Comments (12)
@sttts the RFE doesn't sound like an on/off switch for audit logging.
Would it be possible to implement a profile which turns off audit logging completely?
Thanks in advance!
from cluster-kube-apiserver-operator.
We will implement https://issues.redhat.com/browse/RFE-1448. That should solve the problem.
@sttts many thanks for having created an evolution to add a less verbose custom profile by implementing a user requests profile.
I've got a question regarding how it works.
I've noticed that k8s audit log policies are defined here https://github.com/openshift/library-go/blob/master/pkg/operator/apiserver/audit/manifests/audit-policies-cm.yaml as a config map.
Is it possible to manually define a custom k8s policy as a config map and reference it in `spec.audit.profile` like defined here https://docs.openshift.com/container-platform/4.6/security/audit-log-policy-config.html ?
Like @Sifa171 said, I do not think that the RFE will respond to this request.
I am using the `Default` profile, which only logs metadata (metadata level?): "Logs only metadata for read and write requests; does not log request bodies. This is the default policy."
I produce as many logs as in my first comment. My IO and CPU usage stay high.
With your new `UserRequests` audit policy it will keep metadata and add request level on user requests. Thus, size will increase a lot, and IO and CPU usage will stay high.
Could you define a mechanism to allow a devops to define by themselves the Audit Policy to apply (for example, defining a custom ConfigMap using a specific annotation or label ...), or (if you do not want to give so much power) maybe only a User request without metadata, or a policy to disable all auditing, ...?
Okd version: 4.6.0-0.okd-2021-02-14-205305
I reply to myself regarding adding a custom policy.
`oc` refuses to validate another profile name because an enum is used for defining the type of audit profile:
https://github.com/openshift/api/blob/bb81baaf35cde6491ce29f0379815cad3e3d0948/config/v1/types_apiserver.go#L62
Audit is defined here https://github.com/openshift/enhancements/blob/master/enhancements/kube-apiserver/audit-policy.md
@sttts After digging I think that two audit mechanisms are running in parallel.
One from `openshift-kube-api-server` and another one from `openshift-apiserver`.
Your audit log policies `Default`, `WriteRequestBodies` and `AllRequestBodies` apply to `openshift-apiserver` and produce logs into `/var/log/openshift-apiserver/`. The Default profile is fine because it does not produce a lot of log (4MB after 2h30 running).
However, regarding `openshift-kube-api-server`, a lot of logs are produced into `/var/log/kube-apiserver/` (650MB after 2h30 running).
The pod `kube-apiserver-control-plane-0` in `openshift-kube-apiserver` is set up to produce audit logs.
I did not understand how to manage custom configuration from this sentence in cluster-kube-apiserver-operator: "observed config (compare observed values above) spec.spec.unsupportedConfigOverrides from the kubeapiserveroperatorconfig."
So, why are two audit mechanisms running together? Is it recommended to disable the audit produced by `openshift-kube-api-server`, and how to do it? (I did not find a way to do it.) I tried to manage it from the `kube-apiserver-operator-xxxxxx` pod in the `openshift-kube-apiserver-operator` namespace without finding how to do it.
Okd version: 4.6.0-0.okd-2021-02-14-205305
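The comments above argue about volume (metadata for every request versus request bodies only for user-initiated calls, or nothing at all) without a way to quantify it before changing the cluster. The block below is an added example, not code from cluster-kube-apiserver-operator nor the manifests in library-go: it replays a constructed traffic mix through three simplified policies written in the audit.k8s.io/v1 Policy shape and counts what each would keep. Everything in it is an assumption for illustration: `POLICY_DEFAULT_LIKE`, `POLICY_USER_REQUESTS_ONLY` and `POLICY_OFF` are stand-ins for the profiles discussed, not the real OpenShift manifests; `METADATA_BYTES`, the user names and the request counts are made up.

```python
"""Replay constructed API requests through Kubernetes-style audit policies and
count the audit events (and rough bytes) each policy would keep.

Added example: not code from cluster-kube-apiserver-operator. The policies are
assumed, simplified stand-ins for the thread's Default / "user requests" / off
profiles, not the real OpenShift manifests. Sample requests are constructed.
"""
STAGES = ("RequestReceived", "ResponseComplete")  # ResponseStarted (long-running calls) ignored
METADATA_BYTES = 700  # assumed size of one metadata-only JSON audit line


def _match_list(allowed, value):
    return not allowed or value in allowed


def _path_matches(path, spec):
    return path == spec or (spec.endswith("*") and path.startswith(spec[:-1]))


def rule_matches(rule, req):
    """Mirror the audit.k8s.io policy matcher: every populated selector must match.
    (resourceNames and subresources are not modelled.)"""
    if not _match_list(rule.get("users"), req["user"]):
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(req["groups"]):
        return False
    if not _match_list(rule.get("verbs"), req["verb"]):
        return False
    if rule.get("namespaces") or rule.get("resources"):
        if not req["resource"]:  # resource selectors never match non-resource URLs
            return False
        if not _match_list(rule.get("namespaces"), req["namespace"]):  # "" = cluster-scoped
            return False
        if rule.get("resources") and not any(
            gr.get("group", "") == req["group"]
            and (not gr.get("resources") or req["resource"] in gr["resources"] or "*" in gr["resources"])
            for gr in rule["resources"]
        ):
            return False
    elif rule.get("nonResourceURLs"):
        if req["resource"] or not any(_path_matches(req["path"], s) for s in rule["nonResourceURLs"]):
            return False
    return True


def decide(policy, req):
    """First matching rule wins; no match means the request is not audited.
    Returns (level, stages_to_omit)."""
    for rule in policy["rules"]:
        if rule_matches(rule, req):
            return rule["level"], set(policy.get("omitStages", [])) | set(rule.get("omitStages", []))
    return "None", set(STAGES)


def estimate(policy, requests):
    """Events and approximate bytes kept. Bodies are assumed to ride only on the
    ResponseComplete event, so omitting RequestReceived halves metadata volume."""
    events = size = 0
    for req in requests:
        level, omit = decide(policy, req)
        if level == "None":
            continue
        for stage in STAGES:
            if stage in omit:
                continue
            cost = METADATA_BYTES
            if stage == "ResponseComplete" and level in ("Request", "RequestResponse"):
                cost += req["request_bytes"]
            if stage == "ResponseComplete" and level == "RequestResponse":
                cost += req["response_bytes"]
            events += 1
            size += cost
    return {"events": events, "bytes": size}


def request(user, groups, verb, group="", resource="", namespace="", path="",
            request_bytes=0, response_bytes=0):
    return dict(user=user, groups=groups, verb=verb, group=group, resource=resource,
                namespace=namespace, path=path, request_bytes=request_bytes,
                response_bytes=response_bytes)


# Assumed policies (illustrative only, not the OpenShift manifests).
HEALTH = {"level": "None", "nonResourceURLs": ["/healthz*", "/readyz*", "/livez*", "/metrics"]}
POLICY_DEFAULT_LIKE = {"omitStages": ["RequestReceived"],
                       "rules": [HEALTH, {"level": "Metadata"}]}
POLICY_USER_REQUESTS_ONLY = {"omitStages": ["RequestReceived"], "rules": [
    HEALTH,
    {"level": "None", "userGroups": ["system:nodes", "system:serviceaccounts"]},
    {"level": "None", "users": ["system:apiserver", "system:kube-controller-manager",
                                "system:kube-scheduler"]},
    {"level": "Request", "verbs": ["create", "update", "patch", "delete"]},
    {"level": "Metadata"},
]}
POLICY_OFF = {"rules": [{"level": "None"}]}

# Constructed traffic mix: control-plane chatter dominates, humans are a trickle.
NODE = ("system:node:worker-0", ["system:nodes", "system:authenticated"])
PROM = ("system:serviceaccount:openshift-monitoring:prometheus-k8s",
        ["system:serviceaccounts", "system:authenticated"])
ADMIN = ("kube:admin", ["system:cluster-admins", "system:authenticated"])
SAMPLE_REQUESTS = (
    40 * [request(*NODE, "get", resource="pods", namespace="openshift-monitoring", response_bytes=4000)]
    + 30 * [request(*NODE, "update", group="coordination.k8s.io", resource="leases",
                    namespace="kube-node-lease", request_bytes=500, response_bytes=500)]
    + 20 * [request(*PROM, "list", resource="endpoints", response_bytes=60000)]
    + 20 * [request(*PROM, "get", path="/healthz")]
    + 2 * [request(*ADMIN, "create", group="apps", resource="deployments", namespace="demo",
                   request_bytes=2300, response_bytes=2800)]
    + 5 * [request(*ADMIN, "get", resource="pods", namespace="demo", response_bytes=9000)]
)

if __name__ == "__main__":
    for name, pol in [("default-like", POLICY_DEFAULT_LIKE),
                      ("user-requests-only", POLICY_USER_REQUESTS_ONLY), ("off", POLICY_OFF)]:
        r = estimate(pol, SAMPLE_REQUESTS)
        print(f"{name:20s} events={r['events']:4d} approx_bytes={r['bytes']:7d}")
```

With this mix the metadata-everything policy keeps 97 events and the user-requests policy 7, and all of the saving comes from rule ordering: the `None` rules for `system:nodes` and `system:serviceaccounts` sit before the catch-all, and first match wins. That is the custom policy the comment asks for; as the thread notes, `spec.audit.profile` only accepts the enumerated profile names, so a hand-written policy like this cannot simply be referenced from that field.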
I managed to stop logging in `/var/log/kube-apiserver` by:
- executing `oc patch kubeapiserver cluster --type=merge -p '{"spec":{"unsupportedConfigOverrides":{"apiServerArguments":{"audit-log-path":[]}}}}'`
- rebooting the node
Regards,
Damien
Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting `/remove-lifecycle stale`.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting `/lifecycle frozen`.
If this issue is safe to close now please do so with `/close`.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh by commenting `/remove-lifecycle rotten`.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting `/lifecycle frozen`.
If this issue is safe to close now please do so with `/close`.
/lifecycle rotten
/remove-lifecycle stale
Rotten issues close after 30d of inactivity.
Reopen the issue by commenting `/reopen`.
Mark the issue as fresh by commenting `/remove-lifecycle rotten`.
Exclude this issue from closing again by commenting `/lifecycle frozen`.
/close
@openshift-bot: Closing this issue.
In response to this:
> Rotten issues close after 30d of inactivity.
> Reopen the issue by commenting `/reopen`.
> Mark the issue as fresh by commenting `/remove-lifecycle rotten`.
> Exclude this issue from closing again by commenting `/lifecycle frozen`.
> /close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.