envoyproxy/envoy

Add audit log for configuration updates

Open

#6936 aperta il 14 mag 2019

Vedi su GitHub
 (2 commenti) (0 reazioni) (0 assegnatari)C++ (5373 fork)batch import
design proposalhelp wanted

Metriche repository

Star
 (27.997 star)
Metriche merge PR
 (Merge medio 8g) (378 PR mergiate in 30 g)

Descrizione

Title: Add audit log for configuration updates

Context:

In enterprise environment it is often necessary to track compliance with internal policies. E.g.,

  • support a particular TLS cipher suite
  • enforce a particular SSO method
  • enforce RBAC consistently
  • etc

If a violation is detected, it is usually important to be able to answer for how long the issue has been in place.

Proposal:

  • Add audit log for configuration updates (to record snapshots of applied xDS configuration)

Example use cases:

  • Maintain a log of all LDS changes (open ports, TLS settings, filters chain, AuthN settings, AuthZ settings)
  • Sink audit log into a tool that automates policy checks (i.e., Falco)

Anticipated scope of changes:

  • Add AuditLog API for use by system components to record audit events
  • Instrument system components to record audit events, e.g. ListenerManager, ClusterManager, etc
  • Define a configuration schema to govern Audit Log
    • Which xDS resources to record ?
    • What to do with recorded audit events ?
  • Add a new extension kind - Audit Log Sink
  • Define a schema for gRPC/HTTP service to send recorded audit events to
  • Add an implementation of Audit Log Sink that streams recorded audit events to a gRPC/HTTP service
  • Support dynamic changes to Audit Log configuration

Guida contributor