OSDOCS-9437: adds audit log config policies MicroShift #75233

Merged
merged 1 commit into from
May 21, 2024

@ShaunaDiaz ShaunaDiaz commented Apr 26, 2024

Version(s):
4.16+

Issue:
OSDOCS-9437

Link to docs preview:
Customizing audit logs

QE review:

  • QE has approved this change.

SME review:

  • SME has approved this change.

Additional information:
Release note

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 26, 2024
@openshift-ci-robot

openshift-ci-robot commented Apr 26, 2024

@ShaunaDiaz: This pull request references OSDOCS-9437 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

Version(s):
4.16+

Issue:
OSDOCS-9437

Link to docs preview:

QE review:

  • QE has approved this change.

Additional information:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Apr 26, 2024
@ShaunaDiaz ShaunaDiaz changed the title OSDOCS-9437: adds custom audit log policies MicroShift [WIP] OSDOCS-9437: adds custom audit log policies MicroShift Apr 26, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 26, 2024
@ShaunaDiaz ShaunaDiaz added this to the Planned for 4.16 GA milestone May 10, 2024
@ShaunaDiaz ShaunaDiaz force-pushed the OSDOCS-9437 branch 3 times, most recently from 5774462 to a1928d8 Compare May 10, 2024 17:13
@openshift-ci openshift-ci bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 10, 2024
@ShaunaDiaz ShaunaDiaz changed the title [WIP] OSDOCS-9437: adds custom audit log policies MicroShift OSDOCS-9437: adds custom audit log policies MicroShift May 13, 2024
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 13, 2024
@ShaunaDiaz
Contributor Author

@kasturinarra Could you also PTAL at this one? TY!

@ShaunaDiaz
Contributor Author

@gangwgr If you want to take a look also?

@gangwgr

gangwgr commented May 14, 2024

@copejon I have one query: the default size is 200Mb,

why is 100Mb shown here?
sudo ls -ltrh /var/log/kube-apiserver/
total 358M
-rw-------. 1 root root 100M May 13 11:51 audit-2024-05-13T15-51-42.132.log
-rw-------. 1 root root 100M May 13 20:41 audit-2024-05-14T00-41-40.725.log
-rw-------. 1 root root 100M May 14 04:30 audit-2024-05-14T08-30-29.480.log
-rw-------. 1 root root 56M May 14 09:24 audit.log
[redhat@dhcp-1-235-245 ~]$ sudo rm audit.log





https://github.com/openshift/openshift-docs/pull/75233/files#diff-5c2cca3b817bccbe26d6a02cd9774a86d959085eaa03f5757817d76fa5573743R21
Added fake logs, it accepted 257Mb
ls -ltrh /var/log/kube-apiserver/
total 559M
-rw-------. 1 root root 100M May 13 11:51 audit-2024-05-13T15-51-42.132.log
-rw-------. 1 root root 100M May 13 20:41 audit-2024-05-14T00-41-40.725.log
-rw-------. 1 root root 100M May 14 04:30 audit-2024-05-14T08-30-29.480.log
-rw-------. 1 root root 257M May 14 09:31 audit-2024-05-14T13-32-11.567.log
-rw-------. 1 root root 1.1M May 14 09:33 audit.log

@gangwgr

gangwgr commented May 15, 2024

@copejon I see in the doc for writeRequestBodies that we only log for (create, update, patch, delete, deletecollection), not for "verb":"get|list|watch"
In addition to logging metadata for all requests, logs request bodies for every write request to the API servers (create, update, patch, delete, deletecollection). This profile has more resource overhead than the Default profile. [1]

I see some logs on 4.16.0~rc.1 while doing regression testing
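
The expectation raised in the comment above (bodies logged only for write verbs under the WriteRequestBodies profile) can be checked directly against an audit log. This is an added example, not part of the original thread or the MicroShift documentation; it relies on the standard Kubernetes audit event fields `verb`, `level`, `requestObject` and `responseObject`, and the function name and sample events are constructed for illustration.

```python
import json

READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# Constructed sample events (not taken from the thread); the last line is cut
# short the way the tail of an actively written audit.log can be.
SAMPLE_AUDIT_LOG = "\n".join([
    '{"kind":"Event","level":"Metadata","auditID":"constructed-1","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/pods"}',
    '{"kind":"Event","level":"RequestResponse","auditID":"constructed-2","stage":"ResponseComplete","verb":"create","requestURI":"/api/v1/namespaces/demo/configmaps","requestObject":{"kind":"ConfigMap"}}',
    '{"kind":"Event","level":"RequestResponse","auditID":"constructed-3","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/namespaces/demo/configmaps/a","responseObject":{"kind":"ConfigMap"}}',
    '{"kind":"Event","level":"Metadata","auditID":"constructed-4","stage":"ResponseComplete","verb":"watch","requestURI":"/api/v1/nodes?watch=true"}',
    '{"kind":"Event","level":"Metadata","auditID":"constructed-5","verb":"ge',
])


def check_write_request_bodies(lines):
    """Summarise which audit events carry bodies, split by read/write verb.

    Returns the auditIDs of read-verb events that carry a body or are logged
    above the Metadata level, the count of write-verb events that carry a
    body, and the count of lines that are not a complete JSON event.
    """
    report = {"read_with_body": [], "write_with_body": 0, "unparseable": 0}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            report["unparseable"] += 1
            continue
        if not isinstance(event, dict):
            report["unparseable"] += 1
            continue
        verb = event.get("verb")
        has_body = "requestObject" in event or "responseObject" in event
        above_metadata = event.get("level") not in (None, "Metadata")
        if verb in READ_VERBS and (has_body or above_metadata):
            report["read_with_body"].append(event.get("auditID"))
        elif verb in WRITE_VERBS and has_body:
            report["write_with_body"] += 1
    return report


if __name__ == "__main__":
    print(check_write_request_bodies(SAMPLE_AUDIT_LOG.splitlines()))
```

Write events without a body are deliberately not flagged, because a delete can have an empty request body and a policy may hold some resources at the Metadata level.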

@copejon
Contributor

copejon commented May 15, 2024

Thanks @gangwgr I'll check it out

Contributor

@copejon copejon left a comment

Just a few notes, otherwise looks good!

Review threads (outdated, resolved):
_topic_maps/_topic_map_ms.yml
modules/microshift-audit-logs-config-intro.adoc
modules/microshift-audit-logs-config-proc.adoc (3 threads)
@ShaunaDiaz ShaunaDiaz force-pushed the OSDOCS-9437 branch 2 times, most recently from e7894a4 to 4218cdd Compare May 17, 2024 14:31
@copejon
Contributor

copejon commented May 17, 2024

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label May 17, 2024
@openshift-ci-robot

openshift-ci-robot commented May 17, 2024

@ShaunaDiaz: This pull request references OSDOCS-9437 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.17.0" version, but no target version was set.

In response to this:

Version(s):
4.16+

Issue:
OSDOCS-9437

Link to docs preview:
Customizing audit logs

QE review:

  • QE has approved this change.

SME review:

  • SME has approved this change.

Additional information:
Release note

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@gangwgr

gangwgr commented May 20, 2024

From the doc side we are OK; only the bug is left, and @copejon is working on it.
/lgtm

@ShaunaDiaz
Contributor Author

/label peer-review-needed

@openshift-ci openshift-ci bot added the peer-review-needed Signifies that the peer review team needs to review this PR label May 20, 2024
@agantony
Contributor

/label peer-review-in-progress

@openshift-ci openshift-ci bot added the peer-review-in-progress Signifies that the peer review team is reviewing this PR label May 20, 2024
Contributor

@agantony agantony left a comment

Added a few comments for your consideration; overall lgtm!

Review threads (outdated, resolved):
microshift_configuring/microshift-audit-logs-config.adoc
modules/microshift-audit-logs-config-intro.adoc (3 threads)
modules/microshift-audit-logs-config-proc.adoc
modules/microshift-config-yaml.adoc
modules/nodes-nodes-audit-config-about.adoc (4 threads)
@agantony
Contributor

/remove-label peer-review-in-progress
/remove-label peer-review-needed
/label peer-review-done

@openshift-ci openshift-ci bot added peer-review-done Signifies that the peer review team has reviewed this PR and removed peer-review-in-progress Signifies that the peer review team is reviewing this PR peer-review-needed Signifies that the peer review team needs to review this PR labels May 20, 2024
@ShaunaDiaz
Contributor Author

@agantony Great review, thanks!

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label May 20, 2024

openshift-ci bot commented May 20, 2024

New changes are detected. LGTM label has been removed.


openshift-ci bot commented May 21, 2024

@ShaunaDiaz: all tests passed!

@ShaunaDiaz ShaunaDiaz merged commit 5880156 into openshift:main May 21, 2024
3 checks passed
@ShaunaDiaz
Contributor Author

/cherrypick enterprise-4.16

@openshift-cherrypick-robot

@ShaunaDiaz: new pull request created: #76288

In response to this:

/cherrypick enterprise-4.16

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@ShaunaDiaz ShaunaDiaz changed the title OSDOCS-9437: adds custom audit log policies MicroShift OSDOCS-9437: adds audit log config policies MicroShift May 21, 2024