Expand Up @@ -11,13 +11,6 @@ You can control {microshift-short} audit log file rotation and retention by usin

include::modules/microshift-audit-logs-config-intro.adoc[leveloffset=+1]

// About audit log profiles; OCP module, edit with conditionals and care
include::modules/nodes-nodes-audit-config-about.adoc[leveloffset=+1]

include::modules/microshift-audit-logs-config-proc.adoc[leveloffset=+1]

include::modules/microshift-audit-logs-troubleshoot.adoc[leveloffset=+1]

[id="Additional-resources_audit-log-intro"]
.Additional resources

Expand All @@ -26,3 +19,10 @@ include::modules/microshift-audit-logs-troubleshoot.adoc[leveloffset=+1]
* link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/auditing-the-system_security-hardening#understanding-audit-log-files_auditing-the-system[Understanding Audit log files]

* link:https://access.redhat.com/solutions/1294[How to use logrotate utility to rotate log files (Solutions, dated 7 August 2024)]

// About audit log profiles; OCP module, edit with conditionals and care
include::modules/nodes-nodes-audit-config-about.adoc[leveloffset=+1]

include::modules/microshift-audit-logs-config-proc.adoc[leveloffset=+1]

include::modules/microshift-audit-logs-troubleshoot.adoc[leveloffset=+1]
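
Review bot: moving the three `include::` lines below the `.Additional resources` list leaves that list, whose id is `Additional-resources_audit-log-intro`, in the middle of the assembly, directly after `microshift-audit-logs-config-intro.adoc`. If the links are meant to belong to the intro module only, state that in the commit message, and check the rendered page to confirm the link list does not run into the audit log profiles module that now follows it. The comment `// About audit log profiles; OCP module, edit with conditionals and care` moved together with its include and still sits directly above it, which is correct.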
8 changes: 4 additions & 4 deletions modules/microshift-audit-logs-config-proc.adoc
Expand Up @@ -30,10 +30,10 @@ apiServer:
+
where:

`apiserver.auditLog.maxFileAge`:: Specifies the maximum time in days that log files are kept. Files older than this limit are deleted. In this example, after a log file is more than 7 days old, it is deleted. The files are deleted regardless of whether or not the live log has reached the maximum file size specified in the `maxFileSize` field. File age is determined by the timestamp written in the name of the rotated log file, for example, `audit-2024-05-16T17-03-59.994.log`. When the value is `0`, the limit is disabled.
`apiserver.auditLog.maxFileSize`:: The maximum audit log file size in megabytes. In this example, the file is rotated as soon as the live log reaches the 200 MB limit. When the value is set to `0`, the limit is disabled.
`apiserver.auditLog.maxFiles`:: The maximum number of rotated audit log files retained. After the limit is reached, the log files are deleted in order from oldest to newest. In this example, the value `1` results in only 1 file of size `maxFileSize` being retained in addition to the current active log. When the value is set to `0`, the limit is disabled.
`apiserver.auditLog.profile`:: Logs only metadata for read and write requests; does not log request bodies except for OAuth access token requests. If you do not specify this field, the `Default` profile is used.
`apiServer.auditLog.maxFileAge`:: Specifies the maximum time in days that log files are kept. Files older than this limit are deleted. In this example, after a log file is more than 7 days old, it is deleted. The files are deleted regardless of whether or not the live log has reached the maximum file size specified in the `maxFileSize` field. File age is determined by the timestamp written in the name of the rotated log file, for example, `audit-2024-05-16T17-03-59.994.log`. When the value is `0`, the limit is disabled.
`apiServer.auditLog.maxFileSize`:: The maximum audit log file size in megabytes. In this example, the file is rotated as soon as the live log reaches the 200 MB limit. When the value is set to `0`, the limit is disabled.
`apiServer.auditLog.maxFiles`:: The maximum number of rotated audit log files retained. After the limit is reached, the log files are deleted in order from oldest to newest. In this example, the value `1` results in only 1 file of size `maxFileSize` being retained in addition to the current active log. When the value is set to `0`, the limit is disabled.
`apiServer.auditLog.profile`:: Logs only metadata for read and write requests; does not log request bodies except for OAuth access token requests. If you do not specify this field, the `Default` profile is used.

. Optional: To specify a new directory for logs, you can stop {microshift-short}, and then move the `/var/log/kube-apiserver` directory to your desired location:
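
Review bot: in the `apiServer.auditLog.profile` entry, the text describes the behaviour of one profile ("Logs only metadata for read and write requests; does not log request bodies except for OAuth access token requests") without naming which profile value the example sets, and mentions `Default` only as the fallback. Name the value being described and list or link the other accepted values. The casing change to `apiServer` matches the `apiServer:` key shown in the hunk header. Separately, each of the three limit fields says that `0` disables the limit; a sentence on what happens to disk usage under `/var/log/kube-apiserver` when the limits are disabled would help readers size the audit log storage.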

6 changes: 3 additions & 3 deletions modules/microshift-custom-ca-proc.adoc
Expand Up @@ -43,9 +43,9 @@ apiServer:
+
where:

`apiserver.namedCertificates.certPath`:: Add the full path to the certificate.
`apiserver.namedCertificates.keyPath`:: Add the full path to the certificate key.
`apiserver.namedCertificates.names`:: Optional. Add a list of explicit DNS names. Leading wildcards are allowed. If no names are listed, the implicit names are extracted from the certificates.
`apiServer.namedCertificates.certPath`:: Add the full path to the certificate.
`apiServer.namedCertificates.keyPath`:: Add the full path to the certificate key.
`apiServer.namedCertificates.names`:: Optional. Add a list of explicit DNS names. Leading wildcards are allowed. If no names are listed, the implicit names are extracted from the certificates.

. Restart the {microshift-short} to apply the certificates by running the following command:
+
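
Review bot: the `apiServer.namedCertificates.keyPath` entry says only "Add the full path to the certificate key"; because the next step restarts the service to load it, add a sentence on the ownership and permissions the key file is expected to have, so that readers do not leave it readable by other users. In the `names` entry, "Leading wildcards are allowed" would be clearer with one example value. The context line "Restart the {microshift-short}" has a stray "the" before the attribute; the audit log procedure writes "stop {microshift-short}".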
5 changes: 2 additions & 3 deletions modules/microshift-tls-config-proc.adoc
Expand Up @@ -46,9 +46,8 @@ apiServer:
+
where:

`apiserver.tls.cipherSuites`:: Defaults to the suites of the configured `minVersion`. If `minVersion` is not configured, the default value is TLS 1.2.
`apiserver.tls.<cipher_suite_1>`:: Specify the cipher suites you want to use from the list of supported cipher suites. If you do not configure this list, all of the supported cipher suites are used. All clients connecting to the API server must support the configured cipher suites or the connections fail during the TLS handshake phase. Be sure to add the CA certificate bundle to the list of CA certificates that the TLS client or server trusts.
`apiserver.tls.minVersion`:: Specify `VersionTLS12` or `VersionTLS13`.
`apiServer.tls.cipherSuites`:: Defaults to the suites of the configured `minVersion`. If `minVersion` is not configured, the default value is TLS 1.2. You can specify the cipher suites you want to use from the list of supported cipher suites. All clients connecting to the API server must support the configured cipher suites or the connections fail during the TLS handshake phase. Be sure to add the CA certificate bundle to the list of CA certificates that the TLS client or server trusts.
`apiServer.tls.minVersion`:: Specify `VersionTLS12` or `VersionTLS13`.
+
[IMPORTANT]
====
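
Review bot: the merged `apiServer.tls.cipherSuites` entry drops the sentence "If you do not configure this list, all of the supported cipher suites are used" from the old `<cipher_suite_1>` entry, and the sentence it keeps, "If `minVersion` is not configured, the default value is TLS 1.2", now reads as a default for `cipherSuites` when it describes `minVersion`. Move that sentence to the `apiServer.tls.minVersion` entry, and either restore the dropped default or confirm it was removed on purpose. The closing sentence about adding the CA certificate bundle to the trusted CA list is not about cipher suites and fits better as a separate note.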