USHIFT-2454: audit log configuration #3105
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@copejon: This pull request references USHIFT-2454 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
openshift-ci
bot
added
the
approved
copejon
force-pushed
the
ushift-2454-audit-log-config
branch
3 times, most recently
from
c8b0bb0
to
8911fcc
Compare
openshift-merge-robot
added
the
needs-rebase
| apiVersion: audit.k8s.io/v1 | ||
| kind: Policy | ||
| metadata: | ||
| name: Default |
There was a problem hiding this comment.
Does this hard-coded policy match the default in the library, or was it hand-crafted?
There was a problem hiding this comment.
The generated default policy (sourced from OCP) includes a couple extra rules than the hardcoded policy and which are moot on MicroShift. Including the rules as their defined for an OCP cluster doesn't interfere with the kube-apiserver.
- This one would be applied to the
apiserver.openshift.iogroup, which isn't installed on MicroShift.
- level: None
namespaces:
- ""
resources:
- group: apiserver.openshift.io
resources:
- apirequestcounts
- apirequestcounts/*
users:
- system:apiserver- Same for this rule. The
userandoauthAPIs aren't deployed on MicroShift.
- level: RequestResponse
resources:
- group: user.openshift.io
resources:
- identities
- group: oauth.openshift.io
resources:
- oauthaccesstokens
- oauthauthorizetokens
verbs:
- create
- update
- patch
- delete
There was a problem hiding this comment.
So the new, generated Policy is superset (with the same values) of this hardcoded Police we're deleting?
There was a problem hiding this comment.
Right. The policies are sourced from embedded manifests in the vendored package. It's somewhat simple in that it has a base manifest to which it appends different rules depending on the profile.
| if err != nil { | ||
| return nil, err | ||
| } | ||
| return ap.DeepCopy(), nil |
There was a problem hiding this comment.
Is DeepCopy necessary? Looks like GetAuditPolicy already copies base policy before editing just to return it.
There was a problem hiding this comment.
The way I understood the comment on audit.GetAuditPolicy, the prudent thing to do is deepcopy the returned value:
// Note: the returned policy must not be modifed by the caller prior to a deepcopy.
| apiVersion: audit.k8s.io/v1 | ||
| kind: Policy | ||
| metadata: | ||
| name: Default |
There was a problem hiding this comment.
So the new, generated Policy is superset (with the same values) of this hardcoded Police we're deleting?
copejon
force-pushed
the
ushift-2454-audit-log-config
branch
from
4ddf35c
to
0c9b22b
Compare
openshift-merge-robot
removed
the
needs-rebase
copejon
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
copejon
force-pushed
the
ushift-2454-audit-log-config
branch
4 times, most recently
from
e639a65
to
a84cd37
Compare
| // The URL and Port of the API server cannot be changed by the user. | ||
| URL string `json:"-"` | ||
| Port int `json:"-"` | ||
| } | ||
|
|
||
| type AuditLog struct { |
There was a problem hiding this comment.
I would expect adding this would update the default config (packaging/microshift/config.yaml) and configs in docs (docs/user/howto_config.md)
| @@ -371,7 +371,7 @@ func (c *TLSCertificateConfig) GetPEMBytes() ([]byte, []byte, error) { | |||
| if err != nil { | |||
| return nil, nil, err | |||
| } | |||
| keyBytes, err := EncodeKey(c.Key) | |||
| keyBytes, err := encodeKey(c.Key) | |||
There was a problem hiding this comment.
How this change happened without updating go.mod?
There was a problem hiding this comment.
good question, let me see
| [Documentation] Setup audit | ||
| ${merged}= Extend MicroShift Config ${AUDIT_PROFILE} | ||
| Upload MicroShift Config ${merged} | ||
| Restart MicroShift |
There was a problem hiding this comment.
I'm wondering if we should refresh the ${CURSOR} before restarting so that we look at more specific log span? Otherwise it seems to use CURSOR set up at the beginning of this suite. I don't think it functionally changes too much, but you know... correctness :P
There was a problem hiding this comment.
I'd done some messing around with that, but decided it belonged in a separate PR (adding new setup/teardown keywords and [setup][teardowns] per test). You're abs right though, it should refresh each test.
| - "RequestReceived"`) | ||
|
|
||
| func (s *KubeAPIServer) configureAuditPolicy(cfg *config.Config) error { | ||
| p, err := apiserver.GetPolicy(cfg.ApiServer.AuditLog.Profile) |
There was a problem hiding this comment.
Would it be possible to validate this in the config package?
There was a problem hiding this comment.
Yes, but I'm doubtful of the value there. Is the idea to catch breaking changes to the OpenShift policies?
There was a problem hiding this comment.
You would get the validation also in show-config command, so that any invalid values also signal the error and you dont need to wait until starting microshift.
There was a problem hiding this comment.
Ah my bad, I see what you mean (thought you were referring to testing).
There was a problem hiding this comment.
I think this is not addressed yet? Otherwise the PR looks pretty good
|
/test microshift-metal-tests-arm |
|
One q about the generated default config in the docs, but otherwise looks good to me |
openshift-merge-robot
added
the
needs-rebase
copejon
force-pushed
the
ushift-2454-audit-log-config
branch
from
63dc0f8
to
dfc7c8c
Compare
openshift-merge-robot
removed
the
needs-rebase
copejon
force-pushed
the
ushift-2454-audit-log-config
branch
2 times, most recently
from
c454ad4
to
256ca40
Compare
vendor/github.com/openshift/library-go/pkg/operator/resource/resourceread/config.go
Outdated
Show resolved
Hide resolved
copejon
force-pushed
the
ushift-2454-audit-log-config
branch
from
256ca40
to
f920d82
Compare
Signed-off-by: Jon Cope <jcope@redhat.com>
copejon
force-pushed
the
ushift-2454-audit-log-config
branch
from
f920d82
to
b008846
Compare
… invalid fields and report them as a whole so that repeated executions are not necessary to validate the auditlog config Signed-off-by: Jon Cope <jcope@redhat.com>
add entry to TestValidate table to verify auditLog apiserver flags (maxFiles,maxFileAge,maxFileSize) are checked correctly Signed-off-by: Jon Cope <jcope@redhat.com>
|
@copejon: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: copejon, pmtk The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
No description provided.