
GCE audit policy has an obsolete list of resources #52265

Closed
crassirostris opened this issue Sep 11, 2017 · 8 comments
Labels
area/audit area/platform/gce kind/bug Categorizes issue or PR as related to a bug. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. sig/auth Categorizes an issue or PR as relevant to SIG Auth.

Comments

@crassirostris

Currently, GCE audit policy is v1alpha1 and doesn't match the list of resources in 1.8. It has to be updated before the release and e2e should check that it's correct.

@crassirostris crassirostris added area/audit area/platform/gce kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Sep 11, 2017
@crassirostris crassirostris added this to the v1.8 milestone Sep 11, 2017
@crassirostris crassirostris self-assigned this Sep 11, 2017
@k8s-github-robot

[MILESTONENOTIFIER] Milestone Labels Complete

@crassirostris

Issue label settings:

  • sig/auth: Issue will be escalated to these SIGs if needed.
  • priority/important-soon: Escalate to the issue owners and SIG owner; move out of milestone after several unsuccessful escalation attempts.
  • kind/bug: Fixes a bug discovered during the current release.
Additional instructions available here. The commands available for adding these labels are documented here.

@crassirostris crassirostris changed the title GCE audit policy should use v1beta1 API GCE audit policy has an obsolete list of resources Sep 11, 2017
@crassirostris crassirostris added priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. and removed priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Sep 11, 2017
@crassirostris (Author)

@jdumars @calebamiles Are you OK with fixing this bug in 1.8?

k8s-github-robot pushed a commit that referenced this issue Sep 13, 2017
Automatic merge from submit-queue (batch tested with PRs 52339, 52343, 52125, 52360, 52301)

Switch default audit policy to beta and omit RequestReceived stage

Related to #52265

```release-note
By default, clusters on GCE no longer send the RequestReceived audit event if advanced audit is configured.
```
k8s-github-robot pushed a commit that referenced this issue Sep 13, 2017
Automatic merge from submit-queue (batch tested with PRs 51601, 52153, 52364, 52362, 52342)

Make advanced audit policy on GCP configurable

Related to #52265

Make GCP audit policy configurable

/cc @tallclair
@liggitt (Member)

liggitt commented Sep 13, 2017

@tallclair the current mechanism of generating the GCE audit doesn't seem maintainable if we want to automatically pick up new resources. Is there a reason we didn't exclude specific resources instead?

@tallclair (Member)

The purpose of this list was to exclude third party resources, since we don't know what kind of data they could include (could be sensitive PII, could be large). Perhaps we could build in a way of identifying 3rd party resources.

@liggitt (Member)

liggitt commented Sep 13, 2017

> Perhaps we could build in a way of identifying 3rd party resources.

We really don't want that distinction leaking into external layers like admission.

@tallclair (Member)

In that case maybe an e2e test to catch when a new group is added, but the list isn't updated.

@liggitt (Member)

liggitt commented Sep 13, 2017

Checking via a test would be preferable.
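
The concern raised earlier in the thread (a third-party or newly added API group silently falling through to the catch-all rule) and the test proposed here can both be illustrated with a small coverage check. The following is an added example, not code from the Kubernetes project: it models only the first-match, group/resource part of the audit Policy rule semantics (no user, verb, namespace or nonResourceURL selectors), and the policy and the list of served groups are constructed stand-ins for what an e2e test would load from the cluster and obtain from API discovery.

```python
"""Audit-policy coverage check (added example, not Kubernetes project code).

Models the audit.k8s.io/v1beta1 Policy rule semantics that matter here:
the first rule that matches a request decides its audit level, so an API
group that no rule names explicitly is handled by the catch-all rule,
whatever level that happens to carry.
"""
from typing import Dict, List, Optional, Set

# Constructed policy, shaped like a loaded audit.k8s.io/v1beta1 Policy.
POLICY: Dict = {
    "apiVersion": "audit.k8s.io/v1beta1",
    "kind": "Policy",
    "rules": [
        # Known sensitive core resources: record metadata only, never bodies.
        {"level": "Metadata",
         "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
        # Known first-party groups: record request bodies.
        {"level": "Request",
         "resources": [{"group": ""}, {"group": "apps"}, {"group": "batch"},
                       {"group": "rbac.authorization.k8s.io"}]},
        # Catch-all for everything else (e.g. third-party groups).
        {"level": "Metadata"},
    ],
}

# Constructed stand-in for the groups an e2e test would get from discovery.
# "networking.k8s.io" is deliberately absent from POLICY to show the report.
SERVED_GROUPS: List[str] = ["", "apps", "batch",
                            "rbac.authorization.k8s.io", "networking.k8s.io"]


def rule_matches(rule: Dict, group: str, resource: str) -> bool:
    """A rule without a 'resources' selector matches every request.
    Otherwise the request's group must appear in one selector, and that
    selector must either list the resource or list no resources at all."""
    selectors = rule.get("resources")
    if not selectors:
        return True
    for sel in selectors:
        if sel.get("group", "") != group:
            continue
        names = sel.get("resources")
        if not names or resource in names:
            return True
    return False


def level_for(policy: Dict, group: str, resource: str) -> Optional[str]:
    """First matching rule wins; None means no rule matched at all."""
    for rule in policy["rules"]:
        if rule_matches(rule, group, resource):
            return rule["level"]
    return None


def explicitly_listed_groups(policy: Dict) -> Set[str]:
    """Groups that some rule names by selector (the maintained list)."""
    listed: Set[str] = set()
    for rule in policy["rules"]:
        for sel in rule.get("resources") or []:
            listed.add(sel.get("group", ""))
    return listed


def uncovered_groups(policy: Dict, served: List[str]) -> List[str]:
    """Served groups that only the catch-all rule would handle. An e2e
    test would fail if this list is non-empty, which is exactly the
    'new group added but list not updated' case."""
    listed = explicitly_listed_groups(policy)
    return sorted(g for g in served if g not in listed)


if __name__ == "__main__":
    for grp, res in [("", "secrets"), ("apps", "deployments"),
                     ("networking.k8s.io", "networkpolicies")]:
        print(f"{grp or 'core'}/{res}: {level_for(POLICY, grp, res)}")
    missing = uncovered_groups(POLICY, SERVED_GROUPS)
    print("groups relying on the catch-all rule:", missing or "none")
```

Run as a script it reports that networking.k8s.io is served but relies on the catch-all rule; in an e2e test the served list would come from discovery and the policy from the cluster's configured file, and a non-empty result would fail the test.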

@jdumars (Member)

jdumars commented Sep 14, 2017

It looks like the last PR associated with this is on deck to merge soon. Is there more to do here, or will that close out this issue?

k8s-github-robot pushed a commit that referenced this issue Sep 14, 2017
Automatic merge from submit-queue (batch tested with PRs 52376, 52439, 52382, 52358, 52372)

Add new api groups to the GCE advanced audit policy

Fixes #52265

It introduces the missing API groups that were introduced in the 1.8 release.

@piosz there's also the 'metrics' api group, should we audit it?
5 participants