siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0

Enable configuration of kube-apiserver audit policy #5106

Closed JAORMX closed 1 year ago

JAORMX commented 2 years ago

Feature Request

Let's have an option to set the Kubernetes API Server audit policy.

Description

Currently, there's a hard-coded audit policy that looks as follows [1]:

apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
- level: Metadata

While this policy is sufficient in a lot of cases, there are instances where administrators will want to modify it to meet regulatory compliance requirements or to tune this setting for resource usage reasons (e.g. to reduce the amount of space these logs take on disk).

By having this functionality settable by an administrator, Talos will be able to better meet compliance needs of users.

This should probably be done through the machineConfig API from Talos.

References

[1] https://github.com/talos-systems/talos/blob/master/internal/app/machined/pkg/controllers/k8s/templates.go#L22-L25

sergelogvinov commented 2 years ago

Proposal: add the resource AuditConfigs.kubernetes.talos.dev, which can be changed through the machineConfig. The resource definition restarts kube-api if it changes.

cluster:
  apiServer:
    auditConfig:
      apiVersion: audit.k8s.io/v1
      kind: Policy
      rules:
      - level: Metadata

smira commented 1 year ago

This is available in upcoming v1.3.0
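As a worked illustration of the kind of tuned policy the request above is about (added here; it is not from the issue, from Talos's documentation, or from any shipped default), the machine-config fragment below keeps Metadata-level logging as the fallback but avoids writing Secret and ConfigMap payloads to the audit log, drops probe noise, and records full bodies for mutating calls. It assumes the released field name `cluster.apiServer.auditPolicy` (the proposal above called it `auditConfig`; check the config reference for your Talos version) and a kube-apiserver that understands `audit.k8s.io/v1`.

```yaml
cluster:
  apiServer:
    auditPolicy:
      apiVersion: audit.k8s.io/v1
      kind: Policy
      # No event is emitted at the RequestReceived stage; the ResponseComplete
      # event for the same request still carries the outcome.
      omitStages:
        - RequestReceived
      # Rules are evaluated top to bottom and the first match wins, so the
      # restrictive rules for sensitive resources must come before the
      # broad RequestResponse rule below.
      rules:
        # Secrets, ConfigMaps and token reviews: record that access happened
        # (user, verb, object reference), never the request or response body,
        # so the audit log itself does not become a copy of cluster secrets.
        - level: Metadata
          resources:
            - group: ""
              resources: ["secrets", "configmaps"]
            - group: "authentication.k8s.io"
              resources: ["tokenreviews"]
        # Health, readiness, version and metrics probes are high-volume and
        # carry no compliance value; dropping them reduces disk usage.
        - level: None
          nonResourceURLs:
            - "/healthz*"
            - "/readyz*"
            - "/livez*"
            - "/version"
            - "/metrics"
        # kube-proxy watching endpoints/services is steady-state noise.
        - level: None
          users: ["system:kube-proxy"]
          verbs: ["watch"]
          resources:
            - group: ""
              resources: ["endpoints", "services"]
        # Every remaining mutation is captured with full request and
        # response bodies, which is what change-tracking audits ask for.
        - level: RequestResponse
          verbs: ["create", "update", "patch", "delete", "deletecollection"]
        # Everything else (reads, lists, watches) keeps the previous default.
        - level: Metadata
```

Applying a change to this block triggers a kube-apiserver restart, as the proposal above describes, so roll it out one control-plane node at a time.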