envoyproxy/envoy

Add audit log for configuration updates

Open

#6,936 建立於 2019年5月14日

在 GitHub 查看
 (2 留言) (0 反應) (0 負責人)C++ (5,373 fork)batch import
design proposalhelp wanted

倉庫指標

Star
 (27,997 star)
PR 合併指標
 (平均合併 8天) (30 天內合併 378 個 PR)

描述

Title: Add audit log for configuration updates

Context:

In enterprise environment it is often necessary to track compliance with internal policies. E.g.,

  • support a particular TLS cipher suite
  • enforce a particular SSO method
  • enforce RBAC consistently
  • etc

If a violation is detected, it is usually important to be able to answer for how long the issue has been in place.

Proposal:

  • Add audit log for configuration updates (to record snapshots of applied xDS configuration)

Example use cases:

  • Maintain a log of all LDS changes (open ports, TLS settings, filters chain, AuthN settings, AuthZ settings)
  • Sink audit log into a tool that automates policy checks (i.e., Falco)

Anticipated scope of changes:

  • Add AuditLog API for use by system components to record audit events
  • Instrument system components to record audit events, e.g. ListenerManager, ClusterManager, etc
  • Define a configuration schema to govern Audit Log
    • Which xDS resources to record ?
    • What to do with recorded audit events ?
  • Add a new extension kind - Audit Log Sink
  • Define a schema for gRPC/HTTP service to send recorded audit events to
  • Add an implementation of Audit Log Sink that streams recorded audit events to a gRPC/HTTP service
  • Support dynamic changes to Audit Log configuration

貢獻者指南