Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

API Audit Logging #22

Closed
2 of 3 tasks
roberthbailey opened this issue Jul 12, 2016 · 49 comments
Closed
2 of 3 tasks

API Audit Logging #22

roberthbailey opened this issue Jul 12, 2016 · 49 comments
Assignees
Labels
sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status

Comments

@roberthbailey
Copy link
Contributor

roberthbailey commented Jul 12, 2016

API Audit Logging

@idvoretskyi idvoretskyi modified the milestone: v1.4 Jul 18, 2016
@amouat
Copy link

amouat commented Jul 26, 2016

What's the current status of this? It's not clear to me who's working on what or what the next steps are. @soltysh came up with a working PR that has had a lot of feedback and discussion: kubernetes/kubernetes#27087

@sttts
Copy link
Contributor

sttts commented Jul 26, 2016

@amouat in the mentioned PR @soltysh introduces what we call "basic auditing", basically access.log-style logging only without any deeper api knowledge. To my knowledge mainly log-rotation is an open issue.

kubernetes/kubernetes#29443 is the continuation by me and @soltysh describing more "advanced auditing" where the basic audit output would just be a special case. This feature issue is about the latter and will link to that proposal PR once it's more complete.

@amouat
Copy link

amouat commented Jul 26, 2016

Thanks!

I have to say this process is very confusing. The discussion has moved from issue #2203, to PR #27087 to this issue and then to #29443, with no clear indication on each where the current discussion is happening, or what the next steps are :(

Many thanks for you work on this though, I don't mean to sound ungrateful towards a great OS project. I just wanted to check that this issue was still moving forward.

@philips philips added team/SIG-API sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed team/SIG-API labels Aug 3, 2016
@janetkuo
Copy link
Member

janetkuo commented Sep 2, 2016

@soltysh @sttts Are the docs ready? Please update the docs to https://github.com/kubernetes/kubernetes.github.io, and then add PR numbers and have the docs box checked in the issue description

@sttts
Copy link
Contributor

sttts commented Sep 5, 2016

@janetkuo this feature is postponed to 1.5, in 1.4 we only have kubernetes/kubernetes#27087 as a first step. Unfortunately, I lack the permissions to change the milestone.

@soltysh soltysh modified the milestones: v1.5, v1.4 Sep 6, 2016
@soltysh
Copy link
Contributor

soltysh commented Sep 6, 2016

I've changed both the labels and milestone. Although it would be good to have at least the small part documented. I'll create a PR right away.

@soltysh
Copy link
Contributor

soltysh commented Sep 6, 2016

Created kubernetes/website#1168 for the basic audit part.

@goltermann
Copy link
Contributor

I added the alpha-in-1.4 label, as we got some of this done in 1.4. It might be a stretch to call it alpha, but I don't want to lose that we shipped some working pieces of this for 1.4.

@soltysh
Copy link
Contributor

soltysh commented Sep 6, 2016

Yeah, the some is quite a stretch here, but I'm ok with it.

@idvoretskyi
Copy link
Member

@soltysh @sttts can you provide the actual status of the feature for the 1.5 release (is it alpha, beta, etc)?

@soltysh
Copy link
Contributor

soltysh commented Nov 3, 2016

Unfortunately this is stuck in alpha, no work has been done recently with it 😭

@davidopp
Copy link
Member

davidopp commented Nov 3, 2016

Maybe of interest to @kubernetes/sig-instrumentation ?

@idvoretskyi
Copy link
Member

@soltysh @davidopp so, I'll target this one to the next milestone.

@sandys
Copy link

sandys commented Nov 29, 2016

hey guys - this is very important for us since we are planning to financial services application on k8s. I realize that this may take a while to make it in. I hope im not destroying the conversation here.. but what are people using today to do this kind of logging ?

A lot of people use bastion hosts to run kubectl - are you guys logging commands on that server, etc ? it would be good to know some practical examples.

@justaugustus
Copy link
Member

@tallclair @x13n @CaoShuFeng --
Feature Freeze is today. Are we planning on graduating this feature in Kubernetes 1.12?
If so, can you make sure everything is up-to-date, so I can include it on the 1.12 Feature tracking spreadsheet?

@loburm
Copy link

loburm commented Jul 31, 2018

@justaugustus yes this is in plans. PR is already in review:
kubernetes/kubernetes#65891

@justaugustus
Copy link
Member

Thanks for the update!

/remove-stage beta
/stage stable

@k8s-ci-robot k8s-ci-robot added stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status and removed stage/beta Denotes an issue tracking an enhancement targeted for Beta status labels Jul 31, 2018
@justaugustus justaugustus added the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Jul 31, 2018
@zparnold
Copy link
Member

Hey there! @roberthbailey I'm the wrangler for the Docs this release. Is there any chance I could have you open up a docs PR against the release-1.12 branch as a placeholder? That gives us more confidence in the feature shipping in this release and gives me something to work with when we start doing reviews/edits. Thanks! If this feature does not require docs, could you please update the features tracking spreadsheet to reflect it?

@roberthbailey
Copy link
Contributor Author

@tallclair is the primary assignee; I just created the initial issue.

@tallclair
Copy link
Member

@loburm @x13n @CaoShuFeng - Can one of you volunteer to own the v1.12 docs for this feature?

@CaoShuFeng
Copy link
Contributor

Can one of you volunteer to own the v1.12 docs for this feature?

I will do it.

@CaoShuFeng
Copy link
Contributor

Can one of you volunteer to own the v1.12 docs for this feature?

I found that these two pull requests need document:
kubernetes/kubernetes#65862
kubernetes/kubernetes#65763
I will update the document once they get merged.

The dynamic audit documentation is here: kubernetes/website#9947

@zparnold
Copy link
Member

zparnold commented Aug 25, 2018 via email

@justaugustus
Copy link
Member

@CaoShuFeng @tallclair --
Any update on docs status for this feature? Are we still planning to land it for 1.12?
At this point, code freeze is upon us, and docs are due on 9/7 (2 days).
If we don't here anything back regarding this feature ASAP, we'll need to remove it from the milestone.

cc: @zparnold @jimangel @tfogo

@CaoShuFeng
Copy link
Contributor

CaoShuFeng commented Sep 6, 2018

The document is ready for review: kubernetes/website#9947

kubernetes/kubernetes#65763 not included yet.

@justaugustus
Copy link
Member

Thanks for the update!

@justaugustus
Copy link
Member

Dropping this from the milestone per the feedback here: kubernetes/website#9947 (comment)

/milestone v1.13

@k8s-ci-robot k8s-ci-robot modified the milestones: v1.12, v1.13 Sep 11, 2018
@justaugustus justaugustus removed the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Sep 11, 2018
@tallclair
Copy link
Member

tallclair commented Oct 5, 2018

As this has graduated to stable I'm going to close this feature (woohoo!)

Future enhancements should be tracked as separate features (e.g. Dynamic Audit Configuration).

Thanks to everyone who worked on this! 🎉

@kacole2
Copy link

kacole2 commented Oct 5, 2018

/milestone clear

@k8s-ci-robot k8s-ci-robot removed this from the v1.13 milestone Oct 5, 2018
brahmaroutu added a commit to brahmaroutu/enhancements that referenced this issue Aug 8, 2020
akhilerm pushed a commit to akhilerm/apimachinery that referenced this issue Sep 20, 2022
Automatic merge from submit-queue (batch tested with PRs 42042, 46139, 46126, 46258, 46312)

Append X-Forwarded-For in proxy handler

Append the request sender's IP to the `X-Forwarded-For` header chain when proxying requests. This is important for audit logging (kubernetes/enhancements#22) in order to capture the client IP (specifically in the case of federation or kube-aggregator).

/cc @liggitt @deads2k @ericchiang @ihmccreery @soltysh

Kubernetes-commit: 2b1b7f92cecaf2fa3c4b2e29a864d1407a1d406e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status
Projects
None yet
Development

No branches or pull requests