New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 2011375: templates: Silence audit events from container infra by default #2792
Bug 2011375: templates: Silence audit events from container infra by default #2792
Conversation
I was going to go add a check for "system has an AVC denial" but the problem today is that every time a container starts or stops *and* most notably liveness probes end up generating audit events. This very quickly rotates out audit events that we *do* care about. Outside of Kubernetes, workloads can be much more "static" and it makes sense for "iptables rules changed" to cause an audit event. For OpenShift, it doesn't make sense. Silence that and the promiscuous device one so that we can more easily read the audit logs captured from a CI run to verify there were no AVC denials. This will also be useful preparation for e.g. teaching the MCO do watch for some types of audit event (such as AVC) and bridge them to Prometheus metrics or so.
@openshift-cherrypick-robot: This pull request references Bugzilla bug 2011083, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@openshift-cherrypick-robot: No Bugzilla bug is referenced in the title of this pull request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
this seems to need a 4.8 bz first. holding. |
Pending: #2793 |
/retitle Bug 2011375: templates: Silence audit events from container infra by default |
@openshift-cherrypick-robot: This pull request references Bugzilla bug 2011375, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/hold cancel |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: openshift-cherrypick-robot, sdodson The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
1 similar comment
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: openshift-cherrypick-robot, sdodson The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
4 similar comments
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
@openshift-cherrypick-robot: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Most of those aws jobs are failing on /test e2e-aws |
@openshift-cherrypick-robot: All pull requests linked via external trackers have merged: Bugzilla bug 2011375 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This is an automated cherry-pick of #2633
/assign kikisdeliveryservice