-
Notifications
You must be signed in to change notification settings - Fork 196
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
USHIFT-2454: audit log configuration #3105
USHIFT-2454: audit log configuration #3105
Conversation
@copejon: This pull request references USHIFT-2454 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
c8b0bb0
to
8911fcc
Compare
apiVersion: audit.k8s.io/v1 | ||
kind: Policy | ||
metadata: | ||
name: Default |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this hard-coded policy match the default in the library, or was it hand-crafted?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The generated default policy (sourced from OCP) includes a couple extra rules than the hardcoded policy and which are moot on MicroShift. Including the rules as their defined for an OCP cluster doesn't interfere with the kube-apiserver.
- This one would be applied to the
apiserver.openshift.io
group, which isn't installed on MicroShift.
- level: None
namespaces:
- ""
resources:
- group: apiserver.openshift.io
resources:
- apirequestcounts
- apirequestcounts/*
users:
- system:apiserver
- Same for this rule. The
user
andoauth
APIs aren't deployed on MicroShift.
- level: RequestResponse
resources:
- group: user.openshift.io
resources:
- identities
- group: oauth.openshift.io
resources:
- oauthaccesstokens
- oauthauthorizetokens
verbs:
- create
- update
- patch
- delete
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So the new, generated Policy is superset (with the same values) of this hardcoded Police we're deleting?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right. The policies are sourced from embedded manifests in the vendored package. It's somewhat simple in that it has a base
manifest to which it appends different rules depending on the profile.
if err != nil { | ||
return nil, err | ||
} | ||
return ap.DeepCopy(), nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is DeepCopy
necessary? Looks like GetAuditPolicy
already copies base policy before editing just to return it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The way I understood the comment on audit.GetAuditPolicy, the prudent thing to do is deepcopy the returned value:
// Note: the returned policy must not be modifed by the caller prior to a deepcopy.
apiVersion: audit.k8s.io/v1 | ||
kind: Policy | ||
metadata: | ||
name: Default |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So the new, generated Policy is superset (with the same values) of this hardcoded Police we're deleting?
4ddf35c
to
0c9b22b
Compare
e639a65
to
a84cd37
Compare
// The URL and Port of the API server cannot be changed by the user. | ||
URL string `json:"-"` | ||
Port int `json:"-"` | ||
} | ||
|
||
type AuditLog struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would expect adding this would update the default config (packaging/microshift/config.yaml) and configs in docs (docs/user/howto_config.md)
@@ -371,7 +371,7 @@ func (c *TLSCertificateConfig) GetPEMBytes() ([]byte, []byte, error) { | |||
if err != nil { | |||
return nil, nil, err | |||
} | |||
keyBytes, err := EncodeKey(c.Key) | |||
keyBytes, err := encodeKey(c.Key) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How this change happened without updating go.mod?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good question, let me see
[Documentation] Setup audit | ||
${merged}= Extend MicroShift Config ${AUDIT_PROFILE} | ||
Upload MicroShift Config ${merged} | ||
Restart MicroShift |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm wondering if we should refresh the ${CURSOR} before restarting so that we look at more specific log span? Otherwise it seems to use CURSOR set up at the beginning of this suite. I don't think it functionally changes too much, but you know... correctness :P
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd done some messing around with that, but decided it belonged in a separate PR (adding new setup/teardown keywords and [setup][teardowns] per test). You're abs right though, it should refresh each test.
- "RequestReceived"`) | ||
|
||
func (s *KubeAPIServer) configureAuditPolicy(cfg *config.Config) error { | ||
p, err := apiserver.GetPolicy(cfg.ApiServer.AuditLog.Profile) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it be possible to validate this in the config package?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, but I'm doubtful of the value there. Is the idea to catch breaking changes to the OpenShift policies?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You would get the validation also in show-config
command, so that any invalid values also signal the error and you dont need to wait until starting microshift.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah my bad, I see what you mean (thought you were referring to testing).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is not addressed yet? Otherwise the PR looks pretty good
/test microshift-metal-tests-arm |
One q about the generated default config in the docs, but otherwise looks good to me |
63dc0f8
to
dfc7c8c
Compare
c454ad4
to
256ca40
Compare
vendor/github.com/openshift/library-go/pkg/operator/resource/resourceread/config.go
Outdated
Show resolved
Hide resolved
256ca40
to
f920d82
Compare
Signed-off-by: Jon Cope <jcope@redhat.com>
f920d82
to
b008846
Compare
… invalid fields and report them as a whole so that repeated executions are not necessary to validate the auditlog config Signed-off-by: Jon Cope <jcope@redhat.com>
add entry to TestValidate table to verify auditLog apiserver flags (maxFiles,maxFileAge,maxFileSize) are checked correctly Signed-off-by: Jon Cope <jcope@redhat.com>
@copejon: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is lgtm for me, waiting on others reviews. When done I will label it if its not already there.
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: copejon, pmtk The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
No description provided.