
[Audit log policy profiles] Could you add a profile or other mechanism to disable audit logging (cluster-kube-apiserver-operator issue, 12 comments, closed)

openshift commented on June 17, 2024
[Audit log policy profiles] Could you add a profile or other mechanism to disable audit logging

from cluster-kube-apiserver-operator.

Comments (12)

Sifa171 commented on June 17, 2024

@sttts the RFE doesn't sound like an on/off switch for audit logging.
Would it be possible to implement a profile which turns off audit logging completely?
Thanks in advance!


sttts commented on June 17, 2024

We will implement https://issues.redhat.com/browse/RFE-1448. That should solve the problem.


dcdh commented on June 17, 2024

@sttts many thanks for having created an evolution to add a less verbose custom profile by implementing a user requests profile.

I've got a question regarding how it works.

I've noticed that the k8s audit log policies are defined here https://github.com/openshift/library-go/blob/master/pkg/operator/apiserver/audit/manifests/audit-policies-cm.yaml as a config map.

Is it possible to manually define a custom k8s policy as a config map and reference it in the spec.audit.profile, like defined here https://docs.openshift.com/container-platform/4.6/security/audit-log-policy-config.html ?


dcdh commented on June 17, 2024

Like @Sifa171 said, I do not think that the RFE will respond to this request.

I am using the Default profile, which only logs metadata (Metadata level?): "Logs only metadata for read and write requests; does not log request bodies. This is the default policy."

I produce as many logs as in my first comment. My IO and CPU usage stay high.

With your new UserRequests audit policy, it will keep metadata and add the user request level on user requests. Thus, the size will increase a lot, and IO and CPU usage will stay high.

Could you define a mechanism to allow a devops to define by himself the Audit Policy to apply (for example, defining a custom ConfigMap using a specific annotation or label ...), or (if you do not want to give so much power) maybe only a User request profile without metadata, or a policy to disable all auditing, ...?

Okd version: 4.6.0-0.okd-2021-02-14-205305


dcdh commented on June 17, 2024

I reply to myself regarding adding a custom policy.
oc refuses to validate another profile name because an enum is used for defining the type of audit profile.
https://github.com/openshift/api/blob/bb81baaf35cde6491ce29f0379815cad3e3d0948/config/v1/types_apiserver.go#L62


dcdh commented on June 17, 2024

Audit is defined here https://github.com/openshift/enhancements/blob/master/enhancements/kube-apiserver/audit-policy.md


dcdh commented on June 17, 2024

@sttts After digging, I think that two audit mechanisms are running in parallel.

One from openshift-kube-api-server and another one from openshift-apiserver.

Your audit log policies Default, WriteRequestBodies and AllRequestBodies apply to openshift-apiserver and produce logs in /var/log/openshift-apiserver/. The Default profile is fine because it does not produce a lot of logs (4MB after 2h30 running).

However, regarding openshift-kube-api-server, a lot of logs are produced in /var/log/kube-apiserver/ (650MB after 2h30 running).
The pod kube-apiserver-control-plane-0 in openshift-kube-apiserver is set up to produce audit logs.
I did not understand how to manage custom configuration from this sentence: "observed config (compare observed values above) spec.spec.unsupportedConfigOverrides from the kubeapiserveroperatorconfig." in cluster-kube-apiserver-operator.

So, why are two audit mechanisms running together? Is it recommended to disable the audit produced by openshift-kube-api-server, and how to do it? (I did not find a way to do it.) I tried to manage it from the kube-apiserver-operator-xxxxxx pod in the openshift-kube-apiserver-operator namespace without finding how to do it.

Okd version: 4.6.0-0.okd-2021-02-14-205305

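Before switching the kube-apiserver audit log off, a practitioner would first want to know which requests are filling the 650MB, since the answer decides whether a narrower policy would do. The script below is an added example, not code from this issue or from the operator: it parses kube-apiserver audit events in their JSON-lines form (the field names are the standard audit.k8s.io/v1 ones; the sample lines are constructed) and ranks (verb, resource, user, level) combinations by bytes written, plus the share of read-only events.

```python
import json
from collections import defaultdict
READ_ONLY_VERBS = {"get", "list", "watch"}

def _event(verb, resource, username, level="Metadata", code=200):
    """One constructed audit event carrying only the fields this script reads."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": level,
                       "stage": "ResponseComplete", "verb": verb, "user": {"username": username},
                       "objectRef": {"resource": resource, "namespace": "openshift-kube-apiserver"},
                       "responseStatus": {"code": code}})

# Constructed sample in the JSON-lines shape kube-apiserver writes to audit.log.
SAMPLE_AUDIT_LOG = "\n".join([
    _event("get", "configmaps", "system:node:control-plane-0"),
    _event("get", "configmaps", "system:node:control-plane-0"),
    _event("list", "pods", "system:serviceaccount:openshift-monitoring:prometheus-k8s"),
    _event("watch", "endpoints", "system:kube-controller-manager"),
    _event("create", "secrets", "kube:admin", code=201),
    _event("update", "deployments", "system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator"),
])

def summarize_audit_log(text):
    """Per (verb, resource, username, level): event count and bytes; also counts unparsable lines."""
    summary = defaultdict(lambda: {"events": 0, "bytes": 0})
    unparsable = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:  # truncated or partially written line: count it, keep going
            unparsable += 1
            continue
        key = (ev.get("verb", "<none>"), (ev.get("objectRef") or {}).get("resource", "<none>"),
               (ev.get("user") or {}).get("username", "<none>"), ev.get("level", "<none>"))
        summary[key]["events"] += 1
        summary[key]["bytes"] += len(line.encode("utf-8")) + 1  # +1 for the newline on disk
    return dict(summary), unparsable

def top_sources(text, n=5):
    """The n keys consuming the most log bytes, largest first."""
    ranked = sorted(summarize_audit_log(text)[0].items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [(key, v["events"], v["bytes"]) for key, v in ranked[:n]]

def read_only_share(text):
    """Fraction of events that are get/list/watch, i.e. what a policy could set to level None while still auditing writes."""
    summary, _ = summarize_audit_log(text)
    total = sum(v["events"] for v in summary.values())
    read_only = sum(v["events"] for k, v in summary.items() if k[0] in READ_ONLY_VERBS)
    return read_only / total if total else 0.0
```

Run it against a real /var/log/kube-apiserver/audit.log by passing the file contents to top_sources; the byte totals per key show directly which principals and verbs to target in a policy before resorting to audit-log-path: [].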

dcdh commented on June 17, 2024

I managed to stop logging in /var/log/kube-apiserver by

  1. execute oc patch kubeapiserver cluster --type=merge -p '{"spec":{"unsupportedConfigOverrides":{"apiServerArguments":{"audit-log-path":[]}}}}'
  2. reboot node

Regards,

Damien


openshift-bot commented on June 17, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale


openshift-bot commented on June 17, 2024

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale


openshift-bot commented on June 17, 2024

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close


openshift-ci commented on June 17, 2024

@openshift-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

