kubermatic / kubermatic

Kubermatic Kubernetes Platform - the Central Kubernetes Management Platform For Any Infrastructure
https://www.kubermatic.com

Support policy configuration while enforcing audit logging on Datacenter #11926

Open pkprzekwas opened 1 year ago

pkprzekwas commented 1 year ago

User story

As a DC administrator, while enforcing audit logging on user clusters, I would like to configure the enforced policy instead of defaulting it to Metadata.

Solution details

We could support the same presets as those provided when defining a user cluster object - https://github.com/kubermatic/kubermatic/blob/main/pkg/apis/kubermatic/v1/audit_logging.go#L29-L33

Alternative approaches

Additional information

https://docs.kubermatic.com/kubermatic/v2.21/tutorials-howtos/audit-logging/

5107

embik commented 1 year ago

I wonder if this kind of semi-global audit configuration should be a dedicated resource instead that enforces its setting based on datacenter / seed / project (label) matching. It doesn't seem like a good idea to bloat the Datacenter struct too much.

judge-red commented 1 year ago

> I wonder if this kind of semi-global audit configuration should be a dedicated resource instead that enforces its setting based on datacenter / seed / project (label) matching. It doesn't seem like a good idea to bloat the Datacenter struct too much.

As the customer who raised this - enabling this on the datacenter-level really makes little to no sense to me. I would have preferred/expected a global setting (i.e. KubermaticConfiguration) or maybe one on the Seed - directly in the resource or referenced. Honestly, if audit logging is needed, it's usually needed for absolutely everything in the environment.

embik commented 1 year ago

Thanks for the feedback, we will consider that while designing the solution!

csengerszabo commented 1 year ago

Output from internal discussion of SIG cluster management: