
addon: prometheus-adapter addon to enable audit logs

Open sthaha opened this issue 2 years ago • 3 comments

Description

This addon configures Prometheus Adapter to turn on audit logs. Enabling audit logs requires passing a Policy file to the adapter. The addon adds a list of policies that match the K8S Policy log levels, such as

  • None
  • Metadata
  • RequestResponse
  • Request

See: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy

The adapter will be configured to log at the Metadata level by default, which can be changed by setting values.pa.auditProfile. See examples/prometheus-adapter-audit-example.jsonnet.

Type of change

What type of changes does your code introduce to the kube-prometheus? Put an x in the boxes that apply.

  • [ ] CHANGE (fix or feature that would cause existing functionality to not work as expected)
  • [x] FEATURE (non-breaking change which adds functionality)
  • [ ] BUGFIX (non-breaking change which fixes an issue)
  • [ ] ENHANCEMENT (non-breaking change which improves existing functionality)
  • [ ] NONE (if none of the other choices apply. Example, tooling, build system, CI, docs, etc.)

Changelog entry

New addon for Prometheus Adapter to configure audit logs.

sthaha avatar Oct 15 '21 04:10 sthaha

This should be a part of prometheus-adapter.libsonnet and be conditionally enabled. I don't see any reason for this to be an addon.

That's a fair point, having it conditionally enabled sounds better suited since it is essentially part of the prometheus-adapter component. At first, I was thinking more about having an addon that would enable audit log on top of the default configuration, but I prefer your approach. Sorry for the inconvenience @sthaha.

Since we are bounding the size of the audit log file to 100Mb, I think enabling the Metadata level by default shouldn't be a problem and it will only be beneficial to the kube-prometheus users. For what it's worth, once the audit log file is full, it is rotated to be able to continue to gather new audit logs while only keeping the freshest ones.

dgrisonnet avatar Oct 15 '21 07:10 dgrisonnet

conditionally enabled

@paulfantom could you please shed some light on how you would like it to be conditionally enabled? Is there a precedent or an example I can copy from?

sthaha avatar Oct 15 '21 08:10 sthaha

You can take the thanos sidecar setup of Prometheus as an example: https://github.com/prometheus-operator/kube-prometheus/blob/main/jsonnet/kube-prometheus/components/prometheus.libsonnet#L330-L344

dgrisonnet avatar Oct 15 '21 11:10 dgrisonnet
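One way to fold the audit-log settings into the prometheus-adapter component and emit them only when a profile other than None is selected, following the conditional pattern of the thanos sidecar linked above (an added jsonnet sketch, not code from kube-prometheus or this PR). The field names under `config`, the mount paths and the placeholder image are assumptions, and the `--audit-*` flags are assumed to be the generic Kubernetes apiserver-library flags the adapter inherits.

```jsonnet
// Added example, not kube-prometheus code; config field names, paths, image and the
// assumption that the adapter accepts the apiserver-library --audit-* flags are mine.
local auditLevels = ['None', 'Metadata', 'Request', 'RequestResponse'];
local defaults = {
  namespace: 'monitoring',
  image: 'IMAGE_PLACEHOLDER',  // adapter image, deliberately left as a placeholder
  auditProfile: 'Metadata',    // default level proposed in the thread
  auditLogMaxSizeMB: 100,      // rotate the file once it reaches this size
  auditLogMaxBackup: 5,        // number of rotated files to keep
};
// Minimal audit Policy: every request is logged at the selected level.
local policyFor(level) = { apiVersion: 'audit.k8s.io/v1', kind: 'Policy', rules: [{ level: level }] };

function(params) {
  local pa = self,
  config:: defaults + params,
  assert std.member(auditLevels, pa.config.auditProfile)
    : 'auditProfile must be one of ' + std.join(', ', auditLevels),
  local auditEnabled = pa.config.auditProfile != 'None',
  // Computed field name: the ConfigMap exists only when auditing is on.
  [if auditEnabled then 'auditPolicyConfigMap']: {
    apiVersion: 'v1', kind: 'ConfigMap',
    metadata: { name: 'prometheus-adapter-audit-policy', namespace: pa.config.namespace },
    data: { 'audit-policy.yaml': std.manifestYamlDoc(policyFor(pa.config.auditProfile)) },
  },
  deployment: {
    apiVersion: 'apps/v1', kind: 'Deployment',
    metadata: { name: 'prometheus-adapter', namespace: pa.config.namespace },
    spec: { template: { spec: {
      containers: [{
        name: 'prometheus-adapter',
        image: pa.config.image,
        // Audit flags and the size bound are appended only when a profile is active.
        args: ['--config=/etc/adapter/config.yaml'] + (if !auditEnabled then [] else [
          '--audit-policy-file=/etc/adapter/audit/audit-policy.yaml',
          '--audit-log-path=/var/log/adapter/audit.log',
          '--audit-log-maxsize=%d' % pa.config.auditLogMaxSizeMB,
          '--audit-log-maxbackup=%d' % pa.config.auditLogMaxBackup,
        ]),
        volumeMounts: if !auditEnabled then [] else [
          { name: 'audit-policy', mountPath: '/etc/adapter/audit', readOnly: true },
          { name: 'audit-log', mountPath: '/var/log/adapter' },
        ],
      }],
      volumes: if !auditEnabled then [] else [
        { name: 'audit-policy', configMap: { name: 'prometheus-adapter-audit-policy' } },
        { name: 'audit-log', emptyDir: {} },
      ],
    } } },
  },
}
```

Evaluating with `auditProfile: 'None'` yields a deployment without the audit arguments, mounts or ConfigMap, while any other valid level produces all three; an unknown level fails the assert at evaluation time rather than at deploy time.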