
[v18] identity activity center: Backport EKS audit logs#61651

Merged
camscale merged 12 commits into branch/v18 from camh/v18/eks-audit-logs
Nov 24, 2025

Conversation

@camscale
Contributor

@camscale camscale commented Nov 21, 2025

Backport the PRs for implementing EKS audit logs fetching and sending to access
graph for Identity Activity Center. This set of commits:

  • Adds an RPC method to the grpc AccessGraphService
  • Extends protobuf types for configuring Access Graph
  • Extends file configuration for configuring the new feature
  • Extends AWS sync discovery to discover EKS clusters for fetching logs
  • Adds a watcher/fetcher for fetching EKS logs and sending them to Access Graph
  • Extends integration setup to add IAM permissions for fetching EKS logs from
    CloudWatch Logs

There are other PRs for access graph that implement its side of the feature, as
well as a documentation PR that is not in this backport. It will be backported
separately.

The only conflicts were with the auto-generated commits for the .proto files.
These were resolved by re-running the generation commands.

Also changed were the synctest tests as branch/v18 has Go 1.24 which has
a different synctest API.

Issue: https://github.com/gravitational/access-graph/issues/1589
Backport: #59566
Backport: #59567
Backport: #59568
Backport: #61364

@camscale camscale added the no-changelog label (Indicates that a PR does not require a changelog entry) Nov 21, 2025
@camscale camscale requested a review from juliaogris November 21, 2025 03:16
@camscale camscale changed the title identity activity center: Backport EKS audit logs [v18] identity activity center: Backport EKS audit logs Nov 21, 2025
@public-teleport-github-review-bot

@camscale - this PR will require admin approval to merge due to its size. Consider breaking it up into a series smaller changes.

@socket-security

socket-security bot commented Nov 21, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff: Added
Package: golang/github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs@v1.58.9
Supply Chain Security: 98, Vulnerability: 100, Quality: 100, Maintenance: 100, License: 100


@camscale camscale force-pushed the camh/v18/eks-audit-logs branch from 5e03e52 to 375414c November 21, 2025 04:39
… Graph

Add a `KubeAuditLogsStream()` rpc to the `AccessGraphService` for
streaming Kubernetes apiserver audit logs from the Teleport discovery
service to access graph. This is intended for EKS audit logs which are
made available via CloudWatch, but can accommodate other k8s services.

The audit log messages are represented as a `google.protobuf.Struct` so
as to not depend on the k8s.io .proto files, but also as k8s typically
uses protos internally only - the expectation is that we'll receive the
apiserver audit logs as json-encoded strings. This encodes easily as a
`google.protobuf.Struct`.

Generate proto and grpc code for changes to accessgraph/v1alpha1:

    make grpc/host

These changes add the `KubeAuditLogsStream()` rpc and associated types.

Add the `AccessGraphAWSSyncEKSAuditLogs` message used by the new field in
`AccessGraphAWSSync` for specifying which EKS clusters should have
apiserver audit logs fetched and sent to Access Graph.

Generate proto code for `AccessGraphAWSSyncEKSAuditLogs` message:

    make grpc/host
    make derive

Extend the static config for Access Graph discovery to be able to
specify the EKS cluster for which apiserver audit logs should be fetched
and sent to Access Graph.

Add a watcher to start fetchers for all access graph EKS clusters that
are configured to have Kubernetes apiserver audit logs fetched and send
them to access graph. It receives the set of clusters to fetch audit
logs for from the AWS resource syncer as it discovers EKS clusters.
Those clusters are reconciled against the current set of log fetchers,
with no-longer-needed fetchers stopped and new fetchers started as
needed.

This commit requires go.mod be updated with:

    go get github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs@latest

It is left out of this commit for now as it makes rebasing/merging
master easier.

Run:

    go get github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs@latest
    make go-mod-tidy-all
    # Manually move the go.mod line back to the first section!?!?

This commit is kept separate for easier merging/rebasing.

Refactor the eksAuditLog{Watcher,Fetcher} and the aws_sync.Fetcher
cloudwatchlogs to be more testable:

* factor away eksAuditLogFetcher from eksAuditLogWatcher. The watcher
  just needs a factory function to create a fetcher, and all the watcher
  needs from that fetcher is a `Run()` method. Lift the cancel func out
  of the watcher and store it directly in the watcher, as only the
  watcher uses it.
* factor away aws_sync.Fetcher from eksAuditLogFetcher. All it needs
  from the sync fetcher it calls is one method to fetch cloudwatch logs.
  Make that an interface and use just that. This allows a fake source of
  cloudwatch logs to be provided for testing. While here, use protobuf
  getters rather than accessing fields directly.
* Use protobuf getters in aws_sync.Fetcher cloudwatchlogs instead of
  accessing fields directly. In future, we could pass in an interface
  with those getters to make the code more testable.

Add tests for `eksAuditLogWatcher` and `eksAuditLogFetcher`. Copy the
grpc stream testing util from the access graph repo into teleport as it
is useful for the bidirectional streaming methods used by access graph,
and makes it easier to test on the client side.

Update the `teleport configure integration access-graph aws-iam` command
to add a permission to access EKS audit logs via CloudWatch Logs if the
`--eks-audit-logs` flag is passed. This is necessary so that an
integration can pull the EKS audit logs if so configured in a discovery
access graph matcher.

Extend the web endpoint for the webscript for integrations configure
access-graph-cloud-sync-iam.sh to add the `eksAuditLogs` query param to
configure with EKS audit logs enabled. Add tests for this endpoint as
there were none.

Run `make go-generate` to update the `lib/utils/aws/region/regions.go`
file as something in the backport of EKS audit logs for Identity
Activity Center has changed what would be generated.
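The reconcile step described in the watcher commit above, as an added Go example that is not Teleport's code: the names (`watcher`, `auditLogFetcher`, `fetcherFactory`, `reconcile`) and the one-cancel-func-per-cluster layout are assumptions based on the commit messages, and the `fetcherFunc` adapter stands in for a real CloudWatch Logs fetcher so the logic runs offline.

```go
package main

import (
	"context"
	"slices"
	"sync"
)

// auditLogFetcher is all the watcher needs from a fetcher: a Run method.
type auditLogFetcher interface{ Run(ctx context.Context) }
// fetcherFunc adapts a plain function to auditLogFetcher (used for fakes).
type fetcherFunc func(ctx context.Context)

func (f fetcherFunc) Run(ctx context.Context) { f(ctx) }
// fetcherFactory builds the fetcher for one cluster; injected for testing.
type fetcherFactory func(cluster string) auditLogFetcher

// watcher keeps one running fetcher per cluster and owns the cancel funcs
// (hypothetical layout, following the commit message).
type watcher struct {
	newFetcher fetcherFactory
	mu         sync.Mutex
	running    map[string]context.CancelFunc // cluster name -> cancel
}

func newWatcher(f fetcherFactory) *watcher {
	return &watcher{newFetcher: f, running: map[string]context.CancelFunc{}}
}

// reconcile aligns running fetchers with the desired cluster set: fetchers for
// clusters no longer wanted are cancelled, new clusters get one started, and
// fetchers for clusters still wanted are left running untouched.
func (w *watcher) reconcile(ctx context.Context, desired []string) (started, stopped []string) {
	w.mu.Lock()
	defer w.mu.Unlock()
	for c, cancel := range w.running { // stop what is no longer wanted
		if !slices.Contains(desired, c) {
			cancel()
			delete(w.running, c)
			stopped = append(stopped, c)
		}
	}
	for _, c := range desired { // start what is newly wanted, in input order
		if _, ok := w.running[c]; ok {
			continue
		}
		fctx, cancel := context.WithCancel(ctx)
		w.running[c] = cancel
		go w.newFetcher(c).Run(fctx)
		started = append(started, c)
	}
	return started, stopped
}
```

Calling `reconcile` with the cluster set the AWS syncer most recently discovered is enough; the watcher needs no diff from the caller because it computes the start/stop sets itself.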
@camscale camscale force-pushed the camh/v18/eks-audit-logs branch from 375414c to df0fd8c November 24, 2025 02:27
@camscale camscale added this pull request to the merge queue Nov 24, 2025
Merged via the queue into branch/v18 with commit aa627cb Nov 24, 2025
43 of 45 checks passed
@camscale camscale deleted the camh/v18/eks-audit-logs branch November 24, 2025 05:50

Labels

backport, discovery, no-changelog (Indicates that a PR does not require a changelog entry), size/xl