envoyproxy/envoy

Add audit log for configuration updates

Open

#6.936 aberto em 14 de mai. de 2019

Ver no GitHub
 (2 comments) (0 reactions) (0 assignees)C++ (5.373 forks)batch import
design proposalhelp wanted

Métricas do repositório

Stars
 (27.997 stars)
Métricas de merge de PR
 (Mesclagem média 8d) (378 fundiu PRs em 30d)

Description

Title: Add audit log for configuration updates

Context:

In enterprise environment it is often necessary to track compliance with internal policies. E.g.,

  • support a particular TLS cipher suite
  • enforce a particular SSO method
  • enforce RBAC consistently
  • etc

If a violation is detected, it is usually important to be able to answer for how long the issue has been in place.

Proposal:

  • Add audit log for configuration updates (to record snapshots of applied xDS configuration)

Example use cases:

  • Maintain a log of all LDS changes (open ports, TLS settings, filters chain, AuthN settings, AuthZ settings)
  • Sink audit log into a tool that automates policy checks (i.e., Falco)

Anticipated scope of changes:

  • Add AuditLog API for use by system components to record audit events
  • Instrument system components to record audit events, e.g. ListenerManager, ClusterManager, etc
  • Define a configuration schema to govern Audit Log
    • Which xDS resources to record ?
    • What to do with recorded audit events ?
  • Add a new extension kind - Audit Log Sink
  • Define a schema for gRPC/HTTP service to send recorded audit events to
  • Add an implementation of Audit Log Sink that streams recorded audit events to a gRPC/HTTP service
  • Support dynamic changes to Audit Log configuration

Guia do colaborador