Bug 1878648: apiserver-audit: add secure-oauth-storage-* policies

pkg/operator/apiserver/audit/manifests/audit-policies-cm.yaml

@@ -135,4 +135,124 @@ data:
       - group: "oauth.openshift.io"
         resources: ["oauthclients"]
     # catch-all rule to log all other requests with request and response payloads
+    - level: RequestResponse
+
+  secure-oauth-storage-default.yaml: |
+    apiVersion: audit.k8s.io/v1beta1
+    kind: Policy
+    metadata:
+      name: Default
+    # Don't generate audit events for all requests in RequestReceived stage.
+    omitStages:
+    - "RequestReceived"
+    rules:
+    # Don't log requests for events
+    - level: None
+      resources:
+      - group: ""
+        resources: ["events"]
+    # Don't log authenticated requests to certain non-resource URL paths.
+    - level: None
+      userGroups: ["system:authenticated", "system:unauthenticated"]
+      nonResourceURLs:
+      - "/api*" # Wildcard matching.
+      - "/version"
+      - "/healthz"
+      - "/readyz"
+    # Log the full Identity API resource object so that the audit trail
+    # allows us to match the username with the IDP identity.
+    - level: RequestResponse
+      verbs: ["create", "update", "patch"]
+      resources:
+        - group: "user.openshift.io"
+          resources: ["identities"]
+        - group: "oauth.openshift.io"
+          resources: ["oauthaccesstokens", "oauthauthorizetokens"]
+    # A catch-all rule to log all other requests at the Metadata level.
+    - level: Metadata
+      # Long-running requests like watches that fall under this rule will not
+      # generate an audit event in RequestReceived.
+      omitStages:
+      - "RequestReceived"
+
+  secure-oauth-storage-writerequestbodies.yaml: |
+    apiVersion: audit.k8s.io/v1beta1
+    kind: Policy
+    metadata:
+      name: WriteRequestBodies
+    # Don't generate audit events for all requests in RequestReceived stage.
+    omitStages:
+    - "RequestReceived"
+    rules:
+    # Don't log requests for events
+    - level: None
+      resources:
+      - group: ""
+        resources: ["events"]
+    # Don't log authenticated requests to certain non-resource URL paths.
+    - level: None
+      userGroups: ["system:authenticated", "system:unauthenticated"]
+      nonResourceURLs:
+      - "/api*" # Wildcard matching.
+      - "/version"
+      - "/healthz"
+      - "/readyz"
+    # exclude resources where the body is security-sensitive
+    - level: Metadata
+      resources:
+      - group: "route.openshift.io"
+        resources: ["routes"]
+      - resources: ["secrets"]
+    - level: Metadata
+      resources:
+      - group: "oauth.openshift.io"
+        resources: ["oauthclients"]
+    # log request and response payloads for all write requests
+    - level: RequestResponse
+      verbs:
+      - update
+      - patch
+      - create
+      - delete
+      - deletecollection
+    # catch-all rule to log all other requests at the Metadata level.
+    - level: Metadata
+      # Long-running requests like watches that fall under this rule will not
+      # generate an audit event in RequestReceived.
+      omitStages:
+      - RequestReceived
+
+  secure-oauth-storage-allrequestbodies.yaml: |
+    apiVersion: audit.k8s.io/v1beta1
+    kind: Policy
+    metadata:
+      name: AllRequestBodies
+    # Don't generate audit events for all requests in RequestReceived stage.
+    omitStages:
+    - "RequestReceived"
+    rules:
+    # Don't log requests for events
+    - level: None
+      resources:
+      - group: ""
+        resources: ["events"]
+    # Don't log authenticated requests to certain non-resource URL paths.
+    - level: None
+      userGroups: ["system:authenticated", "system:unauthenticated"]
+      nonResourceURLs:
+      - "/api*" # Wildcard matching.
+      - "/version"
+      - "/healthz"
+      - "/readyz"
+    # exclude resources where the body is security-sensitive
+    - level: Metadata
+      resources:
+      - group: "route.openshift.io"
+        resources: ["routes"]
+      - resources: ["secrets"]
+    - level: Metadata
+      resources:
+      - group: "oauth.openshift.io"
+        resources: ["oauthclients"]
+    # catch-all rule to log all other requests with request and response payloads
     - level: RequestResponse

pkg/operator/apiserver/audit/testdata/audit-policies-cm-scenario-1.yaml

@@ -135,4 +135,124 @@ data:
       - group: "oauth.openshift.io"
         resources: ["oauthclients"]
     # catch-all rule to log all other requests with request and response payloads
+    - level: RequestResponse
+
+  secure-oauth-storage-default.yaml: |
+    apiVersion: audit.k8s.io/v1beta1
+    kind: Policy
+    metadata:
+      name: Default
+    # Don't generate audit events for all requests in RequestReceived stage.
+    omitStages:
+    - "RequestReceived"
+    rules:
+    # Don't log requests for events
+    - level: None
+      resources:
+      - group: ""
+        resources: ["events"]
+    # Don't log authenticated requests to certain non-resource URL paths.
+    - level: None
+      userGroups: ["system:authenticated", "system:unauthenticated"]
+      nonResourceURLs:
+      - "/api*" # Wildcard matching.
+      - "/version"
+      - "/healthz"
+      - "/readyz"
+    # Log the full Identity API resource object so that the audit trail
+    # allows us to match the username with the IDP identity.
+    - level: RequestResponse
+      verbs: ["create", "update", "patch"]
+      resources:
+        - group: "user.openshift.io"
+          resources: ["identities"]
+        - group: "oauth.openshift.io"
+          resources: ["oauthaccesstokens", "oauthauthorizetokens"]
+    # A catch-all rule to log all other requests at the Metadata level.
+    - level: Metadata
+      # Long-running requests like watches that fall under this rule will not
+      # generate an audit event in RequestReceived.
+      omitStages:
+      - "RequestReceived"
+
+  secure-oauth-storage-writerequestbodies.yaml: |
+    apiVersion: audit.k8s.io/v1beta1
+    kind: Policy
+    metadata:
+      name: WriteRequestBodies
+    # Don't generate audit events for all requests in RequestReceived stage.
+    omitStages:
+    - "RequestReceived"
+    rules:
+    # Don't log requests for events
+    - level: None
+      resources:
+      - group: ""
+        resources: ["events"]
+    # Don't log authenticated requests to certain non-resource URL paths.
+    - level: None
+      userGroups: ["system:authenticated", "system:unauthenticated"]
+      nonResourceURLs:
+      - "/api*" # Wildcard matching.
+      - "/version"
+      - "/healthz"
+      - "/readyz"
+    # exclude resources where the body is security-sensitive
+    - level: Metadata
+      resources:
+      - group: "route.openshift.io"
+        resources: ["routes"]
+      - resources: ["secrets"]
+    - level: Metadata
+      resources:
+      - group: "oauth.openshift.io"
+        resources: ["oauthclients"]
+    # log request and response payloads for all write requests
+    - level: RequestResponse
+      verbs:
+      - update
+      - patch
+      - create
+      - delete
+      - deletecollection
+    # catch-all rule to log all other requests at the Metadata level.
+    - level: Metadata
+      # Long-running requests like watches that fall under this rule will not
+      # generate an audit event in RequestReceived.
+      omitStages:
+      - RequestReceived
+
+  secure-oauth-storage-allrequestbodies.yaml: |
+    apiVersion: audit.k8s.io/v1beta1
+    kind: Policy
+    metadata:
+      name: AllRequestBodies
+    # Don't generate audit events for all requests in RequestReceived stage.
+    omitStages:
+    - "RequestReceived"
+    rules:
+    # Don't log requests for events
+    - level: None
+      resources:
+      - group: ""
+        resources: ["events"]
+    # Don't log authenticated requests to certain non-resource URL paths.
+    - level: None
+      userGroups: ["system:authenticated", "system:unauthenticated"]
+      nonResourceURLs:
+      - "/api*" # Wildcard matching.
+      - "/version"
+      - "/healthz"
+      - "/readyz"
+    # exclude resources where the body is security-sensitive
+    - level: Metadata
+      resources:
+      - group: "route.openshift.io"
+        resources: ["routes"]
+      - resources: ["secrets"]
+    - level: Metadata
+      resources:
+      - group: "oauth.openshift.io"
+        resources: ["oauthclients"]
+    # catch-all rule to log all other requests with request and response payloads
     - level: RequestResponse