design proposalhelp wanted
仓库指标
- Star
- (27,997 star)
- PR 合并指标
- (平均合并 8天) (30 天内合并 378 个 PR)
描述
Title: Add audit log for configuration updates
Context:
In enterprise environment it is often necessary to track compliance with internal policies. E.g.,
- support a particular TLS cipher suite
- enforce a particular SSO method
- enforce RBAC consistently
- etc
If a violation is detected, it is usually important to be able to answer for how long the issue has been in place.
Proposal:
- Add audit log for configuration updates (to record snapshots of applied xDS configuration)
Example use cases:
- Maintain a log of all LDS changes (open ports, TLS settings, filters chain, AuthN settings, AuthZ settings)
- Sink audit log into a tool that automates policy checks (i.e., Falco)
Anticipated scope of changes:
- Add
AuditLogAPI for use by system components to record audit events - Instrument system components to record audit events, e.g. ListenerManager, ClusterManager, etc
- Define a configuration schema to govern Audit Log
- Which xDS resources to record ?
- What to do with recorded audit events ?
- Add a new extension kind -
Audit Log Sink - Define a schema for gRPC/HTTP service to send recorded audit events to
- Add an implementation of
Audit Log Sinkthat streams recorded audit events to a gRPC/HTTP service - Support dynamic changes to Audit Log configuration