Merge pull request #30435 from bergerhoffer/adding-oauth-api-server-example

Adding examples for viewing OAuth API server audit logs

Author: bergerhoffer

modules/nodes-nodes-audit-log-basic-viewing.adoc

@@ -3,17 +3,17 @@
 // * security/audit-log-view.adoc
 
 [id="nodes-nodes-audit-log-basic-viewing_{context}"]
-= Viewing the audit log
+= Viewing the audit logs
 
-You can view logs for the {product-title} API server or the Kubernetes API server for each master node.
+You can view the logs for the OpenShift API server, Kubernetes API server, and OpenShift OAuth API server for each master node.
 
 .Procedure
 
-To view the audit log:
+To view the audit logs:
 
-. View the {product-title} API server logs
+* View the OpenShift API server logs:
 
-.. If necessary, get the node name of the log you want to view:
+.. List the OpenShift API server logs that are available for each master node:
 +
 [source,terminal]
 ----
@@ -23,90 +23,110 @@ $ oc adm node-logs --role=master --path=openshift-apiserver/
 .Example output
 [source,terminal]
 ----
-ip-10-0-140-97.ec2.internal audit-2019-04-09T00-12-19.834.log
-ip-10-0-140-97.ec2.internal audit-2019-04-09T11-13-00.469.log
-ip-10-0-140-97.ec2.internal audit.log
-ip-10-0-153-35.ec2.internal audit-2019-04-09T00-11-49.835.log
-ip-10-0-153-35.ec2.internal audit-2019-04-09T11-08-30.469.log
-ip-10-0-153-35.ec2.internal audit.log
-ip-10-0-170-165.ec2.internal audit-2019-04-09T00-13-00.128.log
-ip-10-0-170-165.ec2.internal audit-2019-04-09T11-10-04.082.log
-ip-10-0-170-165.ec2.internal audit.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-0 audit-2021-03-09T00-12-19.834.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-0 audit.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-1 audit-2021-03-09T00-11-49.835.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-1 audit.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit-2021-03-09T00-13-00.128.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit.log
 ----
 
-.. View the {product-title} API server log for a specific master node and timestamp or view all the logs for that master:
+.. View a specific OpenShift API server log by providing the node name and the log name:
 +
 [source,terminal]
 ----
-$ oc adm node-logs <node-name> --path=openshift-apiserver/<log-name>
+$ oc adm node-logs <node_name> --path=openshift-apiserver/<log_name>
 ----
 +
 For example:
 +
 [source,terminal]
 ----
-$ oc adm node-logs ip-10-0-140-97.ec2.internal --path=openshift-apiserver/audit-2019-04-08T13-09-01.227.log
+$ oc adm node-logs ci-ln-m0wpfjb-f76d1-vnb5x-master-0 --path=openshift-apiserver/audit-2021-03-09T00-12-19.834.log
 ----
 +
+.Example output
 [source,terminal]
 ----
-$ oc adm node-logs ip-10-0-140-97.ec2.internal --path=openshift-apiserver/audit.log
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"381acf6d-5f30-4c7d-8175-c9c317ae5893","stage":"ResponseComplete","requestURI":"/metrics","verb":"get","user":{"username":"system:serviceaccount:openshift-monitoring:prometheus-k8s","uid":"825b60a0-3976-4861-a342-3b2b561e8f82","groups":["system:serviceaccounts","system:serviceaccounts:openshift-monitoring","system:authenticated"]},"sourceIPs":["10.129.2.6"],"userAgent":"Prometheus/2.23.0","responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-03-08T18:02:04.086545Z","stageTimestamp":"2021-03-08T18:02:04.107102Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"prometheus-k8s\" of ClusterRole \"prometheus-k8s\" to ServiceAccount \"prometheus-k8s/openshift-monitoring\""}}
 ----
+
+* View the Kubernetes API server logs:
+
+.. List the Kubernetes API server logs that are available for each master node:
 +
-The output appears similar to the following:
+[source,terminal]
+----
+$ oc adm node-logs --role=master --path=kube-apiserver/
+----
 +
 .Example output
 [source,terminal]
 ----
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"ad209ce1-fec7-4130-8192-c4cc63f1d8cd","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/openshift-kube-controller-manager/configmaps/cert-recovery-controller-lock?timeout=35s","verb":"update","user":{"username":"system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client","uid":"dd4997e3-d565-4e37-80f8-7fc122ccd785","groups":["system:serviceaccounts","system:serviceaccounts:openshift-kube-controller-manager","system:authenticated"]},"sourceIPs":["::1"],"userAgent":"cluster-kube-controller-manager-operator/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"configmaps","namespace":"openshift-kube-controller-manager","name":"cert-recovery-controller-lock","uid":"5c57190b-6993-425d-8101-8337e48c7548","apiVersion":"v1","resourceVersion":"574307"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-04-02T08:27:20.200962Z","stageTimestamp":"2020-04-02T08:27:20.206710Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:openshift:operator:kube-controller-manager-recovery\" of ClusterRole \"cluster-admin\" to ServiceAccount \"localhost-recovery-client/openshift-kube-controller-manager\""}}
+ci-ln-m0wpfjb-f76d1-vnb5x-master-0 audit-2021-03-09T14-07-27.129.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-0 audit.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-1 audit-2021-03-09T19-24-22.620.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-1 audit.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit-2021-03-09T18-37-07.511.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit.log
 ----
 
-. View the Kubernetes API server logs:
-
-.. If necessary, get the node name of the log you want to view:
+.. View a specific Kubernetes API server log by providing the node name and the log name:
 +
 [source,terminal]
 ----
-$ oc adm node-logs --role=master --path=kube-apiserver/
+$ oc adm node-logs <node_name> --path=kube-apiserver/<log_name>
+----
++
+For example:
++
+[source,terminal]
+----
+$ oc adm node-logs ci-ln-m0wpfjb-f76d1-vnb5x-master-0 --path=kube-apiserver/audit-2021-03-09T14-07-27.129.log
 ----
 +
 .Example output
 [source,terminal]
 ----
-ip-10-0-140-97.ec2.internal audit-2019-04-09T14-07-27.129.log
-ip-10-0-140-97.ec2.internal audit-2019-04-09T19-18-32.542.log
-ip-10-0-140-97.ec2.internal audit.log
-ip-10-0-153-35.ec2.internal audit-2019-04-09T19-24-22.620.log
-ip-10-0-153-35.ec2.internal audit-2019-04-09T19-51-30.905.log
-ip-10-0-153-35.ec2.internal audit.log
-ip-10-0-170-165.ec2.internal audit-2019-04-09T18-37-07.511.log
-ip-10-0-170-165.ec2.internal audit-2019-04-09T19-21-14.371.log
-ip-10-0-170-165.ec2.internal audit.log
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"cfce8a0b-b5f5-4365-8c9f-79c1227d10f9","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/openshift-kube-scheduler/serviceaccounts/openshift-kube-scheduler-sa","verb":"get","user":{"username":"system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator","uid":"2574b041-f3c8-44e6-a057-baef7aa81516","groups":["system:serviceaccounts","system:serviceaccounts:openshift-kube-scheduler-operator","system:authenticated"]},"sourceIPs":["10.128.0.8"],"userAgent":"cluster-kube-scheduler-operator/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"serviceaccounts","namespace":"openshift-kube-scheduler","name":"openshift-kube-scheduler-sa","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-03-08T18:06:42.512619Z","stageTimestamp":"2021-03-08T18:06:42.516145Z","annotations":{"authentication.k8s.io/legacy-token":"system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator","authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:openshift:operator:cluster-kube-scheduler-operator\" of ClusterRole \"cluster-admin\" to ServiceAccount \"openshift-kube-scheduler-operator/openshift-kube-scheduler-operator\""}}
 ----
 
-.. View the Kubernetes API server log for a specific master node and timestamp or view all the logs for that master:
+* View the OpenShift OAuth API server logs:
+
+.. List the OpenShift OAuth API server logs that are available for each master node:
 +
 [source,terminal]
 ----
-$ oc adm node-logs <node-name> --path=kube-apiserver/<log-name>
+$ oc adm node-logs --role=master --path=oauth-apiserver/
 ----
 +
-For example:
-+
+.Example output
 [source,terminal]
 ----
-$ oc adm node-logs ip-10-0-140-97.ec2.internal --path=kube-apiserver/audit-2019-04-09T14-07-27.129.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-0 audit-2021-03-09T13-06-26.128.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-0 audit.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-1 audit-2021-03-09T18-23-21.619.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-1 audit.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit-2021-03-09T17-36-06.510.log
+ci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit.log
 ----
+
+.. View a specific OpenShift OAuth API server log by providing the node name and the log name:
 +
 [source,terminal]
 ----
-$ oc adm node-logs ip-10-0-170-165.ec2.internal --path=kube-apiserver/audit.log
+$ oc adm node-logs <node_name> --path=oauth-apiserver/<log_name>
 ----
 +
-The output appears similar to the following:
+For example:
++
+[source,terminal]
+----
+$ oc adm node-logs ci-ln-m0wpfjb-f76d1-vnb5x-master-0 --path=oauth-apiserver/audit-2021-03-09T13-06-26.128.log
+----
 +
 .Example output
 [source,terminal]
 ----
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"ad209ce1-fec7-4130-8192-c4cc63f1d8cd","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/openshift-kube-controller-manager/configmaps/cert-recovery-controller-lock?timeout=35s","verb":"update","user":{"username":"system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client","uid":"dd4997e3-d565-4e37-80f8-7fc122ccd785","groups":["system:serviceaccounts","system:serviceaccounts:openshift-kube-controller-manager","system:authenticated"]},"sourceIPs":["::1"],"userAgent":"cluster-kube-controller-manager-operator/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"configmaps","namespace":"openshift-kube-controller-manager","name":"cert-recovery-controller-lock","uid":"5c57190b-6993-425d-8101-8337e48c7548","apiVersion":"v1","resourceVersion":"574307"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-04-02T08:27:20.200962Z","stageTimestamp":"2020-04-02T08:27:20.206710Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:openshift:operator:kube-controller-manager-recovery\" of ClusterRole \"cluster-admin\" to ServiceAccount \"localhost-recovery-client/openshift-kube-controller-manager\""}}
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"dd4c44e2-3ea1-4830-9ab7-c91a5f1388d6","stage":"ResponseComplete","requestURI":"/apis/user.openshift.io/v1/users/~","verb":"get","user":{"username":"system:serviceaccount:openshift-monitoring:prometheus-k8s","groups":["system:serviceaccounts","system:serviceaccounts:openshift-monitoring","system:authenticated"]},"sourceIPs":["10.0.32.4","10.128.0.1"],"userAgent":"dockerregistry/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"users","name":"~","apiGroup":"user.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-03-08T17:47:43.653187Z","stageTimestamp":"2021-03-08T17:47:43.660187Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"basic-users\" of ClusterRole \"basic-user\" to Group \"system:authenticated\""}}
 ----

modules/security-audit-log-filtering.adoc

@@ -48,11 +48,11 @@ $ oc adm node-logs node-1.example.com  \
   | jq 'select(.requestURI | startswith("/apis/apiextensions.k8s.io/v1beta1")) | .userAgent'
 ----
 
-* Filter Kubernetes API server audit logs by excluding a verb:
+* Filter OpenShift OAuth API server audit logs by excluding a verb:
 +
 [source,terminal]
 ----
 $ oc adm node-logs node-1.example.com  \
-  --path=kube-apiserver/audit.log \
+  --path=oauth-apiserver/audit.log \
   | jq 'select(.verb != "get")'
 ----