HOSTEDCP-839: Audit log sidecars for openshift-apiserver and openshift-oauth-apiserver
This adds a tail sidecar container for the audit logs of the above deployments. It also plumbs the audit config into the two deployments and sets up the webhook configuration for audit logs. Fixes: HOSTEDCP-839
Showing
7 changed files
with
186 additions
and
76 deletions.
70 changes: 9 additions & 61 deletions
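--- a/control-plane-operator/controllers/hostedcontrolplane/oapi/auditcfg.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/oapi/auditcfg.go
@@ -1,84 +1,32 @@
 package oapi
 
 import (
-corev1 "k8s.io/api/core/v1"
-metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
+"fmt"
 
-oauthv1 "github.com/openshift/api/oauth/v1"
+configv1 "github.com/openshift/api/config/v1"
+corev1 "k8s.io/api/core/v1"
 
 "github.com/openshift/hypershift/support/config"
+"github.com/openshift/library-go/pkg/operator/apiserver/audit"
 )
 
 const (
 auditPolicyConfigMapKey = "policy.yaml"
 )
 
-func ReconcileAuditConfig(cm *corev1.ConfigMap, ownerRef config.OwnerRef) error {
+func ReconcileAuditConfig(cm *corev1.ConfigMap, ownerRef config.OwnerRef, auditConfig configv1.Audit) error {
 ownerRef.ApplyTo(cm)
 if cm.Data == nil {
 cm.Data = map[string]string{}
 }
-policy := defaultAuditPolicy()
+policy, err := audit.GetAuditPolicy(auditConfig)
+if err != nil {
+return fmt.Errorf("failed to get audit policy: %w", err)
+}
 policyBytes, err := config.SerializeAuditPolicy(policy)
 if err != nil {
 return err
 }
 cm.Data[auditPolicyConfigMapKey] = string(policyBytes)
 return nil
 }
-
-func defaultAuditPolicy() *auditv1.Policy {
-return &auditv1.Policy{
-TypeMeta: metav1.TypeMeta{
-Kind: "Policy",
-APIVersion: auditv1.SchemeGroupVersion.String(),
-},
-OmitStages: []auditv1.Stage{
-auditv1.StageRequestReceived,
-},
-Rules: []auditv1.PolicyRule{
-{
-Level: auditv1.LevelNone,
-Resources: []auditv1.GroupResources{
-{
-Group: corev1.SchemeGroupVersion.Group,
-Resources: []string{
-"events",
-},
-},
-},
-},
-{
-Level: auditv1.LevelNone,
-Resources: []auditv1.GroupResources{
-{
-Group: oauthv1.SchemeGroupVersion.Group,
-Resources: []string{
-"oauthaccesstokens",
-"oauthauthorizetokens",
-},
-},
-},
-},
-{
-Level: auditv1.LevelNone,
-NonResourceURLs: []string{
-"/api*",
-"/version",
-"/healthz",
-},
-UserGroups: []string{
-"system:authenticated",
-"system:unauthenticated",
-},
-},
-{
-Level: auditv1.LevelMetadata,
-OmitStages: []auditv1.Stage{
-auditv1.StageRequestReceived,
-},
-},
-},
-}
-}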
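Review bot: The explicit `LevelNone` rule for `oauthaccesstokens` and `oauthauthorizetokens` that the deleted `defaultAuditPolicy` carried is gone, so whether those token-named objects stay out of the audit log now depends entirely on what `audit.GetAuditPolicy(auditConfig)` returns for the selected profile; nothing in this hunk pins that, and a regression here would write token identifiers into a log that a tail sidecar ships elsewhere. Add a unit test that calls `ReconcileAuditConfig` with each supported profile and asserts the serialized `policy.yaml` still contains a `None`-level rule for those two oauth resources, rather than relying on the library default by assumption. It is also not visible here what `GetAuditPolicy` does with an empty `auditConfig.Profile`, so the caller presumably has to default it — worth confirming against the deployment code that plumbs the config in. `ReconcileAuditConfig` is exported and still has no doc comment; suggest `// ReconcileAuditConfig renders the audit policy for auditConfig's profile into cm under "policy.yaml" and sets cm's owner reference.`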