
Enable configuration of kube-apiserver audit policy

Open · JAORMX opened this issue 3 years ago

Feature Request

Let's have an option to set the Kubernetes API Server audit policy.

Description

Currently, there's a hard-coded audit policy that looks as follows [1]:

apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
- level: Metadata

While this policy is sufficient in a lot of cases, there are instances where administrators will want to modify it to meet regulatory compliance requirements or to tune this setting for resource usage reasons (e.g. to reduce the amount of space these logs take on disk).

By having this functionality settable by an administrator, Talos will be able to better meet compliance needs of users.

This should probably be done through the machineConfig API from Talos.

References

[1] https://github.com/talos-systems/talos/blob/master/internal/app/machined/pkg/controllers/k8s/templates.go#L22-L25

JAORMX avatar Mar 11 '22 14:03 JAORMX

Proposal: Add the resource AuditConfigs.kubernetes.talos.dev, which can be changed through the machineConfig. The resource definition restarts kube-apiserver if it changes.

cluster:
  apiServer:
    auditConfig:
      apiVersion: audit.k8s.io/v1
      kind: Policy
      rules:
      - level: Metadata

sergelogvinov avatar Aug 29 '22 14:08 sergelogvinov
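The policy under cluster.apiServer.auditConfig is handed to kube-apiserver unchanged, so the rules are evaluated with the apiserver's own first-match semantics: the first rule whose selectors (users, userGroups, verbs, namespaces, resources, nonResourceURLs) all match decides the level, and a request matching no rule is not audited at all. Ordering mistakes are easy to make (a broad `level: Request` rule placed before a `secrets` rule logs secret bodies) and only show up once the apiserver has restarted with the new policy. The script below is an added example, not code from this thread or from Talos: it re-implements that matching logic in Python so a tuned policy can be checked against sample requests before it goes into the machine config. The policy, the request attributes and the user names in it are constructed for the example; it also rejects the `audit.k8s.io/v1beta1` apiVersion, which Kubernetes 1.24 removed.

```python
"""Evaluate an audit.k8s.io/v1 Policy with kube-apiserver's first-match rules.

Added example, not Talos or Kubernetes project code. Policy and requests
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

LEVELS = ("None", "Metadata", "Request", "RequestResponse")


@dataclass
class Request:
    """Subset of the authorizer attributes an audit rule can match on."""
    user: str
    groups: tuple
    verb: str
    group: str = ""              # API group, "" is the core group
    resource: str = ""
    subresource: str = ""
    namespace: str = ""          # "" for cluster-scoped resources
    name: str = ""
    path: Optional[str] = None   # set for non-resource URLs such as /healthz

    @property
    def is_resource_request(self) -> bool:
        return self.path is None


def _matches_resource(rule: dict, req: Request) -> bool:
    if not req.is_resource_request:
        return False
    if rule.get("namespaces") and req.namespace not in rule["namespaces"]:
        return False
    if not rule.get("resources"):
        return True
    combined = req.resource + ("/" + req.subresource if req.subresource else "")
    for gr in rule["resources"]:
        if gr.get("group", "") != req.group:
            continue
        if not gr.get("resources"):
            return True  # every resource in the group
        if gr.get("resourceNames") and req.name not in gr["resourceNames"]:
            continue
        for res in gr["resources"]:
            # "pods" does not match "pods/log": subresources must be named explicitly
            if res == "*" or res == combined:
                return True
            if req.subresource and res.startswith("*/") and res[2:] == req.subresource:
                return True
            if res.endswith("/*") and res[:-2] == req.resource:
                return True
    return False


def _matches_non_resource(rule: dict, req: Request) -> bool:
    if req.is_resource_request:
        return False
    return any(req.path == spec or (spec.endswith("*") and req.path.startswith(spec.rstrip("*")))
               for spec in rule.get("nonResourceURLs", []))


def _matches(rule: dict, req: Request) -> bool:
    if rule.get("users") and req.user not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(req.groups):
        return False
    if rule.get("verbs") and req.verb not in rule["verbs"]:
        return False
    if rule.get("namespaces") or rule.get("resources"):
        return _matches_resource(rule, req)
    if rule.get("nonResourceURLs"):
        return _matches_non_resource(rule, req)
    return True  # no selector at all: matches every request


def validate_policy(policy: dict) -> None:
    if policy.get("apiVersion") != "audit.k8s.io/v1" or policy.get("kind") != "Policy":
        raise ValueError("expected apiVersion audit.k8s.io/v1, kind Policy (v1beta1 was removed in 1.24)")
    for i, rule in enumerate(policy.get("rules", [])):
        if rule.get("level") not in LEVELS:
            raise ValueError(f"rule {i}: level must be one of {LEVELS}")


def level_for(policy: dict, req: Request):
    """(level, omitStages) of the first matching rule; unmatched requests are not audited."""
    policy_omit = list(policy.get("omitStages", []))
    for rule in policy.get("rules", []):
        if _matches(rule, req):
            return rule["level"], policy_omit + [s for s in rule.get("omitStages", []) if s not in policy_omit]
    return "None", policy_omit


# Constructed tuned policy: drop kube-proxy watches and health probes, never record
# secret/configmap bodies, keep full RBAC changes, Metadata for everything else.
TUNED_POLICY = {
    "apiVersion": "audit.k8s.io/v1", "kind": "Policy", "omitStages": ["RequestReceived"],
    "rules": [
        {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
         "resources": [{"group": "", "resources": ["endpoints", "services"]},
                       {"group": "discovery.k8s.io", "resources": ["endpointslices"]}]},
        {"level": "None", "nonResourceURLs": ["/healthz*", "/readyz*", "/livez*", "/version"]},
        {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
        {"level": "RequestResponse", "resources": [{"group": "rbac.authorization.k8s.io"}]},
        {"level": "Request", "verbs": ["create", "update", "patch", "delete"]},
        {"level": "Metadata"},
    ],
}

if __name__ == "__main__":
    validate_policy(TUNED_POLICY)
    for r in (Request("system:kube-proxy", ("system:nodes",), "watch", resource="endpoints"),
              Request("system:anonymous", ("system:unauthenticated",), "get", path="/healthz"),
              Request("alice", ("system:authenticated",), "create", resource="secrets", namespace="default"),
              Request("alice", ("system:authenticated",), "get", resource="pods", subresource="log", namespace="dev")):
        print(r.verb, r.path or f"{r.group or 'core'}/{r.resource}", "->", level_for(TUNED_POLICY, r))
```

The dict under `TUNED_POLICY` is exactly what would be placed under `cluster.apiServer.auditConfig` in the machine config once it is serialized as YAML; swapping the order of the `secrets` rule and the `Request` rule, then re-running the check for a `create secrets` request, shows the body-logging mistake the evaluator is meant to catch.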

This is available in upcoming v1.3.0

smira avatar Oct 31 '22 14:10 smira