API Audit Logging #22
Comments
|
What's the current status of this? It's not clear to me who's working on what or what the next steps are. @soltysh came up with a working PR that has had a lot of feedback and discussion: kubernetes/kubernetes#27087 |
|
@amouat in the mentioned PR @soltysh introduces what we call "basic auditing", basically access.log-style logging only without any deeper api knowledge. To my knowledge mainly log-rotation is an open issue. kubernetes/kubernetes#29443 is the continuation by me and @soltysh describing more "advanced auditing" where the basic audit output would just be a special case. This feature issue is about the latter and will link to that proposal PR once it's more complete. |
|
Thanks! I have to say this process is very confusing. The discussion has moved from issue #2203, to PR #27087 to this issue and then to #29443, with no clear indication on each where the current discussion is happening, or what the next steps are :( Many thanks for you work on this though, I don't mean to sound ungrateful towards a great OS project. I just wanted to check that this issue was still moving forward. |
philips
added
team/SIG-API
sig/api-machinery
|
@soltysh @sttts Are the docs ready? Please update the docs to https://github.com/kubernetes/kubernetes.github.io, and then add PR numbers and have the docs box checked in the issue description |
|
@janetkuo this feature is postponed to 1.5, in 1.4 we only have kubernetes/kubernetes#27087 as a first step. Unfortunately, I lack the permissions to change the milestone. |
|
I've changed both the labels and milestone. Although it would be good to have at least the small part documented. I'll create a PR right away. |
|
Created kubernetes/website#1168 for the basic audit part. |
|
I added the alpha-in-1.4 label, as we got some of this done in 1.4. It might be a stretch to call it alpha, but I don't want to lose that we shipped some working pieces of this for 1.4. |
|
Yeah, the some is quite a stretch here, but I'm ok with it. |
|
Unfortunately this is stuck in alpha, no work has been done recently with it 😭 |
|
Maybe of interest to @kubernetes/sig-instrumentation ? |
|
hey guys - this is very important for us since we are planning to financial services application on k8s. I realize that this may take a while to make it in. I hope im not destroying the conversation here.. but what are people using today to do this kind of logging ? A lot of people use bastion hosts to run kubectl - are you guys logging commands on that server, etc ? it would be good to know some practical examples. |
|
@tallclair @x13n @CaoShuFeng -- |
|
@justaugustus yes this is in plans. PR is already in review: |
|
Thanks for the update! /remove-stage beta |
k8s-ci-robot
added
stage/stable
justaugustus
added
the
tracked/yes
|
Hey there! @roberthbailey I'm the wrangler for the Docs this release. Is there any chance I could have you open up a docs PR against the release-1.12 branch as a placeholder? That gives us more confidence in the feature shipping in this release and gives me something to work with when we start doing reviews/edits. Thanks! If this feature does not require docs, could you please update the features tracking spreadsheet to reflect it? |
|
@tallclair is the primary assignee; I just created the initial issue. |
|
@loburm @x13n @CaoShuFeng - Can one of you volunteer to own the v1.12 docs for this feature? |
I will do it. |
I found that these two pull requests need document: The dynamic audit documentation is here: kubernetes/website#9947 |
|
Thank you!
…On Tue, Aug 21, 2018 at 10:13 PM CaoShuFeng ***@***.***> wrote:
Can one of you volunteer to own the v1.12 docs for this feature?
I found that these two pull requests need document:
kubernetes/kubernetes#65862
<kubernetes/kubernetes#65862>
kubernetes/kubernetes#65763
<kubernetes/kubernetes#65763>
I will update the document
<kubernetes/website#9953> once they get merged.
The dynamic audit documentation is here: kubernetes/website#9947
<kubernetes/website#9947>
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#22 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AE81SPi0lMeSJ3iqUIkvBoJhy9XZhtlBks5uTMxxgaJpZM4JK333>
.
|
|
@CaoShuFeng @tallclair -- |
|
The document is ready for review: kubernetes/website#9947 kubernetes/kubernetes#65763 not included yet. |
|
Thanks for the update! |
|
Dropping this from the milestone per the feedback here: kubernetes/website#9947 (comment) /milestone v1.13 |
justaugustus
removed
the
tracked/yes
|
As this has graduated to stable I'm going to close this feature (woohoo!) Future enhancements should be tracked as separate features (e.g. Dynamic Audit Configuration). Thanks to everyone who worked on this! 🎉 |
|
/milestone clear |
Automatic merge from submit-queue (batch tested with PRs 42042, 46139, 46126, 46258, 46312) Append X-Forwarded-For in proxy handler Append the request sender's IP to the `X-Forwarded-For` header chain when proxying requests. This is important for audit logging (kubernetes/enhancements#22) in order to capture the client IP (specifically in the case of federation or kube-aggregator). /cc @liggitt @deads2k @ericchiang @ihmccreery @soltysh Kubernetes-commit: 2b1b7f92cecaf2fa3c4b2e29a864d1407a1d406e
and others
API Audit Logging
The text was updated successfully, but these errors were encountered: