Dynamic Audit Configuration

[pbarker]

Feature Description

• One-line feature description (can be used as a release note):
  Dynamic configuration of Audit facilities in the apiserver
• Primary contact (assignee):
  @pbarker
• Responsible SIGs:
  sig-auth
• KEP: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/0014-dynamic-audit-configuration.md
• Design proposal link (community repo):
  KEP: Dynamic Audit Configuration community#2188
  adds policy to dynamic audit kep community#2407
• Link to e2e and/or unit tests:
• Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred:
  @tallclair
  @liggitt
  @yliaog
  @caesarxuchao
• Approver (likely from SIG/area to which feature belongs):
  @tallclair
• Feature target (which target equals to which milestone):
  • Alpha release target (x.y)
    1.15
  • Beta release target (x.y)
    1.xx
  • Stable release target (x.y)
    1.xx

API PRs:

• Dynamic Audit to Beta kubernetes#73981
• Configurable Event Version in AuditSink kubernetes#73547

[pbarker]

/cc @tallclair
/sig auth

[pbarker]

/milestone v1.12

[justaugustus]

/kind feature
/stage alpha

[justaugustus]

/assign @pbarker

[zparnold]

Hey there! @pbarker I'm the wrangler for the Docs this release. Is there any chance I could have you open up a docs PR against the release-1.12 branch as a placeholder? That gives us more confidence in the feature shipping in this release and gives me something to work with when we start doing reviews/edits. Thanks! If this feature does not require docs, could you please update the features tracking spreadsheet to reflect it?

[pbarker]

@zparnold will do 👍 to be clear, do I write the docs there or is that something the docs folks do?

[zparnold]

You'll be writing the docs, and we'll be making sure that it matches our style and clarity. (Mostly because we may not understand the feature as well as you do at present.) If you need help, please just let me or @jimangel know

[pbarker]

ok here is the starter issue kubernetes/website#9947

[zparnold]

Thank you! I'll mark it on the FT spreadsheet!

…

On Mon, Aug 20, 2018 at 9:07 PM Patrick Barker ***@***.***> wrote: ok here is the starter issue kubernetes/website#9947 <kubernetes/website#9947> — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#600 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AE81SELfIzplzIG3Xh8nq44M3EhHtsZDks5uS2t1gaJpZM4VnCpV> .

[justaugustus]

@pbarker --
Any update on docs status for this feature? Are we still planning to land it for 1.12?
At this point, code freeze is upon us, and docs are due on 9/7 (2 days).
If we don't here anything back regarding this feature ASAP, we'll need to remove it from the milestone.

cc: @zparnold @jimangel @tfogo

[pbarker]

@justaugustus unfortunately this one has gotten caught up in the review process and will not be making 1.12

[pbarker]

/milestone v1.13

[pbarker]

@justaugustus I don't have the power to change the milestone, but we'll be targeting 1.13

[liggitt]

/milestone v1.13

[justaugustus]

/milestone v1.13

[justaugustus]

(btw, pretty sure you have milestone powers here, @liggitt, but we hadn't turned the bot on until kubernetes/test-infra#9252 merged)

[tamalsaha]

@kacole2 , I believe @liggitt is the right person to contact on this feature. Please see his recent response kubernetes/kubernetes#71230 (comment)

My reading of @liggitt's comment is that this features is back to KEP phase.

[jeremyrickard]

Hey there @liggitt @pbarker -- 1.17 Enhancements shadow here 👋 . I wanted to check in and see if you think this Enhancement will be graduating to beta or new features will land in 1.17?

The current release schedule is:

• Monday, September 23 - Release Cycle Begins
• Tuesday, October 15, EOD PST - Enhancements Freeze
• Thursday, November 14, EOD PST - Code Freeze
• Tuesday, November 19 - Docs must be completed and reviewed
• Monday, December 9 - Kubernetes 1.17.0 Released

If you do, I'll add it to the 1.17 tracking sheet (https://bit.ly/k8s117-enhancements). Once coding begins please list all relevant k/k PRs in this issue so they can be tracked properly. 👍

Thanks!

[zetaab]

@pbarker @tallclair @liggitt what is status of this Enhancement? If I read previous comments it makes me feel is this feature going to beta at all? I see this feature very useful and would like to see it in beta. Could we push this forward and get this to 1.18?

There was already PR to make this enhancement to beta in 1.15 but it was closed. So could we just reopen it (and rebase)?

[tallclair]

I agree this feature needs a roadmap. I would say that at the moment, it's future is unknown. Can you share a little more about why you think it's useful, and how you plan to to use it?

[pbarker]

VMware bought Heptio and this got put on the back burner as we integrated. We are now coming back around to it with more resources and will probably begin work on it early next year.

[tamalsaha]

I have been quietly (well, I pinged pbarker a few times since he was working on it earlier this year.) following and waiting for this feature. We build a few k8s operators and we need this feature to do reliable and trusted usage-based-billing.

@tallclair , I thought you were working on it https://groups.google.com/forum/#!msg/kubernetes-sig-auth/Ha0C4cladCQ/JhAaOKBhFAAJ .

We don't have the resources to contribute to push code to upstream. But I would more than happy to contribute by reading design docs / KEPs . How can I do that?

[tallclair]

More eyes on designs & KEPs is definitely helpful. Watching this issue, attending sig-auth and the mailing list is probably the best way to keep up.

Unfortunately I don't have time to be actively working on this outside of design reviews.

[spiffxp]

My interest in seeing this go to beta is to get parity with the ability to update the config dynamically, as is supported today for admission webhooks (https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/).

For conformance we are currently unable to dynamically audit which components/tests are hitting which API endpoints without making a run around kubernetes, or setting the cluster up as such by default (which we're unable to do for hosted providers who don't expose alpha options). The goal would be to install a pod which registers itself as an audit webhook automagically, if installed by a user with sufficient privileges.

It's unclear to me whether PR's/KEP's like #1259 imply there is more done in refining the config before enabling dynamic configuration

[johnbelamaric]

@pbarker Enhancements shadow for 1.18 here. Are you targeting anything for this in 1.18? We need to track it if so. The release schedule is:

Monday, January 6th - Release Cycle Begins
Tuesday, January 28th EOD PST - Enhancements Freeze
Thursday, March 5th, EOD PST - Code Freeze
Monday, March 16th - Docs must be completed and reviewed
Tuesday, March 24th - Kubernetes 1.18.0 Released

[johnbelamaric]

Nothing planned for 1.18 per @liggitt

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[palnabarun]

/remove-lifecycle stale

[tallclair]

FYI, we'll be further discussing 2 potential paths forward for this feature at the next sig-auth meeting (2020-04-29):

1. Dynamic audit proxy webhook design
2. Dynamic webhook sinks with static policy

[harshanarayana]

Hey there @pbarker, 1.19 Enhancements shadow here. I wanted to check in and see if you think this Enhancement will be graduating in 1.19?

In order to have this part of the release:

1. The KEP PR must be merged in an implementable state
2. The KEP must have test plans
3. The KEP must have graduation criteria.

The current release schedule is:

• Monday, April 13: Week 1 - Release cycle begins
• Tuesday, May 19: Week 6 - Enhancements Freeze
• Thursday, June 25: Week 11 - Code Freeze
• Thursday, July 9: Week 14 - Docs must be completed and reviewed
• Tuesday, August 4: Week 17 - Kubernetes v1.19.0 released

If you do, I'll add it to the 1.19 tracking sheet (http://bit.ly/k8s-1-19-enhancements). Once coding begins please list all relevant k/k PRs in this issue so they can be tracked properly. 👍

Thanks!

[tallclair]

We're currently discussing the future of this feature in sig-auth, but no changes are planned for v1.19.

[harshanarayana]

@tallclair Thank you very much for following up. I've updated the tracking sheet accordingly. 👍

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[palnabarun]

/remove-lifecycle rotten

[liggitt]

This feature was removed in 1.19 (details in https://groups.google.com/g/kubernetes-sig-auth/c/aV_nXpa5uWU)