Security Audit Logging of K8S API

Story: 2009835 Task: 45636 Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I9b3994baa1dd9aecd8b75f2c1cc8751c66d3db50
2022-06-16 11:02:55 -03:00 · 2022-06-16 11:02:55 -03:00 · ac3a23e9f2
commit ac3a23e9f2
parent ca28c7b1fe
3 changed files with 135 additions and 4 deletions
--- a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst
+++ b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst
@ -195,6 +195,7 @@ Operator Command Logging
   :maxdepth: 1
   operator-command-logging
   kubernetes-operator-command-logging-663fce5d74e7
 ****************
 UEFI Secure Boot
@ -283,4 +284,3 @@ Appendix: Locally creating certificates
   create-certificates-locally-using-openssl
   create-certificates-locally-using-cert-manager-on-the-controller
--- a/doc/source/security/kubernetes/kubernetes-operator-command-logging-663fce5d74e7.rst
+++ b/doc/source/security/kubernetes/kubernetes-operator-command-logging-663fce5d74e7.rst
@ -0,0 +1,131 @@
 .. _kubernetes-operator-command-logging-663fce5d74e7:
 ===================================
 Kubernetes Operator Command Logging
 ===================================
 The Kubernetes auditing provides a set of records that document the sequence of
 actions in a cluster. For more details, see
 `https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/
 <https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/>`__.
 You can configure which events should be logged through a set of rules written
 in a YAML file, see
 `https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#audit-policy
 <https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#audit-policy>`__.
 A default policy file is provided in |prod| at
 ``/etc/kubernetes/default-audit-policy.yaml``. This default policy file is a
 version of the audit profile for Google Container-Optimized OS.
 Kubernetes API Logging can be enabled and configured in |prod|, and can be
 fully configured and enabled at bootstrap time. Post-bootstrap, Kubernetes API
 Logging can only be enabled or disabled.
 The default policy file provided, present at
 ``/etc/kubernetes/default-audit-policy.yaml``, is a version of the audit
 profile for Google Container-Optimized OS extracted from
 `https://github.com/kubernetes/kubernetes/blob/75e49ec824b183288e1dbaccfd7dbe77d89db381/cluster/gce/gci/configure-helper.sh#L1129
 <https://github.com/kubernetes/kubernetes/blob/75e49ec824b183288e1dbaccfd7dbe77d89db381/cluster/gce/gci/configure-helper.sh#L1129>`__.
 Different log levels are used for different Kubernetes components.
 The reference for the ``kube-apiserver`` parameters associated with Kubernetes
 API Logging can be found at
 `https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 <https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/>`__.
 ``audit-policy-file``
    This parameter contains the full path of the audit policy configuration
    file to be used (e.g. ``/etc/kubernetes/default-audit-policy.yaml``).
    When this parameter is present, the feature is enabled. In |prod|
    |prod-ver|, by default, this parameter is absent and the feature is
    disabled.
 ``audit-log-path``
    This parameter points to the log file where the logs will be written. In
    |prod| |prod-ver|, by default, this parameter is present with the value
    ``/var/log/kubernetes/audit/audit.log``. It is recommended to use the
    default value.
 ``audit-log-maxsize``
    This parameter indicates the maximum size in megabytes of the audit log
    file before it gets rotated. In |prod| |prod-ver|, by default, this
    parameter is present with the value "100", that means 100MB.
 ``audit-log-maxage``
    This parameter indicates the maximum number of days to retain old audit log
    files. In |prod| |prod-ver|, by default, this parameter is present with the
    value "3", that means 3 days.
 ``audit-log-maxbackup``
    This parameter indicates the maximum number of old audit log files to
    retain. In |prod| |prod-ver|, by default, this parameter is present with
    the value "10", that means that 10 old files are kept.
 -------------------------------------------
 Bootstrap configuration of audit parameters
 -------------------------------------------
 At bootstrap, all five parameters are configurable. When the value of these
 parameters are not overridden, the deployed environment will have the feature
 disabled, as the parameter ``audit-policy-file`` will be absent, and the other
 parameters will be present with the default values.
 You can see below a YAML example that configures, at bootstrap in
 ``/home/sysadmin/localhost.yml``, all parameters and defines the contents of a
 custom policy file to be used with the ``apiserver_extra_volumes: {name:
 my-audit-policy-file ...}`` parameter. By configuring the parameter
 ``audit-policy-file`` the feature will be enabled.
 .. code-block:: none
    apiserver_extra_args:
      audit-log-maxage: '2'
      audit-log-maxbackup: '3'
      audit-log-maxsize: '40'
      audit-log-path: '/var/log/kubernetes/audit/audit.log'
      audit-policy-file: '/etc/kubernetes/my-audit-policy-file.yml'
    apiserver_extra_volumes:
      - name: my-audit-policy-file
        mountPath: '/etc/kubernetes/my-audit-policy-file.yml'
        pathType: File
        readOnly: true
        content: |
          # Log all requests at the Metadata level.
          apiVersion: audit.k8s.io/v1
          kind: Policy
          rules:
          - level: Metadata
 -----------------------------------------
 Runtime Configuration of audit parameters
 -----------------------------------------
 After deploy, only the parameter ``audit-policy-file`` is configurable as a
 system service parameter, allowing the user to enable/disable the feature.
 You can find below an example of how to add this parameter. The feature is
 disabled when the parameter is removed  (i.e. ``system service-parameter-delete``).
 .. code-block:: none
    ~(keystone_admin)$ system service-parameter-add kubernetes kube_apiserver audit-policy-file=/etc/kubernetes/default-audit-policy.yaml
    ~(keystone_admin)$ system service-parameter-apply kubernetes
 -----------
 Limitations
 -----------
 In |prod| |prod-ver|, a custom policy file can only be created at bootstrap
 time in ``apiserver_extra_volumes`` section. If a custom policy file was
 configured at bootstrap, then after bootstrap the user has the option to
 configure the parameter ``audit-policy-file`` to either this custom policy file
 (``/etc/kubernetes/my-audit-policy-file.yml`` in the example above) or the
 default policy file ``/etc/kubernetes/default-audit-policy.yaml``. If no custom
 policy file was configured at bootstrap, then the user can only configure the
 parameter ``audit-policy-file`` to the default policy file.
 Only the parameter ``audit-policy-file`` is configurable after bootstrap, so
 the others (``audit-log-path``, ``audit-log-maxsize``, ``audit-log-maxage`` and
 ``audit-log-maxbackup``) cannot be changed at runtime.
--- a/doc/source/security/kubernetes/operator-command-logging.rst
+++ b/doc/source/security/kubernetes/operator-command-logging.rst
@ -2,9 +2,9 @@
 .. blo1552681488499
 .. _operator-command-logging:
-========================
+==================================
-Operator Command Logging
+StarlingX Operator Command Logging
-========================
+==================================
 |prod| logs all StarlingX REST API operator commands, except commands that use
 only GET requests. |prod| also logs all |SNMP| commands, including ``GET``