kubernetes: Advanced Auditing 1.9 umbrella bug
This is a continuation of the work on the Advanced Auditing feature that was tracked for the 1.8 release in https://github.com/kubernetes/kubernetes/issues/48561
As discussed earlier, in the 1.9 release the API stays in Beta for stabilization. Here’s the list of tasks for this K8s release:
API-related changes
- Add a policy-wide `OmitStages` field (more context in https://github.com/kubernetes/kubernetes/pull/49280#issuecomment-319711384)
  - @CaoShuFeng is working on this in https://github.com/kubernetes/kubernetes/pull/54634
- Fix the timestamps in the API (https://github.com/kubernetes/kubernetes/issues/52160)
  - @CaoShuFeng is working on this in https://github.com/kubernetes/kubernetes/pull/52981
Pipeline bugfixes
- Make webhook parameters configurable
- ~Introduce buffering for the log backend to fix file writing bottleneck (https://github.com/kubernetes/kubernetes/issues/53006)~
  - Deferred until the next release
- ~Restore audit logging in the scalability tests (https://github.com/kubernetes/kubernetes/issues/53020)~
  - Deferred until the next release
- Shutdown http handlers before shutting down audit backend (https://github.com/kubernetes/kubernetes/issues/50781)
  - @hzxuzhonghu is working on this in https://github.com/kubernetes/kubernetes/pull/54849
- Policy without kind/apiVersion is still valid (https://github.com/kubernetes/kubernetes/issues/54254)
  - @ericchiang is working on this in https://github.com/kubernetes/kubernetes/pull/54267
- Rate-limit batching webhook backend (https://github.com/kubernetes/kubernetes/issues/52907)
  - @crassirostris is working on this in https://github.com/kubernetes/kubernetes/pull/53417, with the help of @hzxuzhonghu
- Network errors are not retried (https://github.com/kubernetes/kubernetes/issues/52909)
  - @crassirostris is working on this in https://github.com/kubernetes/kubernetes/pull/53947
Policy changes
- ~GCE audit policy should be made re-usable by other setups (https://github.com/kubernetes/kubernetes/issues/53321)~
  - Deferred until the next release
- ~Audit policy should be tested (e.g. that it includes all core resources, more context in https://github.com/kubernetes/kubernetes/issues/52265#issuecomment-329243972)~
  - Deferred until the next release
Misc
- kubectl sends empty patch requests, which results in addon manager spamming audit logs (https://github.com/kubernetes/kubernetes/issues/54010)
  - @hzxuzhonghu is working on this in https://github.com/kubernetes/kubernetes/pull/54046
To discuss
- ~Auditing federation setups (https://github.com/kubernetes/kubernetes/issues/50076)~
  - Deferred until the next release
- ~Auditing multi-apiserver setups~
  - Deferred until the next release
/cc @sttts @soltysh @tallclair @ericchiang @CaoShuFeng @hzxuzhonghu
About this issue
- State: closed
- Created 7 years ago
- Comments: 23 (7 by maintainers)
Commits related to this issue
- Merge pull request #54634 from CaoShuFeng/omit_stage Automatic merge from submit-queue (batch tested with PRs 52322, 54634). If you want to cherry-pick this change to another branch, please follow th... — committed to kubernetes/kubernetes by deleted user 7 years ago
- Merge pull request #54634 from CaoShuFeng/omit_stage Automatic merge from submit-queue (batch tested with PRs 52322, 54634). If you want to cherry-pick this change to another branch, please follow th... — committed to sttts/apiserver by k8s-publish-robot 7 years ago
- Merge pull request #54634 from CaoShuFeng/omit_stage Automatic merge from submit-queue (batch tested with PRs 52322, 54634). If you want to cherry-pick this change to another branch, please follow th... — committed to k8s-publishing-bot/apiserver by k8s-publish-robot 7 years ago
- Merge pull request #56638 from crassirostris/audit-webhook-make-configurable Automatic merge from submit-queue (batch tested with PRs 56790, 56638). If you want to cherry-pick this change to another ... — committed to kubernetes/kubernetes by deleted user 7 years ago
- Merge pull request #56890 from crassirostris/make-audit-configurable Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a hre... — committed to kubernetes/kubernetes by deleted user 7 years ago
@enisoc Sure, done