Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhance audit logging, especially for authorization #1307

Closed
s-urbaniak opened this issue Jun 20, 2022 · 3 comments · Fixed by #1833
Closed

Enhance audit logging, especially for authorization #1307

s-urbaniak opened this issue Jun 20, 2022 · 3 comments · Fixed by #1833
Assignees
@s-urbaniak
Labels
area/authorization kind/feature Categorizes issue or PR as related to a new feature.
Milestone
v0.8

Comments

@s-urbaniak
Copy link
Contributor

s-urbaniak commented Jun 20, 2022
edited
Loading

Currently, we leave little traces about authorizers besides native kube RBAC ones.

Native kube RBAC authorizer creates audit log entries for two cases:

allowed:

  • client: client gets no reason (expected)
  • audit: reason is encoded in the audit annotation:
    "authorization.k8s.io/reason": "RBAC: allowed by RoleBinding \"foo\" of Role \"bar\" to User \"baz\""

denied:

  • client: client gets a simplified reason of denial, example:
    Error from server (Forbidden): pods is forbidden: User "foo" cannot list resource "bar" in API group "" in the namespace "baz"
  • audit: reason is only encoded in the message, not in the audit annotation without further details:
    "message": "pods is forbidden: User \"foo\" cannot list resource \"bar\" in API group \"\" in the namespace \"baz\"", "authorization.k8s.io/reason": ""

For kcp I suggest to create dedicated annotations per authorizer (api-binding, top level, content) and set potential reasoning messages for both denial and allowed requests, examples:

  • apibinding.authorization.kcp.io/decision: "allow/forbid"
  • toplevel.authorization.kcp.io/decision: "allow/forbid"
  • content.authorization.kcp.io/decision: "allow/forbid"
  • apibinding.authorization.kcp.io/reason: "allowed, no maximal local permission policy present"
  • apibinding.authorization.kcp.io/reason: "forbidden by RBAC in API Export cluster \"foo\"" (reason will be encoded via message , see above)
  • content.authorization.kcp.io/reason: "allowed by cluster local service account (extraGroups=[\"system:kcp:clusterworkspace:access\"])"
  • content.authorization.kcp.io/reason: "allowed by \"admin\" verb in workspace \"foo\" (extraGroups=[\"system:kcp:clusterworkspace:access\",\"system:kcp:clusterworkspace:admin\"])"
@sttts sttts added this to kcp Jun 20, 2022
@sttts sttts moved this to New in kcp Jun 20, 2022
@sttts
Copy link
Member

sttts commented Jun 20, 2022

👍

@sttts
Copy link
Member

sttts commented Jun 20, 2022

s/kcp.io/kcp.dev/

@s-urbaniak s-urbaniak added the kind/feature Categorizes issue or PR as related to a new feature. label Jun 20, 2022
@s-urbaniak s-urbaniak self-assigned this Jun 20, 2022
@ncdc ncdc added this to the TBD milestone Jun 21, 2022
@ncdc ncdc mentioned this issue Aug 16, 2022
Merged
@ncdc
Copy link
Member

ncdc commented Aug 16, 2022

#1767 implements annotations for content & toplevel

@s-urbaniak s-urbaniak modified the milestones: TBD, v0.8 Aug 17, 2022
@s-urbaniak s-urbaniak mentioned this issue Aug 25, 2022
Merged
Repository owner moved this from New to Done in kcp Aug 31, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@s-urbaniak s-urbaniak

Labels
area/authorization kind/feature Categorizes issue or PR as related to a new feature.
Projects
kcp
Status: Done
Milestone
v0.8
Development

Successfully merging a pull request may close this issue.

pkg/authorization: add audit logging s-urbaniak/kcp
3 participants
@ncdc @s-urbaniak @sttts