Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Decouple Audit logging from the AntreaPolicy feature gate #5340

Closed
antoninbas opened this issue Aug 1, 2023 · 0 comments · Fixed by #5352
Closed

Decouple Audit logging from the AntreaPolicy feature gate #5340

antoninbas opened this issue Aug 1, 2023 · 0 comments · Fixed by #5352
Assignees
@qiyueyao
Labels
area/monitoring/auditing Issues or PRs related to auditing. area/network-policy Issues or PRs related to network policies. priority/backlog Higher priority than priority/awaiting-more-evidence.

Comments

@antoninbas
Copy link
Contributor

antoninbas commented Aug 1, 2023
edited
Loading

Not introduced by the PR, but shouldn't loggingEnabled always be true given logging can be enabled for K8s NetworkPolicy? @qiyueyao
If yes, we should make the struct name of AntreaPolicyLoggerOptions not specific to AntreaPolicy?

Originally posted by @tnqn in #5337 (comment)

At the moment, Audit logging is only enabled when the AntreaPolicy feature gate is enabled (which is the default):

antrea/cmd/antrea-agent/agent.go

Lines 430 to 442 in 5255b20

// In Antrea agent, status manager and audit logging will automatically be enabled
// if AntreaPolicy feature is enabled.
statusManagerEnabled := antreaPolicyEnabled
loggingEnabled := antreaPolicyEnabled
var auditLoggerOptions *networkpolicy.AntreaPolicyLoggerOptions
if loggingEnabled {
auditLoggerOptions = &networkpolicy.AntreaPolicyLoggerOptions{
MaxSize: int(o.config.AuditLogging.MaxSize),
MaxBackups: int(*o.config.AuditLogging.MaxBackups),
MaxAge: int(*o.config.AuditLogging.MaxAge),
Compress: *o.config.AuditLogging.Compress,
}
}

However, Audit logging can also be enabled for K8s NetworkPolicies (by annotating the Namespace in which the NPs are defined with an Antrea-specific annotation). So it should be possible for someone to leverage Audit logging for K8s NPs even when disabling the AntreaPolicy feature.

The naming of objects in pkg/agent/controller/networkpolicy/audit_logging.go could also be more generic, to avoid tying it to the AntreaPolicy feature.
@antoninbas antoninbas added priority/backlog Higher priority than priority/awaiting-more-evidence. area/monitoring/auditing Issues or PRs related to auditing. area/network-policy Issues or PRs related to network policies. labels Aug 1, 2023
qiyueyao added a commit to qiyueyao/antrea that referenced this issue Aug 3, 2023
@qiyueyao
Decouple Audit logging from AntreaPolicy
f73ff5d 
Currently Audit logging is controlled by AntreaPolicy
feature gate, but it also logs K8s NetworkPolicies.

This solution decouples Audit logging with the AntreaPolicy
feature gate and renames the related objects.

Fixes antrea-io#5340

Signed-off-by: Qiyue Yao <yaoq@vmware.com>
@qiyueyao qiyueyao mentioned this issue Aug 3, 2023
Merged
@qiyueyao qiyueyao self-assigned this Aug 3, 2023
qiyueyao added a commit to qiyueyao/antrea that referenced this issue Aug 8, 2023
@qiyueyao
Decouple Audit logging from AntreaPolicy
d510190 
Currently Audit logging is controlled by AntreaPolicy
feature gate, but it also logs K8s NetworkPolicies.

This solution decouples Audit logging with the AntreaPolicy
feature gate and renames the related objects.

Fixes antrea-io#5340

Signed-off-by: Qiyue Yao <yaoq@vmware.com>
qiyueyao added a commit to qiyueyao/antrea that referenced this issue Aug 18, 2023
@qiyueyao
Decouple Audit logging from AntreaPolicy
715d757 
Currently Audit logging is controlled by AntreaPolicy
feature gate, but it also logs K8s NetworkPolicies.

This solution decouples Audit logging with the AntreaPolicy
feature gate and renames the related objects.

Fixes antrea-io#5340

Signed-off-by: Qiyue Yao <yaoq@vmware.com>
antoninbas pushed a commit that referenced this issue Aug 21, 2023
@qiyueyao
Decouple Audit logging from AntreaPolicy (#5352)
bd3c008 
Currently Audit logging is controlled by AntreaPolicy
feature gate, but it also logs K8s NetworkPolicies.

This solution decouples Audit logging with the AntreaPolicy
feature gate and renames the related objects.

Fixes #5340

Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@qiyueyao qiyueyao

Labels
area/monitoring/auditing Issues or PRs related to auditing. area/network-policy Issues or PRs related to network policies. priority/backlog Higher priority than priority/awaiting-more-evidence.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Decouple Audit logging from AntreaPolicy feature gate qiyueyao/antrea
2 participants
@antoninbas @qiyueyao