design proposalhelp wanted
Repository metrics
- Stars
- (27,997 stars)
- PR merge metrics
- (平均マージ 8d) (30d で 378 merged PRs)
説明
Title: Add audit log for configuration updates
Context:
In enterprise environment it is often necessary to track compliance with internal policies. E.g.,
- support a particular TLS cipher suite
- enforce a particular SSO method
- enforce RBAC consistently
- etc
If a violation is detected, it is usually important to be able to answer for how long the issue has been in place.
Proposal:
- Add audit log for configuration updates (to record snapshots of applied xDS configuration)
Example use cases:
- Maintain a log of all LDS changes (open ports, TLS settings, filters chain, AuthN settings, AuthZ settings)
- Sink audit log into a tool that automates policy checks (i.e., Falco)
Anticipated scope of changes:
- Add
AuditLogAPI for use by system components to record audit events - Instrument system components to record audit events, e.g. ListenerManager, ClusterManager, etc
- Define a configuration schema to govern Audit Log
- Which xDS resources to record ?
- What to do with recorded audit events ?
- Add a new extension kind -
Audit Log Sink - Define a schema for gRPC/HTTP service to send recorded audit events to
- Add an implementation of
Audit Log Sinkthat streams recorded audit events to a gRPC/HTTP service - Support dynamic changes to Audit Log configuration