
Use admission webhooks as an alternative to audit logs #18

Closed
rohfle opened this issue Jun 4, 2018 · 5 comments
rohfle commented Jun 4, 2018

Currently auditing webhooks are difficult to use as they require configuration before Kubernetes is started. There are plans to allow configuration of webhooks at runtime (maybe v1.12).

Audit logs require ssh access to the master and require manual collection.

And so, we are looking for other ways of collecting request information.

One possible way would be using Admission webhooks
https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites

An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.

Admission webhooks are HTTP callbacks that receive admission requests and do something with them.

An admission webhook that

  1. Records the request
  2. Responds immediately with OK
  3. Sends the request to apisnoop

could be something worth exploring


hh commented Jun 5, 2018

The Nginx on our apisnoop test rig has been updated to proxy /audit to test-server.go.

The following should work on any Kubernetes cluster that supports dynamic admission controller webhooks:

cat <<EOF | kubectl apply --validate=false -f -
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: apisnoop
webhooks:
- clientConfig:
    url: https://apisnoop.ii.coop/audit
  failurePolicy: Ignore
  name: apisnoop.ii.coop
  namespaceSelector: {}
  rules:
  - apiGroups:
    - '*'
    apiVersions:
    - '*'
    operations:
    - '*'
    resources:
    - '*'
EOF

Tomorrow we can see how much this differs from audit-logs to make it easier to contribute logs.
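A minimal receiver for the /audit URL that the configuration above points at, added here as an example (it is not apisnoop's test-server.go): it records who did what to which resource from each AdmissionReview and answers allowed at once, so the webhook never holds up or rejects a request. The AdmissionReview type is a hand-written subset of the v1beta1 wire format, not the upstream k8s.io/api types, and the TLS listener the apiserver requires for an https webhook URL is assumed to be set up around ServeAudit.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)
// Subset of the admission.k8s.io/v1beta1 AdmissionReview wire format, declared here for the
// example (not the upstream k8s.io/api types); untagged fields match JSON case-insensitively.
type AdmissionResponse struct{ UID string `json:"uid"`; Allowed bool `json:"allowed"` }
type AdmissionReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    *struct {
		UID, Operation, Namespace, Name string
		Resource                        struct{ Group, Version, Resource string }
		UserInfo                        struct{ Username string }
	} `json:"request,omitempty"`
	Response *AdmissionResponse `json:"response,omitempty"`
}
// AuditRecord is one trail entry. There is no user agent field: the AdmissionRequest carries none.
type AuditRecord struct{ User, Operation, Resource, Namespace, Name string }
// Record extracts the audit fields and builds an allow-everything response echoing the request UID.
func Record(body []byte) (AuditRecord, []byte, error) {
	var rv AdmissionReview
	if err := json.Unmarshal(body, &rv); err != nil {
		return AuditRecord{}, nil, err
	} else if rv.Request == nil {
		return AuditRecord{}, nil, fmt.Errorf("AdmissionReview has no request")
	}
	q := rv.Request
	rec := AuditRecord{User: q.UserInfo.Username, Operation: q.Operation, Namespace: q.Namespace,
		Name: q.Name, Resource: q.Resource.Group + "/" + q.Resource.Version + "/" + q.Resource.Resource}
	out, err := json.Marshal(AdmissionReview{APIVersion: rv.APIVersion, Kind: rv.Kind,
		Response: &AdmissionResponse{UID: q.UID, Allowed: true}})
	return rec, out, err
}
// ServeAudit handles /audit: record first, then answer at once so admission is never held up.
func ServeAudit(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body)
	rec, out, err := Record(body)
	if err != nil { // with failurePolicy: Ignore a 400 here still lets the API request through
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Printf("audit: %+v\n", rec) // stand-in for forwarding the record to apisnoop
	w.Header().Set("Content-Type", "application/json")
	w.Write(out)
}
```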


hh commented Jun 5, 2018

  • why do we have to use '--validate=false'
  • ensure we can create / enforce / GUID style urls for new captures
  • discuss where to store this data long term... a gce bucket?


hh commented Jul 15, 2018

Will table this for a while until the dust settles regarding dynamic audit logging: kubernetes/community#2188

This approach also doesn't yet support user-agent.

@hh hh closed this as completed Jul 15, 2018

hh commented Mar 6, 2019

We can probably implement this now, pulling into current cycle for prioritisation.

@hh hh reopened this Mar 6, 2019
@hh hh added the 0.18.0 label Mar 6, 2019
@hh hh added this to the 0.18.0 milestone Mar 6, 2019

hh commented Mar 6, 2019

Just realized this use of AdmissionWebhooks to create an audit trail is the conversation that prompted the creation of DynamicAuditSinks / webhooks.

@hh hh closed this as completed Mar 6, 2019