design proposalhelp wanted
Metriche repository
- Star
- (27.997 star)
- Metriche merge PR
- (Merge medio 8g) (378 PR mergiate in 30 g)
Descrizione
Title: Add audit log for configuration updates
Context:
In enterprise environment it is often necessary to track compliance with internal policies. E.g.,
- support a particular TLS cipher suite
- enforce a particular SSO method
- enforce RBAC consistently
- etc
If a violation is detected, it is usually important to be able to answer for how long the issue has been in place.
Proposal:
- Add audit log for configuration updates (to record snapshots of applied xDS configuration)
Example use cases:
- Maintain a log of all LDS changes (open ports, TLS settings, filters chain, AuthN settings, AuthZ settings)
- Sink audit log into a tool that automates policy checks (i.e., Falco)
Anticipated scope of changes:
- Add
AuditLogAPI for use by system components to record audit events - Instrument system components to record audit events, e.g. ListenerManager, ClusterManager, etc
- Define a configuration schema to govern Audit Log
- Which xDS resources to record ?
- What to do with recorded audit events ?
- Add a new extension kind -
Audit Log Sink - Define a schema for gRPC/HTTP service to send recorded audit events to
- Add an implementation of
Audit Log Sinkthat streams recorded audit events to a gRPC/HTTP service - Support dynamic changes to Audit Log configuration