envoyproxy/envoy

Add audit log for configuration updates

Open

#6,936 创建于 2019年5月14日

在 GitHub 查看
 (2 评论) (0 反应) (0 负责人)C++ (5,373 fork)batch import
design proposalhelp wanted

仓库指标

Star
 (27,997 star)
PR 合并指标
 (平均合并 8天) (30 天内合并 378 个 PR)

描述

Title: Add audit log for configuration updates

Context:

In enterprise environment it is often necessary to track compliance with internal policies. E.g.,

  • support a particular TLS cipher suite
  • enforce a particular SSO method
  • enforce RBAC consistently
  • etc

If a violation is detected, it is usually important to be able to answer for how long the issue has been in place.

Proposal:

  • Add audit log for configuration updates (to record snapshots of applied xDS configuration)

Example use cases:

  • Maintain a log of all LDS changes (open ports, TLS settings, filters chain, AuthN settings, AuthZ settings)
  • Sink audit log into a tool that automates policy checks (i.e., Falco)

Anticipated scope of changes:

  • Add AuditLog API for use by system components to record audit events
  • Instrument system components to record audit events, e.g. ListenerManager, ClusterManager, etc
  • Define a configuration schema to govern Audit Log
    • Which xDS resources to record ?
    • What to do with recorded audit events ?
  • Add a new extension kind - Audit Log Sink
  • Define a schema for gRPC/HTTP service to send recorded audit events to
  • Add an implementation of Audit Log Sink that streams recorded audit events to a gRPC/HTTP service
  • Support dynamic changes to Audit Log configuration

贡献者指南