feat: Emit events in the involved objects namespace #2360
Conversation
ctrought
force-pushed
the
fix-emit-events-namespace
branch
2 times, most recently
from
9109de0
to
47b8f44
Compare
|
@ritazh do you remember why we are using gatekeeper's namespace instead of involved object's? |
|
I'm trying to remember this myself. I think there may have been some notion of security concerns... e.g. it may be possible for a malicious namespace admin to delete the event, which would change the security posture of events as a source-of-truth (not that they're great for that anyway due to throttling). Or maybe it was making it easy to see all events in one space? |
|
I think we were following the current rbac for violations as part of an audit (constraint is cluster level resource) and as part of the Gatekeeper pod logs (Gatekeeper namespace). Both are only accessible to Gatekeeper policy and cluster admins.
This makes sense. Do we want to generate events in both the GK namespace (for the policy/cluster admins) and in the involved object namespace? |
Hmmm, I think it would be redundant to have the events duplicated. For clusters with thousands or even tens of thousands of events I personally wouldn't trade for the convenience of viewing all events from one namespace at the cost of having them duplicated in etcd... but to make it simpler to continue to view all violations a common gatekeeper label could be added to the events so policy admins or cluster-admins can list all gatekeeper events in the cluster using a label selector.
I agree with @maxsmythe that events are not really a great source of truth for known violations anyways. But if that is the only way to view all policy violations right now (provided the user enables emitting violations as events) and there is concern about users removing events, users could always create a GK policy to prevent them from deleting events with the proposed GK labels 😆 |
+1 on label selector to view all gatekeeper events. Curious how others feel about allowing users to delete the violating events in their namespace.
@ctrought Have you evaluated the audit pod logs? Audit pod emits JSON-formatted audit logs to stdout https://open-policy-agent.github.io/gatekeeper/website/docs/audit#audit-logs that should have all the policy violations. |
I think it depends on the intended purpose of the events. If they are merely informational, then the only concerns about who has access where would be around preventing unintentional data leakage. |
I have and I think that's great! It's a bit cumbersome to extract the current violations though (since last audit run). Need to ship these to an external sink of some kind (elasticsearch, alertmanager, etc.). This is actually one of the reasons I submitted the PR to change the namespace because if we can get the events moved to the involved objects namespace I'm planning to use an event exporter to ship these to alertmanager or some other 'sink' where I should get a compiled feed of all the violations and can send them to slack, email, or whatever receiver we'd like. Having these in the involved namespace will allow us to route the violation/alert accordingly based on source namespace, in addition to providing visibility of violations inside kubernetes to the users managing those namespaces.
Sounds good, I will update the PR. 😃 |
|
@ctrought Per the 11/2/2022 community call, we think it would help to add a flag to allow operators to configure to create the events in the violating resource namespace instead of the default gatekeeper namespace. |
The below is how the involvedObject currently looks for a violation event, the namespace is set to gatekeeper-system instead of the namespace of the involvedObject in order to pass validation. I guess my thought is based on the event api and validation that is enforced it suggests that the event is intended to be emitted in the involvedObjects namespace, and the only reason it currently works is because the involvedObjects namespace is intentionally not set to the actual namespace of the involvedObject. |
|
The flag should indicate all namespaces should be set to the violating resource's namespace instead of gatekeeper-system. |
|
@ctrought Thanks for opening this PR and discussing options. Are you still working on this PR or blocked by anything? |
ctrought
changed the title
|
@ritazh was there any preference on a distinct flag for each audit & webhook and helm, or distinct flag for audit and webhook with a shared option in helm that sets both? |
+1 for distinct flags for audit and webhook to make this more flexible. |
ctrought
force-pushed
the
fix-emit-events-namespace
branch
from
47b8f44
to
2bb1b59
Compare
|
I've updated the PR, in addition to the feedback made a couple other tweaks
|
Looked into this in the process, not currently possible with EventRecorder interface but there is a PR open. If it's implemented I can come back to it. |
ctrought
force-pushed
the
fix-emit-events-namespace
branch
from
2bb1b59
to
92d70a0
Compare
Signed-off-by: Craig Trought <k8s@trought.ca>
ctrought
force-pushed
the
fix-emit-events-namespace
branch
from
92d70a0
to
1ba8916
Compare
|
@ritazh anything you need from me to get this merged? thx |
|
@maxsmythe @sozercan hoping this can be included in the 3.12 milestone? |
|
@ctrought looks like tests are failing, can you ptal? |
|
@ctrought ptal the failing tests. we are aiming to release rc on 3/24. |
|
@ctrought bump so we can get this PR reviewed and merged for the upcoming release |
Signed-off-by: Craig Trought <k8s@trought.ca>
Signed-off-by: Craig Trought <k8s@trought.ca>
* move emit namespace logic to getViolationRef for tests Signed-off-by: Craig Trought <k8s@trought.ca>
* add tests for using emit involved namespace flags Signed-off-by: Craig Trought <k8s@trought.ca>
Signed-off-by: Eshaan Mathur <37758843+eshaanm25@users.noreply.github.com>
Signed-off-by: Eshaan Mathur <37758843+eshaanm25@users.noreply.github.com>
ctrought
force-pushed
the
fix-emit-events-namespace
branch
from
3a9d402
to
64e5d66
Compare
Signed-off-by: Eshaan Mathur <37758843+eshaanm25@users.noreply.github.com>
fix: spacing issue in Helm README
|
The unit tests pass on the fork and a local machine. The job may need to be re-run for this PR. |
…t#2360) Signed-off-by: Craig Trought <k8s@trought.ca> Signed-off-by: Eshaan Mathur <37758843+eshaanm25@users.noreply.github.com> Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com> Co-authored-by: Eshaan Mathur <37758843+eshaanm25@users.noreply.github.com> Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
…t#2360) Signed-off-by: Craig Trought <k8s@trought.ca> Signed-off-by: Eshaan Mathur <37758843+eshaanm25@users.noreply.github.com> Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com> Co-authored-by: Eshaan Mathur <37758843+eshaanm25@users.noreply.github.com> Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com> Signed-off-by: Xander Grzywinski <xandergr@microsoft.com>
What this PR does / why we need it:
Events are currently emitted in the Gatekeeper namespace. It would be beneficial to have events emitted in the namespace where the involved object is so that users maintaining those namespaces are aware of them whether it is generated during the admission or in the audit process. It might also be standard/expected that events are emitted in the same namespace as the involved object.
https://pkg.go.dev/k8s.io/client-go/tools/record#EventRecorder
When there is no namespace (e.g. cluster resources) the event is emitted in the default namespace which is expected.
Which issue(s) this PR fixes:
fixes #2230
Signed-off-by: Craig Trought k8s@trought.ca