Open pkprzekwas opened 1 year ago
I wonder if this kind of semi-global audit configuration should be a dedicated resource instead that enforces its setting based on datacenter / seed / project (label) matching. It doesn't seem like a good idea to bloat the Datacenter struct too much.
As the customer who raised this - enabling this on the datacenter-level really makes little to no sense to me. I would have preferred/expected a global setting (i.e. KubermaticConfiguration) or maybe one on the Seed - directly in the resource or referenced. Honestly, if audit logging is needed, it's usually needed for absolutely everything in the environment.
Thanks for the feedback, we will consider that while designing the solution!
Output from internal discussion of SIG cluster management:
User story
As a DC administrator, while enforcing audit logging on user clusters, I would like to configure the enforced policy instead of defaulting it to Metadata.

Solution details
We could support the same presets as those provided while defining a user cluster object: https://github.com/kubermatic/kubermatic/blob/main/pkg/apis/kubermatic/v1/audit_logging.go#L29-L33

Alternative approaches
- Support setting the policy to Request or RequestResponse instead of Metadata (see https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#audit-policy).
- Support inline policies or ConfigMap references.
Additional information
https://docs.kubermatic.com/kubermatic/v2.21/tutorials-howtos/audit-logging/
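An added example, not from this issue or the Kubermatic code base, showing what the Metadata / Request / RequestResponse levels discussed above look like in a Kubernetes audit Policy (the format an inline policy or referenced ConfigMap would carry). Rules are matched top to bottom and the first match wins, so a blanket RequestResponse policy still needs an earlier Metadata rule for Secrets and similar objects, otherwise their contents are written into the audit log.

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so each request produces one event.
omitStages:
  - RequestReceived
rules:
  # Secrets, ConfigMaps and token requests: record who touched what,
  # never the payload, or secret values end up in the audit log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
  # Read-only calls on everything else: the request is enough.
  - level: Request
    verbs: ["get", "list", "watch"]
  # Mutating calls: keep both the request body and the API server response.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete", "deletecollection"]
  # Catch-all for anything not matched above (e.g. non-resource URLs).
  - level: Metadata
```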