design proposalhelp wanted
Métricas do repositório
- Stars
- (27.997 stars)
- Métricas de merge de PR
- (Mesclagem média 8d) (378 fundiu PRs em 30d)
Description
Title: Add audit log for configuration updates
Context:
In enterprise environment it is often necessary to track compliance with internal policies. E.g.,
- support a particular TLS cipher suite
- enforce a particular SSO method
- enforce RBAC consistently
- etc
If a violation is detected, it is usually important to be able to answer for how long the issue has been in place.
Proposal:
- Add audit log for configuration updates (to record snapshots of applied xDS configuration)
Example use cases:
- Maintain a log of all LDS changes (open ports, TLS settings, filters chain, AuthN settings, AuthZ settings)
- Sink audit log into a tool that automates policy checks (i.e., Falco)
Anticipated scope of changes:
- Add
AuditLogAPI for use by system components to record audit events - Instrument system components to record audit events, e.g. ListenerManager, ClusterManager, etc
- Define a configuration schema to govern Audit Log
- Which xDS resources to record ?
- What to do with recorded audit events ?
- Add a new extension kind -
Audit Log Sink - Define a schema for gRPC/HTTP service to send recorded audit events to
- Add an implementation of
Audit Log Sinkthat streams recorded audit events to a gRPC/HTTP service - Support dynamic changes to Audit Log configuration