diff --git a/modules/nodes-nodes-audit-config-about.adoc b/modules/nodes-nodes-audit-config-about.adoc index ec171d91ee..5e3be6f987 100644 --- a/modules/nodes-nodes-audit-config-about.adoc +++ b/modules/nodes-nodes-audit-config-about.adoc @@ -9,7 +9,7 @@ Audit log profiles define how to log requests that come to the OpenShift API ser {product-title} provides the following predefined audit policy profiles: -[cols="1,2",options="header"] +[cols="1,2a",options="header"] |=== |Profile |Description @@ -22,6 +22,15 @@ Audit log profiles define how to log requests that come to the OpenShift API ser |`AllRequestBodies` |In addition to logging metadata for all requests, logs request bodies for every read and write request to the API servers (`get`, `list`, `create`, `update`, `patch`). This profile has the most resource overhead. ^[1]^ + +|`None` +|No requests are logged; even OAuth access token requests and OAuth authorize token requests are not logged. + +[WARNING] +==== +It is not recommended to disable audit logging by using the `None` profile unless you are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. If you disable audit logging and a support situation arises, you might need to enable audit logging and reproduce the issue in order to troubleshoot properly. +==== + |=== [.small] -- diff --git a/modules/nodes-nodes-audit-policy-custom.adoc b/modules/nodes-nodes-audit-policy-custom.adoc new file mode 100644 index 0000000000..42b6fe2c4b --- /dev/null +++ b/modules/nodes-nodes-audit-policy-custom.adoc 
@@ -0,0 +1,73 @@ +// Module included in the following assemblies: +// +// * security/audit-log-policy-config.adoc + +[id="configuring-audit-policy-custom_{context}"] += Configuring the audit log policy with custom rules + +You can configure an audit log policy that defines custom rules. You can specify multiple groups and define which profile to use for that group. + +These custom rules take precedence over the top-level profile field. The custom rules are evaluated from top to bottom, and the first that matches is applied. + +.Prerequisites + +* You have access to the cluster as a user with the `cluster-admin` role. + +.Procedure + +. Edit the `APIServer` resource: ++ +[source,terminal] +---- +$ oc edit apiserver cluster +---- + +. Add the `spec.audit.customRules` field: ++ +[source,yaml] +---- +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: +... +spec: + audit: + customRules: <1> + - group: system:authenticated:oauth + profile: WriteRequestBodies + - group: system:authenticated + profile: AllRequestBodies + profile: Default <2> +---- +<1> Add one or more groups and specify the profile to use for that group. These custom rules take precedence over the top-level profile field. The custom rules are evaluated from top to bottom, and the first that matches is applied. +<2> Set to `Default`, `WriteRequestBodies`, `AllRequestBodies`, or `None`. If you do not set this top-level `audit.profile` field, it defaults to the `Default` profile. ++ +[WARNING] +==== +It is not recommended to disable audit logging by using the `None` profile unless you are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. If you disable audit logging and a support situation arises, you might need to enable audit logging and reproduce the issue in order to troubleshoot properly. +==== + +. Save the file to apply the changes. + +.Verification + +* Verify that a new revision of the Kubernetes API server pods is rolled out. 
It can take several minutes for all nodes to update to the new revision. ++ +[source,terminal] +---- +$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}{.reason}{"\n"}{.message}{"\n"}' +---- ++ +Review the `NodeInstallerProgressing` status condition for the Kubernetes API server to verify that all nodes are at the latest revision. The output shows `AllNodesAtLatestRevision` upon successful update: ++ +[source,terminal] +---- +AllNodesAtLatestRevision +3 nodes are at revision 12 <1> +---- +<1> In this example, the latest revision number is `12`. ++ +If the output shows a message similar to one of the following messages, the update is still in progress. Wait a few minutes and try again. + +** `3 nodes are at revision 11; 0 nodes have achieved new revision 12` +** `2 nodes are at revision 11; 1 nodes are at revision 12` diff --git a/modules/nodes-nodes-audit-policy-disable.adoc b/modules/nodes-nodes-audit-policy-disable.adoc new file mode 100644 index 0000000000..36708f442c --- /dev/null +++ b/modules/nodes-nodes-audit-policy-disable.adoc 
@@ -0,0 +1,69 @@ +// Module included in the following assemblies: +// +// * security/audit-log-policy-config.adoc + +[id="configuring-audit-policy-disable_{context}"] += Disabling audit logging + +You can disable audit logging for {product-title}. When you disable audit logging, even OAuth access token requests and OAuth authorize token requests are not logged. + +[WARNING] +==== +It is not recommended to disable audit logging by using the `None` profile unless you are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. If you disable audit logging and a support situation arises, you might need to enable audit logging and reproduce the issue in order to troubleshoot properly. +==== + +.Prerequisites + +* You have access to the cluster as a user with the `cluster-admin` role. + +.Procedure + +. Edit the `APIServer` resource: ++ +[source,terminal] +---- +$ oc edit apiserver cluster +---- + +. Set the `spec.audit.profile` field to `None`: ++ +[source,yaml] +---- +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: +... +spec: + audit: + profile: None +---- ++ +[NOTE] +==== +You can also disable audit logging only for specific groups by specifying custom rules in the `spec.audit.customRules` field. +==== + +. Save the file to apply the changes. + +.Verification + +* Verify that a new revision of the Kubernetes API server pods is rolled out. It can take several minutes for all nodes to update to the new revision. ++ +[source,terminal] +---- +$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}{.reason}{"\n"}{.message}{"\n"}' +---- ++ +Review the `NodeInstallerProgressing` status condition for the Kubernetes API server to verify that all nodes are at the latest revision. 
The output shows `AllNodesAtLatestRevision` upon successful update: ++ +[source,terminal] +---- +AllNodesAtLatestRevision +3 nodes are at revision 12 <1> +---- +<1> In this example, the latest revision number is `12`. ++ +If the output shows a message similar to one of the following messages, the update is still in progress. Wait a few minutes and try again. + +** `3 nodes are at revision 11; 0 nodes have achieved new revision 12` +** `2 nodes are at revision 11; 1 nodes are at revision 12` diff --git a/modules/nodes-nodes-audit-policy.adoc b/modules/nodes-nodes-audit-policy.adoc index 1f3c7a8103..fd5ee82fdb 100644 --- a/modules/nodes-nodes-audit-policy.adoc +++ b/modules/nodes-nodes-audit-policy.adoc @@ -24,19 +24,26 @@ $ oc edit apiserver cluster + [source,yaml] ---- - apiVersion: config.openshift.io/v1 - kind: APIServer - metadata: - ... - spec: - audit: - profile: WriteRequestBodies <1> +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: +... +spec: + audit: + profile: WriteRequestBodies <1> ---- -<1> Set to `Default`, `WriteRequestBodies`, or `AllRequestBodies`. The default profile is `Default`. +<1> Set to `Default`, `WriteRequestBodies`, `AllRequestBodies`, or `None`. The default profile is `Default`. ++ +[WARNING] +==== +It is not recommended to disable audit logging by using the `None` profile unless you are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. If you disable audit logging and a support situation arises, you might need to enable audit logging and reproduce the issue in order to troubleshoot properly. +==== . Save the file to apply the changes. -. Verify that a new revision of the Kubernetes API server pods has rolled out. This will take several minutes. +.Verification + +* Verify that a new revision of the Kubernetes API server pods is rolled out. It can take several minutes for all nodes to update to the new revision. + [source,terminal] ---- 
@@ -52,7 +59,7 @@ AllNodesAtLatestRevision ---- <1> In this example, the latest revision number is `12`. + -If the output shows a message similar to one of the following, this means that the update is still in progress. Wait a few minutes and try again. +If the output shows a message similar to one of the following messages, the update is still in progress. Wait a few minutes and try again. ** `3 nodes are at revision 11; 0 nodes have achieved new revision 12` ** `2 nodes are at revision 11; 1 nodes are at revision 12` diff --git a/security/audit-log-policy-config.adoc b/security/audit-log-policy-config.adoc index b5140dfc8c..42e08791c5 100644 --- a/security/audit-log-policy-config.adoc +++ b/security/audit-log-policy-config.adoc @@ -12,3 +12,9 @@ include::modules/nodes-nodes-audit-config-about.adoc[leveloffset=+1] // Configuring the audit log policy include::modules/nodes-nodes-audit-policy.adoc[leveloffset=+1] + +// Configuring the audit log policy with custom rules +include::modules/nodes-nodes-audit-policy-custom.adoc[leveloffset=+1] + +// Disabling audit logging +include::modules/nodes-nodes-audit-policy-disable.adoc[leveloffset=+1]
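Review bot: The WARNING about the `None` profile is pasted verbatim into four places (the profile table in nodes-nodes-audit-config-about.adoc, nodes-nodes-audit-policy.adoc, nodes-nodes-audit-policy-custom.adoc and nodes-nodes-audit-policy-disable.adoc); put it in one snippet that each module includes so the four copies cannot drift the next time the wording is touched. While it is being factored out, the warning should say what is actually lost, not only that troubleshooting gets harder: the new `None` row in the table itself states that not even OAuth access token and OAuth authorize token requests are logged, so with `None` there is no API-server record of who authenticated or what they changed, which is the point a security or compliance reader needs before flipping it. The `cols="1,2a"` change is needed for the admonition block to render inside the table cell; a short source comment saying why the `a` is there would stop a later edit reverting it to `1,2`.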
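Review bot: Callout <1> in nodes-nodes-audit-policy-custom.adoc should spell out that rule order is security-relevant, because "the first that matches is applied": a user who is a member of both `system:authenticated:oauth` and `system:authenticated` gets `WriteRequestBodies` in the example only because the more specific group is listed first, and swapping the two entries would silently apply the `system:authenticated` rule (`AllRequestBodies` here, or `None` if someone uses it) to that user instead. Suggested wording: "List more specific groups before broader ones. If a broad group such as `system:authenticated` appears first, later rules for its members never match." The callout also repeats the module's two intro sentences ("These custom rules take precedence over the top-level profile field. The custom rules are evaluated from top to bottom, and the first that matches is applied.") word for word; keep them in one place.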
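Review bot: nodes-nodes-audit-policy-disable.adoc never says how `spec.audit.profile: None` interacts with an existing `spec.audit.customRules` list, yet its NOTE points the reader at custom rules as the way to disable logging per group. The custom-rules module says custom rules take precedence over the top-level profile, so a reader could reasonably conclude that `profile: None` plus a leftover `customRules` entry still logs that group, or the opposite; state explicitly which it is, and if the intent of this procedure is to turn audit logging off entirely, tell the reader to remove any `customRules` entries rather than leaving the precedence question open. The Verification block here is also the third verbatim copy of the one in nodes-nodes-audit-policy.adoc; the same include-snippet treatment as the WARNING applies.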