customizable but default to audit.yaml. Does that sound reasonable?
There was a problem hiding this comment.
why not just --audit-policy-file as the full filepath and drop --audit-policy-dir?
There was a problem hiding this comment.
that seems sensible! 👍 thanks for the input
k8s-github-robot
added
the
needs-rebase
k8s-github-robot
removed
the
needs-rebase
|
/ok-to-test |
|
/test all |
|
|
||
| // SetDefaults_AuditPolicyConfiguration sets default values for the AuditPolicyConfiguration | ||
| func SetDefaults_AuditPolicyConfiguration(obj *MasterConfiguration) { | ||
| if obj.AuditPolicyConfiguration.Path == "" { |
There was a problem hiding this comment.
"" is actually the default I want here (as in, this is wrong)
chuckha
force-pushed
the
audit
branch
2 times, most recently
from
682afde
to
73b4fd6
Compare
k8s-github-robot
added
the
needs-rebase
cmd/kubeadm/app/cmd/init.go
Outdated
| @@ -191,6 +192,18 @@ func AddInitConfigFlags(flagSet *flag.FlagSet, cfg *kubeadmapiext.MasterConfigur | |||
| &cfg.TokenTTL.Duration, "token-ttl", cfg.TokenTTL.Duration, | |||
| "The duration before the bootstrap token is automatically deleted. If set to '0', the token will never expire.", | |||
| ) | |||
| flagSet.StringVar( | |||
| &cfg.AuditPolicyConfiguration.Path, "audit-policy", cfg.AuditPolicyConfiguration.Path, | |||
There was a problem hiding this comment.
I think there was agreement in yesterday's SIG meeting to not proceed with adding flags until we sort out whether we want to be supporting these in the future.
@kubernetes/sig-cluster-lifecycle-misc
There was a problem hiding this comment.
I think we may have to default off with a opt-in via config option for the time being. Due to the logistical constraints on both args, and self-hosting HA concerns.
This will enable folks to turn on b/default with a separate PR, and unblock this one.
There was a problem hiding this comment.
@chuckha :+1 for this PR!
Two high level comments about the implementation:
- if we are extending how static pod manifest are created in
kubeadm init, it is necessary to ensure a consistent behaviour also inkubeadm alpha phase controlplane(e.g. same flags, same logic for the creation of the policy file if it doesn't exists). - the dependency from the kubea-apiserver to the audit policy file introduce a new element that should be taken into account for self-hosting and HA. I think it is important to inform as many people as possible about this. @timothysc, what about discussing this in the next SIG-meeting?
k8s-github-robot
removed
the
needs-rebase
cmd/kubeadm/app/cmd/init.go
Outdated
| @@ -191,6 +192,18 @@ func AddInitConfigFlags(flagSet *flag.FlagSet, cfg *kubeadmapiext.MasterConfigur | |||
| &cfg.TokenTTL.Duration, "token-ttl", cfg.TokenTTL.Duration, | |||
| "The duration before the bootstrap token is automatically deleted. If set to '0', the token will never expire.", | |||
| ) | |||
| flagSet.StringVar( | |||
| &cfg.AuditPolicyConfiguration.Path, "audit-policy", cfg.AuditPolicyConfiguration.Path, | |||
There was a problem hiding this comment.
I think we may have to default off with a opt-in via config option for the time being. Due to the logistical constraints on both args, and self-hosting HA concerns.
This will enable folks to turn on b/default with a separate PR, and unblock this one.
| obj.AuditPolicyConfiguration = kubeadm.AuditPolicyConfiguration{ | ||
| Path: "foo", | ||
| LogDir: "/foo", | ||
| LogMaxAge: &zero, |
There was a problem hiding this comment.
If the type of LogMaxAge is going to be changed to int32, then you can use utilpointer.Int32Ptr(0) instead :)
| // LogDir is the local pth to the directory where logs should be stored. | ||
| LogDir string | ||
| // LogMaxAge is the number of days logs will be stored for. 0 indicates forever. | ||
| LogMaxAge *int |
There was a problem hiding this comment.
How about changing the type to int32?
| @@ -67,6 +67,15 @@ const ( | |||
| DefaultProxyBindAddressv6 = "::" | |||
| // KubeproxyKubeConfigFileName defines the file name for the kube-proxy's KubeConfig file | |||
| KubeproxyKubeConfigFileName = "/var/lib/kube-proxy/kubeconfig.conf" | |||
|
|
|||
| // DefaultAuditPolicyLogDir is the default directory where the audit system will write | |||
| DefaultAuditPolicyLogDir = "/var/log/kubernetes" | |||
There was a problem hiding this comment.
How about creating a sub-dir? This is OK anyway.
There was a problem hiding this comment.
@xiangpengzhao - Do you mean /var/log/kubernetes/audit ?
There was a problem hiding this comment.
@timothysc exactly :)
| LogDir string | ||
| // LogMaxAge is the number of days logs will be stored for. 0 indicates forever. | ||
| LogMaxAge *int | ||
| } |
There was a problem hiding this comment.
Add the same TODO here? i.e., //TODO(chuckha) add other options for audit policy
cmd/kubeadm/app/cmd/init.go
Outdated
| } else { | ||
| i.cfg.AuditPolicyConfiguration.Path = filepath.Join(kubeConfigDir, kubeadmconstants.AuditPolicyDir, kubeadmconstants.AuditPolicyFile) | ||
| if err := auditutil.CreateDefaultAuditLogPolicy(i.cfg.AuditPolicyConfiguration.Path); err != nil { | ||
| return fmt.Errorf("error creating default audit policy [%v]", err) |
There was a problem hiding this comment.
Also print the default file path here?
There was a problem hiding this comment.
sure, seems reasonable
| @@ -53,6 +56,7 @@ var InitFeatureGates = FeatureList{ | |||
| HighAvailability: {FeatureSpec: utilfeature.FeatureSpec{Default: false, PreRelease: utilfeature.Alpha}, MinimumVersion: v190, HiddenInHelpText: true}, | |||
| CoreDNS: {FeatureSpec: utilfeature.FeatureSpec{Default: false, PreRelease: utilfeature.Alpha}, MinimumVersion: v190}, | |||
| DynamicKubeletConfig: {FeatureSpec: utilfeature.FeatureSpec{Default: false, PreRelease: utilfeature.Alpha}, MinimumVersion: v190}, | |||
| Auditing: {FeatureSpec: utilfeature.FeatureSpec{Default: false, PreRelease: utilfeature.Alpha}}, | |||
There was a problem hiding this comment.
s/Alpha/Beta as per the comment in L45 // Auditing is beta in 1.8 ?
There was a problem hiding this comment.
Auditing in k8s is in beta as of 1.8, but the feature to enable it with kubeadm, I assumed, would be considered Alpha
cmd/kubeadm/app/util/audit/utils.go
Outdated
| @@ -0,0 +1,69 @@ | |||
| /* | |||
| Copyright 2017 The Kubernetes Authors. | |||
cmd/kubeadm/app/util/audit/utils.go
Outdated
|
|
||
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
| auditv1beta1 "k8s.io/apiserver/pkg/apis/audit/v1beta1" | ||
|
|
There was a problem hiding this comment.
weird, maybe my goimports settings are wonky, i'll need to look into this so they are in line with k8s expectations.
cmd/kubeadm/app/util/audit/utils.go
Outdated
| auditv1beta1 "k8s.io/apiserver/pkg/apis/audit/v1beta1" | ||
|
|
||
| "k8s.io/kubernetes/cmd/kubeadm/app/util" | ||
|
|
| @@ -0,0 +1,61 @@ | |||
| /* | |||
| Copyright 2017 The Kubernetes Authors. | |||
| if features.Enabled(i.cfg.FeatureGates, features.Auditing) { | ||
| // Setup the AuditPolicy (either it was passed in and exists or it wasn't passed in and generate a default policy) | ||
| if i.cfg.AuditPolicyConfiguration.Path != "" { | ||
| // TODO(chuckha) ensure passed in audit policy is valid so users don't have to find the error in the api server log. |
There was a problem hiding this comment.
@kubernetes/sig-auth-pr-reviews - is there a mechanism to verify that the audit policy is sane?
There was a problem hiding this comment.
I was thinking try to serialize it into a Policy type and see if it was valid, that would probably catch a lot of the cases
| @@ -67,6 +67,15 @@ const ( | |||
| DefaultProxyBindAddressv6 = "::" | |||
| // KubeproxyKubeConfigFileName defines the file name for the kube-proxy's KubeConfig file | |||
| KubeproxyKubeConfigFileName = "/var/lib/kube-proxy/kubeconfig.conf" | |||
|
|
|||
| // DefaultAuditPolicyLogDir is the default directory where the audit system will write | |||
| DefaultAuditPolicyLogDir = "/var/log/kubernetes" | |||
There was a problem hiding this comment.
@xiangpengzhao - Do you mean /var/log/kubernetes/audit ?
k8s-ci-robot
added
the
sig/auth
chuckha
force-pushed
the
audit
branch
2 times, most recently
from
02371b6
to
386f853
Compare
|
/test pull-kubernetes-kubemark-e2e-gce |
Audit logs are configurable via the MasterConfiguration file. All options are ignored unless the FeatureGate is enabled. Fixes kubernetes/kubeadm#623 Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
|
/test pull-kubernetes-unit |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: chuckha, timothysc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these OWNERS Files:
Approvers can indicate their approval by writing |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
Fixes kubernetes/kubeadm#623
Signed-off-by: Chuck Ha ha.chuck@gmail.com
What this PR does / why we need it:
This PR enables Auditing behind a featureGate. A user can supply their own audit policy with configuration option as well as a place for the audit logs to live. If no policy is supplied a default policy will be provided. The default policy will log all Metadata level policy logs. It is the example provided in the documentation.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes kubernetes/kubeadm#623
Special notes for your reviewer:
Release note: