This repository has been archived by the owner on Mar 2, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 44
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add audit logging support with a default logging policy
Enable Kubernetes API audit logging with a default logging policy. When desired, users can provide their custom audit policy rules using an ansible variable. Fixes #138 Signed-off-by: Alexander Brand <alexbrand09@gmail.com>
- Loading branch information
Showing
5 changed files
with
346 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
162 changes: 162 additions & 0 deletions
162
ansible/roles/kubernetes-common/templates/etc/kubernetes/apiserver-audit-policy.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,162 @@ | ||
apiVersion: audit.k8s.io/v1beta1 | ||
kind: Policy | ||
rules: | ||
{% if kubernetes_common_audit_policy_rules is defined and kubernetes_common_audit_policy_rules != "" %} | ||
{{ kubernetes_common_audit_policy_rules | indent(2, true) }} | ||
{% else %} | ||
# Default rules obtained from https://github.com/kubernetes/kubernetes/blob/v1.13.5/cluster/gce/gci/configure-helper.sh#L752 | ||
# The following requests were manually identified as high-volume and low-risk, | ||
# so drop them. | ||
- level: None | ||
users: ["system:kube-proxy"] | ||
verbs: ["watch"] | ||
resources: | ||
- group: "" # core | ||
resources: ["endpoints", "services", "services/status"] | ||
- level: None | ||
# Ingress controller reads 'configmaps/ingress-uid' through the unsecured port. | ||
# TODO(#46983): Change this to the ingress controller service account. | ||
users: ["system:unsecured"] | ||
namespaces: ["kube-system"] | ||
verbs: ["get"] | ||
resources: | ||
- group: "" # core | ||
resources: ["configmaps"] | ||
- level: None | ||
users: ["kubelet"] # legacy kubelet identity | ||
verbs: ["get"] | ||
resources: | ||
- group: "" # core | ||
resources: ["nodes", "nodes/status"] | ||
- level: None | ||
userGroups: ["system:nodes"] | ||
verbs: ["get"] | ||
resources: | ||
- group: "" # core | ||
resources: ["nodes", "nodes/status"] | ||
- level: None | ||
users: | ||
- system:kube-controller-manager | ||
- system:kube-scheduler | ||
- system:serviceaccount:kube-system:endpoint-controller | ||
verbs: ["get", "update"] | ||
namespaces: ["kube-system"] | ||
resources: | ||
- group: "" # core | ||
resources: ["endpoints"] | ||
- level: None | ||
users: ["system:apiserver"] | ||
verbs: ["get"] | ||
resources: | ||
- group: "" # core | ||
resources: ["namespaces", "namespaces/status", "namespaces/finalize"] | ||
- level: None | ||
users: ["cluster-autoscaler"] | ||
verbs: ["get", "update"] | ||
namespaces: ["kube-system"] | ||
resources: | ||
- group: "" # core | ||
resources: ["configmaps", "endpoints"] | ||
# Don't log HPA fetching metrics. | ||
- level: None | ||
users: | ||
- system:kube-controller-manager | ||
verbs: ["get", "list"] | ||
resources: | ||
- group: "metrics.k8s.io" | ||
# Don't log these read-only URLs. | ||
- level: None | ||
nonResourceURLs: | ||
- /healthz* | ||
- /version | ||
- /swagger* | ||
# Don't log events requests. | ||
- level: None | ||
resources: | ||
- group: "" # core | ||
resources: ["events"] | ||
# node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes | ||
- level: Request | ||
users: ["kubelet", "system:node-problem-detector", "system:serviceaccount:kube-system:node-problem-detector"] | ||
verbs: ["update","patch"] | ||
resources: | ||
- group: "" # core | ||
resources: ["nodes/status", "pods/status"] | ||
omitStages: | ||
- "RequestReceived" | ||
- level: Request | ||
userGroups: ["system:nodes"] | ||
verbs: ["update","patch"] | ||
resources: | ||
- group: "" # core | ||
resources: ["nodes/status", "pods/status"] | ||
omitStages: | ||
- "RequestReceived" | ||
# deletecollection calls can be large, don't log responses for expected namespace deletions | ||
- level: Request | ||
users: ["system:serviceaccount:kube-system:namespace-controller"] | ||
verbs: ["deletecollection"] | ||
omitStages: | ||
- "RequestReceived" | ||
# Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data, | ||
# so only log at the Metadata level. | ||
- level: Metadata | ||
resources: | ||
- group: "" # core | ||
resources: ["secrets", "configmaps"] | ||
- group: authentication.k8s.io | ||
resources: ["tokenreviews"] | ||
omitStages: | ||
- "RequestReceived" | ||
# Get repsonses can be large; skip them. | ||
- level: Request | ||
verbs: ["get", "list", "watch"] | ||
resources: | ||
- group: "" # core | ||
- group: "admissionregistration.k8s.io" | ||
- group: "apiextensions.k8s.io" | ||
- group: "apiregistration.k8s.io" | ||
- group: "apps" | ||
- group: "authentication.k8s.io" | ||
- group: "authorization.k8s.io" | ||
- group: "autoscaling" | ||
- group: "batch" | ||
- group: "certificates.k8s.io" | ||
- group: "extensions" | ||
- group: "metrics.k8s.io" | ||
- group: "networking.k8s.io" | ||
- group: "policy" | ||
- group: "rbac.authorization.k8s.io" | ||
- group: "scheduling.k8s.io" | ||
- group: "settings.k8s.io" | ||
- group: "storage.k8s.io" | ||
omitStages: | ||
- "RequestReceived" | ||
# Default level for known APIs | ||
- level: RequestResponse | ||
resources: | ||
- group: "" # core | ||
- group: "admissionregistration.k8s.io" | ||
- group: "apiextensions.k8s.io" | ||
- group: "apiregistration.k8s.io" | ||
- group: "apps" | ||
- group: "authentication.k8s.io" | ||
- group: "authorization.k8s.io" | ||
- group: "autoscaling" | ||
- group: "batch" | ||
- group: "certificates.k8s.io" | ||
- group: "extensions" | ||
- group: "metrics.k8s.io" | ||
- group: "networking.k8s.io" | ||
- group: "policy" | ||
- group: "rbac.authorization.k8s.io" | ||
- group: "scheduling.k8s.io" | ||
- group: "settings.k8s.io" | ||
- group: "storage.k8s.io" | ||
omitStages: | ||
- "RequestReceived" | ||
# Default level for all other requests. | ||
- level: Metadata | ||
omitStages: | ||
- "RequestReceived" | ||
{% endif %} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,2 @@ | ||
--- | ||
kubernetes_common_audit_policy_rules: [] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
162 changes: 162 additions & 0 deletions
162
ansible/roles/kubernetes-master/templates/etc/kubernetes/apiserver-audit-policy.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,162 @@ | ||
apiVersion: audit.k8s.io/v1beta1 | ||
kind: Policy | ||
rules: | ||
{% if kubernetes_common_audit_policy_rules|length > 0 %} | ||
{{ kubernetes_common_audit_policy_rules | indent(2, true) }} | ||
{% else %} | ||
# Default rules obtained from https://github.com/kubernetes/kubernetes/blob/v1.13.5/cluster/gce/gci/configure-helper.sh#L752 | ||
# The following requests were manually identified as high-volume and low-risk, | ||
# so drop them. | ||
- level: None | ||
users: ["system:kube-proxy"] | ||
verbs: ["watch"] | ||
resources: | ||
- group: "" # core | ||
resources: ["endpoints", "services", "services/status"] | ||
- level: None | ||
# Ingress controller reads 'configmaps/ingress-uid' through the unsecured port. | ||
# TODO(#46983): Change this to the ingress controller service account. | ||
users: ["system:unsecured"] | ||
namespaces: ["kube-system"] | ||
verbs: ["get"] | ||
resources: | ||
- group: "" # core | ||
resources: ["configmaps"] | ||
- level: None | ||
users: ["kubelet"] # legacy kubelet identity | ||
verbs: ["get"] | ||
resources: | ||
- group: "" # core | ||
resources: ["nodes", "nodes/status"] | ||
- level: None | ||
userGroups: ["system:nodes"] | ||
verbs: ["get"] | ||
resources: | ||
- group: "" # core | ||
resources: ["nodes", "nodes/status"] | ||
- level: None | ||
users: | ||
- system:kube-controller-manager | ||
- system:kube-scheduler | ||
- system:serviceaccount:kube-system:endpoint-controller | ||
verbs: ["get", "update"] | ||
namespaces: ["kube-system"] | ||
resources: | ||
- group: "" # core | ||
resources: ["endpoints"] | ||
- level: None | ||
users: ["system:apiserver"] | ||
verbs: ["get"] | ||
resources: | ||
- group: "" # core | ||
resources: ["namespaces", "namespaces/status", "namespaces/finalize"] | ||
- level: None | ||
users: ["cluster-autoscaler"] | ||
verbs: ["get", "update"] | ||
namespaces: ["kube-system"] | ||
resources: | ||
- group: "" # core | ||
resources: ["configmaps", "endpoints"] | ||
# Don't log HPA fetching metrics. | ||
- level: None | ||
users: | ||
- system:kube-controller-manager | ||
verbs: ["get", "list"] | ||
resources: | ||
- group: "metrics.k8s.io" | ||
# Don't log these read-only URLs. | ||
- level: None | ||
nonResourceURLs: | ||
- /healthz* | ||
- /version | ||
- /swagger* | ||
# Don't log events requests. | ||
- level: None | ||
resources: | ||
- group: "" # core | ||
resources: ["events"] | ||
# node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes | ||
- level: Request | ||
users: ["kubelet", "system:node-problem-detector", "system:serviceaccount:kube-system:node-problem-detector"] | ||
verbs: ["update","patch"] | ||
resources: | ||
- group: "" # core | ||
resources: ["nodes/status", "pods/status"] | ||
omitStages: | ||
- "RequestReceived" | ||
- level: Request | ||
userGroups: ["system:nodes"] | ||
verbs: ["update","patch"] | ||
resources: | ||
- group: "" # core | ||
resources: ["nodes/status", "pods/status"] | ||
omitStages: | ||
- "RequestReceived" | ||
# deletecollection calls can be large, don't log responses for expected namespace deletions | ||
- level: Request | ||
users: ["system:serviceaccount:kube-system:namespace-controller"] | ||
verbs: ["deletecollection"] | ||
omitStages: | ||
- "RequestReceived" | ||
# Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data, | ||
# so only log at the Metadata level. | ||
- level: Metadata | ||
resources: | ||
- group: "" # core | ||
resources: ["secrets", "configmaps"] | ||
- group: authentication.k8s.io | ||
resources: ["tokenreviews"] | ||
omitStages: | ||
- "RequestReceived" | ||
# Get repsonses can be large; skip them. | ||
- level: Request | ||
verbs: ["get", "list", "watch"] | ||
resources: | ||
- group: "" # core | ||
- group: "admissionregistration.k8s.io" | ||
- group: "apiextensions.k8s.io" | ||
- group: "apiregistration.k8s.io" | ||
- group: "apps" | ||
- group: "authentication.k8s.io" | ||
- group: "authorization.k8s.io" | ||
- group: "autoscaling" | ||
- group: "batch" | ||
- group: "certificates.k8s.io" | ||
- group: "extensions" | ||
- group: "metrics.k8s.io" | ||
- group: "networking.k8s.io" | ||
- group: "policy" | ||
- group: "rbac.authorization.k8s.io" | ||
- group: "scheduling.k8s.io" | ||
- group: "settings.k8s.io" | ||
- group: "storage.k8s.io" | ||
omitStages: | ||
- "RequestReceived" | ||
# Default level for known APIs | ||
- level: RequestResponse | ||
resources: | ||
- group: "" # core | ||
- group: "admissionregistration.k8s.io" | ||
- group: "apiextensions.k8s.io" | ||
- group: "apiregistration.k8s.io" | ||
- group: "apps" | ||
- group: "authentication.k8s.io" | ||
- group: "authorization.k8s.io" | ||
- group: "autoscaling" | ||
- group: "batch" | ||
- group: "certificates.k8s.io" | ||
- group: "extensions" | ||
- group: "metrics.k8s.io" | ||
- group: "networking.k8s.io" | ||
- group: "policy" | ||
- group: "rbac.authorization.k8s.io" | ||
- group: "scheduling.k8s.io" | ||
- group: "settings.k8s.io" | ||
- group: "storage.k8s.io" | ||
omitStages: | ||
- "RequestReceived" | ||
# Default level for all other requests. | ||
- level: Metadata | ||
omitStages: | ||
- "RequestReceived" | ||
{% endif %} |