add auditing operating user guider #313
Conversation
/assign @FeynmanZhou
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: wanjunlei The full list of commands accepted by this bot can be found here.
Please have a look at my comments and make changes. Please resolve the conflict as well. Thanks.
weight: 300
---
KubeSphere Auditing Logs provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators, or other components of the system. Each request to KubeSphere generates an event that is then written to a webhook and processed according to a certain rule. According to different rules, the event will be ignored, stored, or generated an alert.
->
KubeSphere Auditing Logs provide a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators, or other components of the system. Each request to KubeSphere generates an event that is then written to a webhook and processed according to a certain rule. The event will be ignored, stored, or generate an alert based on different rules.
### Receive auditing log from KubeSphere
KubeSphere Auditing Logs can receive auditing logs form KubeSphere and Kubernetes. By default, KubeSphere Auditing Logs only receives auditing logs from KubeSphere.
->
KubeSphere Auditing Log system receives auditing logs only from KubeSphere by default, while it can also receive auditing logs from Kubernetes.
User can stop receive auditing logs from KubeSphere by changing the value of 'auditing.enable' in ConfigMap `kubesphere-config` in the namespace `kubesphere-system` using the following command,
User can stop receive
->
User can stop receiving
```
kubectl edit cm -n kubesphere-system kubesphere-config
```
change the value of `auditing.enabled` as false to stop receive auditing logs from KubeSphere.
->
Change the value of `auditing.enabled` to false to stop receiving auditing logs from KubeSphere.
> Note that this action will restart the Kubernetes apiserver.
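Review bot: the ConfigMap key is spelled two ways in this region, 'auditing.enable' in the sentence that introduces the `kubectl edit` command and `auditing.enabled` in the instruction that follows it; only one can be the real key in `kubesphere-config`, so make both occurrences match or readers will search the ConfigMap for a key that does not exist. The note beneath says the action restarts the Kubernetes apiserver, yet the ConfigMap being edited is `kubesphere-config` in `kubesphere-system`; please confirm and name the component that actually restarts (the KubeSphere apiserver or the Kubernetes one), since an operator will want to know which control plane is briefly unavailable.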
The `audit-policy.yaml` define rules about what events should be recorded and what data they should include. You can use a minimal audit policy file to log all requests at the Metadata level:
The `audit-policy.yaml` define rules about
->
The `audit-policy.yaml` defines rules about
```
macro: ObjectRef.Resource="pods"
```
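The `audit-policy.yaml` mentioned above is a kube-apiserver audit policy, so its format is the standard `audit.k8s.io/v1` Policy. The policy below is an added example written for this review; it is not the file from the PR or from the KubeSphere project. It goes a step beyond the minimal Metadata-only policy the text describes: it drops the noisiest read-only traffic, records pod mutations at RequestResponse level so the full object (including fields such as `hostNetwork`) reaches the auditing webhook, explicitly pins secrets and configmaps to Metadata so their bodies are never written, and logs everything else at Metadata. Rules are evaluated in order and the first match wins, which is why the catch-all is last. The resource, verb, group, stage and level names are the standard Kubernetes ones; the `system:serviceaccounts:kube-system` group filter is an illustrative choice, not something the page prescribes.

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so each request produces one event
# (at ResponseComplete) instead of two.
omitStages:
  - "RequestReceived"
rules:
  # level None: write no event at all. Used here to drop high-volume
  # read-only calls made by kube-system service accounts (assumed noise).
  - level: None
    verbs: ["get", "list", "watch"]
    userGroups: ["system:serviceaccounts:kube-system"]

  # Keep the full request and response body for pod mutations so a
  # downstream rule can inspect the object, e.g. spec.hostNetwork.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""            # core API group
        resources: ["pods"]

  # Never log secret or configmap bodies: Metadata records who, what,
  # when and the outcome, but no request or response payload.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]

  # Catch-all: everything else at Metadata level, the same coverage as
  # the minimal policy described in the text.
  - level: Metadata
```

Hand the file to the Kubernetes apiserver with `--audit-policy-file=/path/to/audit-policy.yaml`, and point `--audit-webhook-config-file` at a kubeconfig whose server is the auditing webhook, so Kubernetes events are delivered to the same pipeline as the KubeSphere ones. Because RequestResponse events carry full object bodies, keep that level restricted to resource types that cannot contain credentials.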
> `Macro` can bu used in rules or other macros like ${pod} or ${alerting-rule.pod}. The difference between these two methods is, ${pod} only can be used in the CRD Rule `alerting-rule`, ${alerting-rule.pod} can be used in all CRD Rule. It is also applied to lists and alias.
->
`Macro` can be used in rules or other macros like ${pod} or ${alerting-rule.pod}. The difference between these two methods is that ${pod} only can be used in the CRD Rule `alerting-rule`, while ${alerting-rule.pod} can be used in all CRD Rules. It also applies to lists and alias.
#### List
`List` is collections of items that can be included in rules, macros, or other lists. Unlike rules and macros, lists cannot be parsed as filtering expressions. Here’s an example of a list.
->
A list is a collection of items that can be included in rules, macros, or other lists. Unlike rules and macros, lists cannot be parsed as filtering expressions. Here is an example of a list.
#### Alias
`Alias` is a short name of a filter field, it can be included in rules, macros, lists, and output string. Here’s an example of an alias.
An alias is a short name of a filter field. It can be included in rules, macros, lists, and output strings. Here is an example of an alias.
```
Output: ${user} ${verb} a HostNetwork Pod ${name} in ${namespace}.
```
> The field of the user, verb, namespace, name all are alias.
->
The fields of user, verb, namespace, and name are all aliases.
### KubeSphere Auditing Logs Query
KubeSphere supports auditing logs query for tenant isolation. Use the `admin` account to log in KubeSphere, choose **Toolbox -> Auditing Operating**.
Is the account admin a must here? I reckon any account can use the query feature for auditing logs as long as the component is enabled in the cluster.
@wanjunlei Please resolve the conflict in content/en/docs/toolbox/_index.md. @FeynmanZhou After the conflict is resolved, this PR can be merged if you do not have any questions.
Signed-off-by: wanjunlei <wanjunlei@yunify.com>
@Sherlock113 @wanjunlei I assume this document can be split into three or four individual guides; it is not friendly to put three or four topics in a single long page. I will merge it first, then @Sherlock113 can help us split and word it.
Signed-off-by: wanjunlei wanjunlei@yunify.com