Dynamic Audit Policy #71230
Dynamic Audit Policy #71230
Conversation
k8s-ci-robot
added
release-note
|
Hi @pbarker. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
|
/cc @tallclair @lavalamp @liggitt |
|
/cc @liggitt |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
/retest |
1 similar comment
|
/retest |
|
/cc |
|
Hello, is there any reasons to complicate the struct with the existence of |
|
@WanLinghao the idea was to make it composable so that Sinks could share the classes, and an app developer could create a class for their application and have it packaged up with everything else. This was just the first direction we wanted to explore. I'm building a little CRD version now to test out these ideas that will serve as input, I'll ping you with the repo once is live |
|
@pbarker thank you! |
pbarker
force-pushed
the
audit-policy
branch
from
a37d373
to
963844c
Compare
|
Just checking in--looks like it's not my turn yet. Please ping me when it is! :) |
|
Hi everyone, is this patch ready to merge? |
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: pbarker If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| // required | ||
| Policy Policy `json:"policy" protobuf:"bytes,1,opt,name=policy"` | ||
|
|
||
| // Webhook to send events | ||
| // `webhook` to send events |
There was a problem hiding this comment.
Complete sentence? e.g. webhook describes how to contact the sink.
| // +optional | ||
| Stages []Stage `json:"stages" protobuf:"bytes,2,opt,name=stages"` | ||
|
|
||
| // `rules` define how `auditClass` objects should be handled. |
There was a problem hiding this comment.
| // `rules` define how `auditClass` objects should be handled. | |
| // `rules` define how requests having a matching `auditClass` should be handled. |
?
| // +optional | ||
| Stages []Stage `json:"stages" protobuf:"bytes,2,opt,name=stages"` | ||
|
|
||
| // `rules` define how `auditClass` objects should be handled. | ||
| // A request may fall under multiple `auditClass` objects. |
| type WebhookThrottleConfig struct { | ||
| // ThrottleQPS maximum number of batches per second | ||
| // `qps` maximum number of batches per second. |
There was a problem hiding this comment.
qps is the maximum sustained batches per second.
?
| type Webhook struct { | ||
| // Throttle holds the options for throttling the webhook | ||
| // `throttle` holds the options for throttling the webhook. |
There was a problem hiding this comment.
What if we called it rate limits? This isn't throttling the webhook, it's throttling requests sent?
What happens if there are more events than can be fit in the given rate limits?
| Users []string `json:"users,omitempty" protobuf:"bytes,2,rep,name=users"` | ||
| // The user groups in this attribute group. A user is considered matching | ||
| // if it is a member of any of the UserGroups. | ||
| // An empty list implies every user group. |
There was a problem hiding this comment.
The empty behavior still seems quite wrong; if you leave users empty and set a group, every user is included due to users being empty.
I think you have to have empty lists mean the criteria is not used, i.e., selects nothing.
|
|
||
| // RequestSelector selects requests by matching on the given fields. Selectors are | ||
| // used to compose `auditClass` objects. | ||
| type RequestSelector struct { |
There was a problem hiding this comment.
Is this an "all must match" or an "any may match" list? I think it wants to be the latter?
There was a problem hiding this comment.
Now that I read through to the bottom of this type, I think it still needs significant work :/
I think users need to be able to express {mist include one of [list], ignore/don't care, must not include one of [list]} for many or all of these clauses. Do we have a list of use cases we want to make easy?
There was a problem hiding this comment.
Is this an "all must match" or an "any may match" list?
I think all fields in the selector must match, but within a field it's "any". For example, if I specify verbs=[get, create] and resources=[pods, nodes], then that would logically be (verb=get OR verb=create) AND (res=pods OR res=nodes)
I think users need to be able to express {mist include one of [list], ignore/don't care, must not include one of [list]} for many or all of these clauses.
For "must not include one of list", I think the way to express that in the current model would be to have a separate class for the excluded requests, and then handle it before the positive class in the policy rules. I think the common use case will be "I want to handle this type of request in this way, except ignore (don't log) these specific noisy requests".
Do we have a list of use cases we want to make easy?
I think the default audit policy is a good starting point: https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure-helper.sh#L824-L950
| UserGroups []string `json:"userGroups,omitempty" protobuf:"bytes,3,rep,name=userGroups"` | ||
|
|
||
| // `verbs` included in this selector. | ||
| // An empty list implies every verb. |
There was a problem hiding this comment.
I think you need both IncludeVerbs and ExcludeVerbs :/
I think you may need this for users and groups, too :/
|
|
||
| // Selectors can apply to API resources (such as "pods" or "secrets"), | ||
| // non-resource URL paths (such as "/api"), or neither, but not both. | ||
| // If neither is specified, the selector is treated as a default for all URLs. |
There was a problem hiding this comment.
Missing field? Zombie comment?
| // *s are allowed, but only as the full, final step in the path, and are delimited by the path separator | ||
| // Examples: | ||
| // "/metrics" - Log requests for apiserver metrics | ||
| // "/healthz/*" - Log all health checks |
There was a problem hiding this comment.
Seems like we should make it easy to get all or none of these?
| // Using this field requires resources to be specified. | ||
| // An empty list implies that every instance of the resource is matched. | ||
| // +optional | ||
| ObjectNames []string `json:"objectNames,omitempty" protobuf:"bytes,3,rep,name=objectNames"` |
There was a problem hiding this comment.
Shouldn't this be ResourceNames to be consistent with RBAC, AdmissionWebhooks and the current AuditPolicy?
Then copying existing rules into classes can be done easily.
| Users []string `json:"users,omitempty" protobuf:"bytes,2,rep,name=users"` | ||
| // The user groups in this attribute group. A user is considered matching | ||
| // if it is a member of any of the UserGroups. | ||
| // An empty list implies every user group. |
There was a problem hiding this comment.
@lavalamp This is more or less copy of the current documentation and behavior of AuditPolicy.
| // available options: None, Metadata, Request, RequestResponse | ||
| // required | ||
| Level Level `json:"level" protobuf:"bytes,1,opt,name=level"` | ||
|
|
||
| // Stages is a list of stages for which events are created. | ||
| // `stages` is a list of stages for which events are created. | ||
| // If no stages are given nothing will be logged |
There was a problem hiding this comment.
If no stages have been specified, nothing will be logged even if the rules specify stages of their own?
Can we make any correlation more explicit if there is one?
| Level Level `json:"level" protobuf:"bytes,2,opt,name=level"` | ||
|
|
||
| // `stages` is a list of stages for which events are created. | ||
| // If no stages are given nothing will be logged. |
There was a problem hiding this comment.
Does this works as a union with the Policy stages as in the audit API or it completely overrides it? This should also be made explicit.
|
met with @lavalamp, @liggitt, @mvladev, @shturec, @tallclair: recording at https://zoom.us/recording/share/DJa-lhV7gX_3z5-H89LswcvUF6lePS4b6rslRNMLng2wIumekTziMw next steps: the use cases and example API configs should fold back into the KEP, and eventually be usable in some for as end-user documentation of the feature (xref the sample admission webhook configurations referenced from https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#webhook-configuration) |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
@pbarker: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-rebase
|
@fejta-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
liggitt
removed
the
api-review
@liggitt is this mr still valuable to move on? I have similar need to dynamic change audit policy with out restart apiserver. |
|
@pbarker I think this mr is greatly helpful, may I ask why was this mr closed? |
|
Hey @xuchen-xiaoying the company I was working for when building this got acquired and this work was deprioritized, the community also didn't have enough interest to continue to push it forward. I think this is largely due to most k8s clusters being provisioned on a cloud provider, and the cloud providers having their own audit integrations built in. |
@pbarker really appreciate your reply and related enhancement, which I think is valuable and elegant for hot restart and dynamic configuration. much tanks. |
What type of PR is this?
/kind feature
What this PR does / why we need it:
Adds policy rules to the AuditSink API object #70818
Special notes for your reviewer:
This PR is based off discussions with @lavalamp and @tallclair to make the audit policy more composable and readable for the API objects.
Does this PR introduce a user-facing change?: