
[release-4.8] Bug 2011083: templates: Silence audit events from container infra by default #2793

Conversation

openshift-cherrypick-robot

This is an automated cherry-pick of #2633

/assign kikisdeliveryservice

I was going to go add a check for "system has an AVC denial"
but the problem today is that every time a container starts or
stops *and* most notably liveness probes end up generating
audit events.

This very quickly rotates out audit events that we *do* care
about.

Outside of Kubernetes, workloads can be much more "static"
and it makes sense for "iptables rules changed" to cause an
audit event.  For OpenShift, it doesn't make sense.

Silence that and the promiscuous device one so that we can
more easily read the audit logs captured from a CI run to
verify there were no AVC denials.

This will also be useful preparation for e.g. teaching
the MCO to watch for some types of audit event (such as
AVC) and bridge them to Prometheus metrics or so.
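The description above motivates two things: a CI check for "the system has an AVC denial", and filtering out the NETFILTER_CFG / ANOM_PROMISCUOUS noise that container start/stop and liveness probes generate. The POSIX shell below is an added example, not code from this PR or from the MCO: it runs the AVC check over a constructed audit.log excerpt and counts how many records the exclusion rules would drop. The two auditctl rules quoted in the comment are my assumption of what the template adds, not a quote from the PR.

```shell
#!/bin/sh
# Added example: scan an audit log for enforcing AVC denials and measure the
# share of container-infra noise that an exclude rule would remove.

# Constructed sample audit.log excerpt; timestamps, pids and labels are made up.
SAMPLE_AUDIT_LOG='type=NETFILTER_CFG msg=audit(1633450000.101:5001): table=nat family=2 entries=48
type=SYSCALL msg=audit(1633450000.101:5001): arch=c000003e syscall=54 success=yes exit=0
type=NETFILTER_CFG msg=audit(1633450000.102:5002): table=filter family=2 entries=91
type=ANOM_PROMISCUOUS msg=audit(1633450000.150:5003): dev=veth1a2b prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=AVC msg=audit(1633450001.200:5004): avc:  denied  { write } for  pid=4242 comm="example" name="data" dev="overlay" ino=1234 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=NETFILTER_CFG msg=audit(1633450001.300:5005): table=nat family=2 entries=50'

# Print one "count TYPE" line per audit record type found in the log text.
audit_type_counts() {
    printf '%s\n' "$1" | sed -n 's/^type=\([A-Z_]*\) .*/\1/p' | sort | uniq -c | sed 's/^ *//'
}

# Exit 0 if at least one enforcing AVC denial is present, 1 otherwise.
# permissive=1 records are logged but not enforced, so they do not count.
has_avc_denial() {
    printf '%s\n' "$1" | grep '^type=AVC ' | grep 'denied' | grep -qv 'permissive=1'
}

# Number of records that these exclude rules (assumed, in auditctl syntax)
# would drop before they ever reach the log and rotate out real denials:
#   -a exclude,always -F msgtype=NETFILTER_CFG
#   -a exclude,always -F msgtype=ANOM_PROMISCUOUS
excluded_noise_count() {
    printf '%s\n' "$1" | grep -c -E '^type=(NETFILTER_CFG|ANOM_PROMISCUOUS) '
}

audit_type_counts "$SAMPLE_AUDIT_LOG"
if has_avc_denial "$SAMPLE_AUDIT_LOG"; then
    echo "AVC denial present"
else
    echo "no AVC denials"
fi
echo "records the exclude rules would drop: $(excluded_noise_count "$SAMPLE_AUDIT_LOG")"
```

On a real node the same functions take `$(cat /var/log/audit/audit.log)` as their argument.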
@kikisdeliveryservice kikisdeliveryservice changed the title [release-4.8] templates: Silence audit events from container infra by default [release-4.8] Bug 2011083: templates: Silence audit events from container infra by default Oct 5, 2021
@openshift-ci openshift-ci bot added bugzilla/severity-urgent Referenced Bugzilla bug's severity is urgent for the branch this PR is targeting. bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Oct 5, 2021
@openshift-ci
Contributor

openshift-ci bot commented Oct 5, 2021

@openshift-cherrypick-robot: This pull request references Bugzilla bug 2011083, which is invalid:

  • expected the bug to target the "4.8.z" release, but it targets "---" instead
  • expected Bugzilla bug 2011083 to depend on a bug targeting a release in 4.9.0 and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

[release-4.8] Bug 2011083: templates: Silence audit events from container infra by default

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kikisdeliveryservice
Contributor

/bugzilla refresh

@openshift-ci
Contributor

openshift-ci bot commented Oct 5, 2021

@kikisdeliveryservice: This pull request references Bugzilla bug 2011083, which is invalid:

  • expected Bugzilla bug 2011083 to depend on a bug targeting a release in 4.9.0 and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh


@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 5, 2021
@kikisdeliveryservice
Contributor

Hey Colin,

If you agree this should be backported to 4.8, please LGTM. We'll also need a BZ override as this was fixed in 4.9 without a BZ and 4.10 master already opened so I don't think we should do the BZ dance on this.

/assign @cgwalters

@sdodson sdodson added bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. and removed bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Oct 6, 2021
@cgwalters
Member

Yep, this should be completely safe to backport.
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 6, 2021
@openshift-ci
Contributor

openshift-ci bot commented Oct 6, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cgwalters, kikisdeliveryservice, openshift-cherrypick-robot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [kikisdeliveryservice]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-bot
Contributor

/retest-required

Please review the full test history for this PR and help us cut down flakes.


@sdodson
Member

sdodson commented Oct 6, 2021

/bugzilla refresh

@openshift-ci
Contributor

openshift-ci bot commented Oct 6, 2021

@sdodson: This pull request references Bugzilla bug 2011083, which is valid.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.8.z) matches configured target release for branch (4.8.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 2011087 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
  • dependent Bugzilla bug 2011087 targets the "4.9.0" release, which is one of the valid target releases: 4.9.0
  • bug has dependents

Requesting review from QA contact:
/cc @jianzhangbjz

In response to this:

/bugzilla refresh


@openshift-bot
Contributor

/retest-required

Please review the full test history for this PR and help us cut down flakes.


@openshift-ci
Contributor

openshift-ci bot commented Oct 6, 2021

@openshift-cherrypick-robot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                            Commit   Details  Required  Rerun command
ci/prow/e2e-metal-ipi-ovn-dualstack  e41b6a6  link     false     /test e2e-metal-ipi-ovn-dualstack
ci/prow/e2e-metal-ipi                e41b6a6  link     false     /test e2e-metal-ipi
ci/prow/okd-e2e-upgrade              e41b6a6  link     false     /test okd-e2e-upgrade
ci/prow/okd-e2e-aws                  e41b6a6  link     false     /test okd-e2e-aws
ci/prow/e2e-vsphere-upgrade          e41b6a6  link     false     /test e2e-vsphere-upgrade

Full PR test history. Your PR dashboard.


@sdodson sdodson added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Oct 6, 2021
@sdodson
Member

sdodson commented Oct 6, 2021

/override ci/prow/e2e-azure-upgrade

@openshift-ci
Contributor

openshift-ci bot commented Oct 6, 2021

@sdodson: Overrode contexts on behalf of sdodson: ci/prow/e2e-azure-upgrade

In response to this:

/override ci/prow/e2e-azure-upgrade


@sdodson
Member

sdodson commented Oct 6, 2021

That failure does not appear to be related to this change.

@openshift-merge-robot openshift-merge-robot merged commit 6b3b21b into openshift:release-4.8 Oct 6, 2021
@openshift-ci
Contributor

openshift-ci bot commented Oct 6, 2021

@openshift-cherrypick-robot: All pull requests linked via external trackers have merged:

Bugzilla bug 2011083 has been moved to the MODIFIED state.

In response to this:

[release-4.8] Bug 2011083: templates: Silence audit events from container infra by default
