DEPRECATED for the moment
The advanced audit feature provides several improvements over the basic audit functionality, including fine-grained events filtering and multiple output back ends.
To enable the advanced audit feature, provide the following values in the `openshift_master_audit_config` parameter:

```
openshift_master_audit_config={"enabled": true, "auditFilePath": "/var/lib/origin/oscp-audit.log", "maximumFileRetentionDays": 14, "maximumFileSizeMegabytes": 500, "maximumRetainedFiles": 5, "policyFile": "/etc/origin/master/adv-audit.yaml", "logFormat":"json"}
```
Important: The policy file `/etc/origin/master/adv-audit.yaml` must be available on each master node.
The following table contains additional options you can use.
| Parameter Name | Description |
|---|---|
| `policyFile` | Path to the file that defines the audit policy configuration. |
| | An embedded audit policy configuration. |
| `logFormat` | Specifies the format of the saved audit logs. Allowed values are |
| | Path to a |
| | Specifies the strategy for sending audit events. Allowed values are |
Important: To enable the advanced audit feature, you must provide either
```yaml
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
  # Do not log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None                     # (1)
    users: ["system:kube-proxy"]    # (2)
    verbs: ["watch"]                # (3)
    resources:                      # (4)
      - group: ""
        resources: ["endpoints", "services"]
  # Do not log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]  # (5)
    nonResourceURLs:                      # (6)
      - "/api*"  # Wildcard matching.
      - "/version"
  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
      - group: ""  # core API group
        resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]  # (7)
  # Log configmap and secret changes in all other namespaces at the metadata level.
  - level: Metadata
    resources:
      - group: ""  # core API group
        resources: ["secrets", "configmaps"]
  # Log all other resources in core and extensions at the request level.
  - level: Request
    resources:
      - group: ""  # core API group
      - group: "extensions"  # Version of group should NOT be included.
  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata  # (1)
  # Log login failures from the web console or CLI. Review the logs and refine your policies.
  - level: Metadata
    nonResourceURLs:
      - /login*  # (8)
      - /oauth*  # (9)
```
1. There are four possible levels every event can be logged at:
   - `None`: Do not log events that match this rule.
   - `Metadata`: Log request metadata (requesting user, time stamp, resource, verb, etc.), but not the request or response body. This is the same level as the one used in basic audit.
   - `Request`: Log event metadata and the request body, but not the response body.
   - `RequestResponse`: Log event metadata and both the request and response bodies.
2. A list of users the rule applies to. An empty list implies every user.
3. A list of verbs this rule applies to. An empty list implies every verb. This is the Kubernetes verb associated with API requests (including `get`, `list`, `watch`, `create`, `update`, `patch`, `delete`, `deletecollection`, and `proxy`).
4. A list of resources the rule applies to. An empty list implies every resource. Each resource is specified as the group it is assigned to (for example, an empty string for the Kubernetes core API, `batch`, `build.openshift.io`, etc.) and a list of resources from that group.
5. A list of groups the rule applies to. An empty list implies every group.
6. A list of non-resource URLs the rule applies to.
7. A list of namespaces the rule applies to. An empty list implies every namespace.
8. Endpoint used by the web console.
9. Endpoint used by the CLI.
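To see how these rules are applied, here is an added example (not part of the original documentation or of OpenShift itself) that evaluates the policy above against constructed request attributes: rules are tried in order, the first match decides the level, and an empty or omitted list matches everything, as the callouts describe. The request dicts and the `audit_level` / `rule_matches` helpers are assumptions of this example, not an OpenShift API.

```python
# Added example (not from the original page): evaluates the audit policy above against
# request attributes. Rules are tried in order, the first match decides the level, and an
# omitted or empty list matches every value. POLICY is the YAML above transcribed to Python.
POLICY = [
    {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
     "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
    {"level": "None", "userGroups": ["system:authenticated"],
     "nonResourceURLs": ["/api*", "/version"]},
    {"level": "Request", "namespaces": ["kube-system"],
     "resources": [{"group": "", "resources": ["configmaps"]}]},
    {"level": "Metadata",
     "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
    {"level": "Request", "resources": [{"group": ""}, {"group": "extensions"}]},
    {"level": "Metadata"},  # catch-all: matches any request that reaches it
    {"level": "Metadata", "nonResourceURLs": ["/login*", "/oauth*"]},
]

def _in(value, allowed):
    return not allowed or value in allowed  # empty/missing list = every value

def _url_matches(url, pattern):
    # Only a trailing "*" is a wildcard, as in "/api*" above.
    return url.startswith(pattern[:-1]) if pattern.endswith("*") else url == pattern

def rule_matches(rule, req):
    is_resource = "resource" in req  # non-resource requests carry "url" instead
    if not _in(req.get("user"), rule.get("users")):
        return False
    if rule.get("userGroups") and not set(req.get("groups", ())) & set(rule["userGroups"]):
        return False
    if not _in(req.get("verb"), rule.get("verbs")):
        return False
    if rule.get("namespaces") and (  # "" in the list selects cluster-scoped resources
            not is_resource or req.get("namespace", "") not in rule["namespaces"]):
        return False
    if rule.get("resources") and (not is_resource or not any(
            e.get("group", "") == req.get("group", "") and _in(req["resource"], e.get("resources"))
            for e in rule["resources"])):
        return False
    if rule.get("nonResourceURLs") and (is_resource or not any(
            _url_matches(req["url"], p) for p in rule["nonResourceURLs"])):
        return False
    return True

def audit_level(req, policy=POLICY):
    """Return (level, index of first matching rule); no match means nothing is logged."""
    for i, rule in enumerate(policy):
        if rule_matches(rule, req):
            return rule["level"], i
    return "None", None
```

Because matching is first-wins, the catch-all `level: Metadata` rule absorbs `/login*` and `/oauth*` requests before the final rule is reached; the level happens to be the same here, but a rule placed after a catch-all can never change the outcome.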
For more information on advanced audit, see the Kubernetes documentation.