Merge pull request #36229 from bergerhoffer/OSDOCS-1801

OSDOCS-1801: Adding new audit policy options

Author: bergerhoffer

modules/nodes-nodes-audit-config-about.adoc

@@ -9,7 +9,7 @@ Audit log profiles define how to log requests that come to the OpenShift API ser
 
 {product-title} provides the following predefined audit policy profiles:
 
-[cols="1,2",options="header"]
+[cols="1,2a",options="header"]
 |===
 |Profile
 |Description
@@ -22,6 +22,15 @@ Audit log profiles define how to log requests that come to the OpenShift API ser
 
 |`AllRequestBodies`
 |In addition to logging metadata for all requests, logs request bodies for  every read and write request to the API servers (`get`, `list`, `create`, `update`, `patch`). This profile has the most resource overhead. ^[1]^
+
+|`None`
+|No requests are logged; even OAuth access token requests and OAuth authorize token requests are not logged.
+
+[WARNING]
+====
+It is not recommended to disable audit logging by using the `None` profile unless you are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. If you disable audit logging and a support situation arises, you might need to enable audit logging and reproduce the issue in order to troubleshoot properly.
+====
+
 |===
 [.small]
 --

modules/nodes-nodes-audit-policy-custom.adoc

@@ -0,0 +1,73 @@
+// Module included in the following assemblies:
+//
+// * security/audit-log-policy-config.adoc
+
+[id="configuring-audit-policy-custom_{context}"]
+= Configuring the audit log policy with custom rules
+
+You can configure an audit log policy that defines custom rules. You can specify multiple groups and define which profile to use for that group.
+
+These custom rules take precedence over the top-level profile field. The custom rules are evaluated from top to bottom, and the first that matches is applied.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+
+.Procedure
+
+. Edit the `APIServer` resource:
++
+[source,terminal]
+----
+$ oc edit apiserver cluster
+----
+
+. Add the `spec.audit.customRules` field:
++
+[source,yaml]
+----
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+...
+spec:
+  audit:
+    customRules:                        <1>
+    - group: system:authenticated:oauth
+      profile: WriteRequestBodies
+    - group: system:authenticated
+      profile: AllRequestBodies
+    profile: Default                    <2>
+----
+<1> Add one or more groups and specify the profile to use for that group. These custom rules take precedence over the top-level profile field. The custom rules are evaluated from top to bottom, and the first that matches is applied.
+<2> Set to `Default`, `WriteRequestBodies`, `AllRequestBodies`, or `None`. If you do not set this top-level `audit.profile` field, it defaults to the `Default` profile.
++
+[WARNING]
+====
+It is not recommended to disable audit logging by using the `None` profile unless you are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. If you disable audit logging and a support situation arises, you might need to enable audit logging and reproduce the issue in order to troubleshoot properly.
+====
+
+. Save the file to apply the changes.
+
+.Verification
+
+* Verify that a new revision of the Kubernetes API server pods is rolled out. It can take several minutes for all nodes to update to the new revision.
++
+[source,terminal]
+----
+$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}{.reason}{"\n"}{.message}{"\n"}'
+----
++
+Review the `NodeInstallerProgressing` status condition for the Kubernetes API server to verify that all nodes are at the latest revision. The output shows `AllNodesAtLatestRevision` upon successful update:
++
+[source,terminal]
+----
+AllNodesAtLatestRevision
+3 nodes are at revision 12 <1>
+----
+<1> In this example, the latest revision number is `12`.
++
+If the output shows a message similar to one of the following messages, the update is still in progress. Wait a few minutes and try again.
+
+** `3 nodes are at revision 11; 0 nodes have achieved new revision 12`
+** `2 nodes are at revision 11; 1 nodes are at revision 12`

modules/nodes-nodes-audit-policy-disable.adoc

@@ -0,0 +1,69 @@
+// Module included in the following assemblies:
+//
+// * security/audit-log-policy-config.adoc
+
+[id="configuring-audit-policy-disable_{context}"]
+= Disabling audit logging
+
+You can disable audit logging for {product-title}. When you disable audit logging, even OAuth access token requests and OAuth authorize token requests are not logged.
+
+[WARNING]
+====
+It is not recommended to disable audit logging by using the `None` profile unless you are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. If you disable audit logging and a support situation arises, you might need to enable audit logging and reproduce the issue in order to troubleshoot properly.
+====
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+
+.Procedure
+
+. Edit the `APIServer` resource:
++
+[source,terminal]
+----
+$ oc edit apiserver cluster
+----
+
+. Set the `spec.audit.profile` field to `None`:
++
+[source,yaml]
+----
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+...
+spec:
+  audit:
+    profile: None
+----
++
+[NOTE]
+====
+You can also disable audit logging only for specific groups by specifying custom rules in the `spec.audit.customRules` field.
+====
+
+. Save the file to apply the changes.
+
+.Verification
+
+* Verify that a new revision of the Kubernetes API server pods is rolled out. It can take several minutes for all nodes to update to the new revision.
++
+[source,terminal]
+----
+$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}{.reason}{"\n"}{.message}{"\n"}'
+----
++
+Review the `NodeInstallerProgressing` status condition for the Kubernetes API server to verify that all nodes are at the latest revision. The output shows `AllNodesAtLatestRevision` upon successful update:
++
+[source,terminal]
+----
+AllNodesAtLatestRevision
+3 nodes are at revision 12 <1>
+----
+<1> In this example, the latest revision number is `12`.
++
+If the output shows a message similar to one of the following messages, the update is still in progress. Wait a few minutes and try again.
+
+** `3 nodes are at revision 11; 0 nodes have achieved new revision 12`
+** `2 nodes are at revision 11; 1 nodes are at revision 12`

modules/nodes-nodes-audit-policy.adoc

@@ -24,19 +24,26 @@ $ oc edit apiserver cluster
 +
 [source,yaml]
 ----
-  apiVersion: config.openshift.io/v1
-  kind: APIServer
-  metadata:
-  ...
-  spec:
-    audit:
-      profile: WriteRequestBodies <1>
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+...
+spec:
+  audit:
+    profile: WriteRequestBodies    <1>
 ----
-<1> Set to `Default`, `WriteRequestBodies`, or `AllRequestBodies`. The default profile is `Default`.
+<1> Set to `Default`, `WriteRequestBodies`, `AllRequestBodies`, or `None`. The default profile is `Default`.
++
+[WARNING]
+====
+It is not recommended to disable audit logging by using the `None` profile unless you are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. If you disable audit logging and a support situation arises, you might need to enable audit logging and reproduce the issue in order to troubleshoot properly.
+====
 
 . Save the file to apply the changes.
 
-. Verify that a new revision of the Kubernetes API server pods has rolled out. This will take several minutes.
+.Verification
+
+* Verify that a new revision of the Kubernetes API server pods is rolled out. It can take several minutes for all nodes to update to the new revision.
 +
 [source,terminal]
 ----
@@ -52,7 +59,7 @@ AllNodesAtLatestRevision
 ----
 <1> In this example, the latest revision number is `12`.
 +
-If the output shows a message similar to one of the following, this means that the update is still in progress. Wait a few minutes and try again.
+If the output shows a message similar to one of the following messages, the update is still in progress. Wait a few minutes and try again.
 
 ** `3 nodes are at revision 11; 0 nodes have achieved new revision 12`
 ** `2 nodes are at revision 11; 1 nodes are at revision 12`

security/audit-log-policy-config.adoc

@@ -12,3 +12,9 @@ include::modules/nodes-nodes-audit-config-about.adoc[leveloffset=+1]
 
 // Configuring the audit log policy
 include::modules/nodes-nodes-audit-policy.adoc[leveloffset=+1]
+
+// Configuring the audit log policy with custom rules
+include::modules/nodes-nodes-audit-policy-custom.adoc[leveloffset=+1]
+
+// Disabling audit logging
+include::modules/nodes-nodes-audit-policy-disable.adoc[leveloffset=+1]