envoyproxy/envoy

Add audit log for configuration updates

Open

#6,936 opened on 2019年5月14日

GitHub で見る
 (2 comments) (0 reactions) (0 assignees)C++ (5,373 forks)batch import
design proposalhelp wanted

Repository metrics

Stars
 (27,997 stars)
PR merge metrics
 (平均マージ 8d) (30d で 378 merged PRs)

説明

Title: Add audit log for configuration updates

Context:

In enterprise environment it is often necessary to track compliance with internal policies. E.g.,

  • support a particular TLS cipher suite
  • enforce a particular SSO method
  • enforce RBAC consistently
  • etc

If a violation is detected, it is usually important to be able to answer for how long the issue has been in place.

Proposal:

  • Add audit log for configuration updates (to record snapshots of applied xDS configuration)

Example use cases:

  • Maintain a log of all LDS changes (open ports, TLS settings, filters chain, AuthN settings, AuthZ settings)
  • Sink audit log into a tool that automates policy checks (i.e., Falco)

Anticipated scope of changes:

  • Add AuditLog API for use by system components to record audit events
  • Instrument system components to record audit events, e.g. ListenerManager, ClusterManager, etc
  • Define a configuration schema to govern Audit Log
    • Which xDS resources to record ?
    • What to do with recorded audit events ?
  • Add a new extension kind - Audit Log Sink
  • Define a schema for gRPC/HTTP service to send recorded audit events to
  • Add an implementation of Audit Log Sink that streams recorded audit events to a gRPC/HTTP service
  • Support dynamic changes to Audit Log configuration

コントリビューターガイド