mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00

OSDOCS-1801: Adding new audit policy options

This commit is contained in:
Andrea Hoffer
2021-08-25 15:49:44 -04:00
committed by openshift-cherrypick-robot
parent 0cc99e8426
commit d32e2b2632
5 changed files with 175 additions and 11 deletions

View File

@@ -9,7 +9,7 @@ Audit log profiles define how to log requests that come to the OpenShift API ser
{product-title} provides the following predefined audit policy profiles:
[cols="1,2",options="header"]
[cols="1,2a",options="header"]
|===
|Profile
|Description
@@ -22,6 +22,15 @@ Audit log profiles define how to log requests that come to the OpenShift API ser
|`AllRequestBodies`
|In addition to logging metadata for all requests, logs request bodies for every read and write request to the API servers (`get`, `list`, `create`, `update`, `patch`). This profile has the most resource overhead. ^[1]^
|`None`
|No requests are logged; even OAuth access token requests and OAuth authorize token requests are not logged.
[WARNING]
====
It is not recommended to disable audit logging by using the `None` profile unless you are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. If you disable audit logging and a support situation arises, you might need to enable audit logging and reproduce the issue in order to troubleshoot properly.
====
|===
[.small]
--
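Review bot: the warning text in the new `None` row is repeated word for word in the three other files touched by this commit (custom-rules module, disable module, policy module); pull it into a shared snippet or attribute so the wording cannot drift between the four copies. The `[cols="1,2a"]` change is what lets the `[WARNING]` block render inside the description cell, but it also turns the `AllRequestBodies` cell, which carries the `^[1]^` footnote reference, into an AsciiDoc-styled cell, so check that the footnote still renders as before.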

View File

@@ -0,0 +1,73 @@
// Module included in the following assemblies:
//
// * security/audit-log-policy-config.adoc
[id="configuring-audit-policy-custom_{context}"]
= Configuring the audit log policy with custom rules
You can configure an audit log policy that defines custom rules. You can specify multiple groups and define which profile to use for that group.
These custom rules take precedence over the top-level profile field. The custom rules are evaluated from top to bottom, and the first that matches is applied.
.Prerequisites
* You have access to the cluster as a user with the `cluster-admin` role.
.Procedure
. Edit the `APIServer` resource:
+
[source,terminal]
----
$ oc edit apiserver cluster
----
. Add the `spec.audit.customRules` field:
+
[source,yaml]
----
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
...
spec:
audit:
customRules: <1>
- group: system:authenticated:oauth
profile: WriteRequestBodies
- group: system:authenticated
profile: AllRequestBodies
profile: Default <2>
----
<1> Add one or more groups and specify the profile to use for that group. These custom rules take precedence over the top-level profile field. The custom rules are evaluated from top to bottom, and the first that matches is applied.
<2> Set to `Default`, `WriteRequestBodies`, `AllRequestBodies`, or `None`. If you do not set this top-level `audit.profile` field, it defaults to the `Default` profile.
+
[WARNING]
====
It is not recommended to disable audit logging by using the `None` profile unless you are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. If you disable audit logging and a support situation arises, you might need to enable audit logging and reproduce the issue in order to troubleshoot properly.
====
. Save the file to apply the changes.
.Verification
* Verify that a new revision of the Kubernetes API server pods is rolled out. It can take several minutes for all nodes to update to the new revision.
+
[source,terminal]
----
$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}{.reason}{"\n"}{.message}{"\n"}'
----
+
Review the `NodeInstallerProgressing` status condition for the Kubernetes API server to verify that all nodes are at the latest revision. The output shows `AllNodesAtLatestRevision` upon successful update:
+
[source,terminal]
----
AllNodesAtLatestRevision
3 nodes are at revision 12 <1>
----
<1> In this example, the latest revision number is `12`.
+
If the output shows a message similar to one of the following messages, the update is still in progress. Wait a few minutes and try again.
** `3 nodes are at revision 11; 0 nodes have achieved new revision 12`
** `2 nodes are at revision 11; 1 nodes are at revision 12`
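Review bot: callout `<1>` repeats the introductory paragraph ("These custom rules take precedence... the first that matches is applied") verbatim; keep it in one place. More importantly, because the first matching rule wins, rule order in `customRules` is significant and the example silently depends on it: a request from a user who belongs to both `system:authenticated:oauth` and `system:authenticated` is logged with `WriteRequestBodies` only because the more specific group is listed first. Say so explicitly in the callout, for example "List more specific groups before broader ones, because only the first matching rule is applied." Also, since a custom rule may set `profile: None`, the warning above should note that it applies equally to disabling logging for a single group. Finally, the module id `configuring-audit-policy-custom_{context}` does not match the file name `nodes-nodes-audit-policy-custom.adoc` used in the assembly; align the id with the existing module's naming.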

View File

@@ -0,0 +1,69 @@
// Module included in the following assemblies:
//
// * security/audit-log-policy-config.adoc
[id="configuring-audit-policy-disable_{context}"]
= Disabling audit logging
You can disable audit logging for {product-title}. When you disable audit logging, even OAuth access token requests and OAuth authorize token requests are not logged.
[WARNING]
====
It is not recommended to disable audit logging by using the `None` profile unless you are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. If you disable audit logging and a support situation arises, you might need to enable audit logging and reproduce the issue in order to troubleshoot properly.
====
.Prerequisites
* You have access to the cluster as a user with the `cluster-admin` role.
.Procedure
. Edit the `APIServer` resource:
+
[source,terminal]
----
$ oc edit apiserver cluster
----
. Set the `spec.audit.profile` field to `None`:
+
[source,yaml]
----
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
...
spec:
audit:
profile: None
----
+
[NOTE]
====
You can also disable audit logging only for specific groups by specifying custom rules in the `spec.audit.customRules` field.
====
. Save the file to apply the changes.
.Verification
* Verify that a new revision of the Kubernetes API server pods is rolled out. It can take several minutes for all nodes to update to the new revision.
+
[source,terminal]
----
$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}{.reason}{"\n"}{.message}{"\n"}'
----
+
Review the `NodeInstallerProgressing` status condition for the Kubernetes API server to verify that all nodes are at the latest revision. The output shows `AllNodesAtLatestRevision` upon successful update:
+
[source,terminal]
----
AllNodesAtLatestRevision
3 nodes are at revision 12 <1>
----
<1> In this example, the latest revision number is `12`.
+
If the output shows a message similar to one of the following messages, the update is still in progress. Wait a few minutes and try again.
** `3 nodes are at revision 11; 0 nodes have achieved new revision 12`
** `2 nodes are at revision 11; 1 nodes are at revision 12`
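Review bot: the `[NOTE]` after step 2 points readers to `spec.audit.customRules` for disabling logging per group, but the warning at the top only mentions the top-level `None` profile; a custom rule with `profile: None` leaves that group's requests unlogged in exactly the same way, so extend the note (or the warning) to say that the same caution applies. The `.Verification` block, including the sample output and the two "still in progress" messages, is copied verbatim from the custom-rules module and the existing policy module; a shared snippet would keep the three in step. Same id/file-name mismatch as the custom-rules module: `configuring-audit-policy-disable_{context}` vs `nodes-nodes-audit-policy-disable.adoc`.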

View File

@@ -24,19 +24,26 @@ $ oc edit apiserver cluster
+
[source,yaml]
----
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
...
spec:
audit:
profile: WriteRequestBodies <1>
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
...
spec:
audit:
profile: WriteRequestBodies <1>
----
<1> Set to `Default`, `WriteRequestBodies`, or `AllRequestBodies`. The default profile is `Default`.
<1> Set to `Default`, `WriteRequestBodies`, `AllRequestBodies`, or `None`. The default profile is `Default`.
+
[WARNING]
====
It is not recommended to disable audit logging by using the `None` profile unless you are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. If you disable audit logging and a support situation arises, you might need to enable audit logging and reproduce the issue in order to troubleshoot properly.
====
. Save the file to apply the changes.
. Verify that a new revision of the Kubernetes API server pods has rolled out. This will take several minutes.
.Verification
* Verify that a new revision of the Kubernetes API server pods is rolled out. It can take several minutes for all nodes to update to the new revision.
+
[source,terminal]
----
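Review bot: the YAML block from `apiVersion: config.openshift.io/v1` through `profile: WriteRequestBodies <1>` is removed and re-added with no visible content difference, so this is presumably an indentation or trailing-whitespace change; confirm it is intentional, otherwise drop it so the hunk is limited to adding `None` to callout `<1>`, the new `[WARNING]`, and moving the "Verify that a new revision..." step into its own `.Verification` section. If the whitespace change is deliberate, mention it in the commit message so the reviewer knows what to look for.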
@@ -52,7 +59,7 @@ AllNodesAtLatestRevision
----
<1> In this example, the latest revision number is `12`.
+
If the output shows a message similar to one of the following, this means that the update is still in progress. Wait a few minutes and try again.
If the output shows a message similar to one of the following messages, the update is still in progress. Wait a few minutes and try again.
** `3 nodes are at revision 11; 0 nodes have achieved new revision 12`
** `2 nodes are at revision 11; 1 nodes are at revision 12`

View File

@@ -12,3 +12,9 @@ include::modules/nodes-nodes-audit-config-about.adoc[leveloffset=+1]
// Configuring the audit log policy
include::modules/nodes-nodes-audit-policy.adoc[leveloffset=+1]
// Configuring the audit log policy with custom rules
include::modules/nodes-nodes-audit-policy-custom.adoc[leveloffset=+1]
// Disabling audit logging
include::modules/nodes-nodes-audit-policy-disable.adoc[leveloffset=+1]