Advanced Auditing Beta Changes

[timstclair]

As we work with the new "advanced auditing" API, we're noticing places where the API could be improved. I'm opening this issue to track all the changes we'd like to make to the API when it goes to beta.

API Changes:

• audit.Event.ObjectRef.APIVersion currently holds both the the API group and version, separated by a /. We should break these out into separate fields.
• Policy should be able to specify subresources. This could either be a separate field, or allow matching of / delimited resources (e.g. pods/status for the pods resource and status subresource)
• ( @ericchiang ) It would be useful to be able to specify resource names in the policy. E.g. ingress controller configmap. Resources in the [GroupResources]
  (

  kubernetes/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go

  Line 198 in 14cd03a

  type GroupResources struct {

  ) struct should be changed to a struct that includes Resource + ResourceNames (slice) + (Subresource)
• audit.Event.Metadata.CreationTimestamp shows up as null in the json serialized events we output, which looks sloppy. We should consider cleaning this up. One possibility is to get rid of the audit.Event.Timestamp field, and use CreationTimestamp.
• We want to omit the RequestReceived stage in GKE. The policy may be the right place to specify that.

Other Changes:

• feature gate AdvancedAuditing moves to beta and defaults to enabled

Postponed to post 1.8.0

• It would be nice to identify the server that sent the audit event, i.e. the aggregator vs. an end-user apiserver. Implementation TBD.

/cc @sttts @soltysh @ericchiang @ihmccreery

Feature: kubernetes/enhancements#22

[k8s-github-robot]

@timstclair There are no sig labels on this issue. Please add a sig label by:
(1) mentioning a sig: @kubernetes/sig-<team-name>-misc
e.g., @kubernetes/sig-api-machinery-* for API Machinery
(2) specifying the label manually: /sig <label>
e.g., /sig scalability for sig/scalability

Note: method (1) will trigger a notification to the team. You can find the team list here and label list here

[xiangpengzhao]

/sig api-machinery

[tallclair]

/cc @crassirostris

[CaoShuFeng]

I am very glad to implement the first one if no one has started it.

audit.Event.ObjectRef.APIVersion currently holds both the the API group and version, separated by a /. We should break these out into separate fields.

[tallclair]

Note that the first one is a breaking change, since it would mean we populate the APIVersion differently. I think it should be done in the transition to the Beta API, rather than an augment to the alpha API.