OPA Gatekeeper (OPA)

All operations through the Kubernetes API

Log schema: KRM API

Log entry fields that contain audit information (each row gives the audit metadata, the audit field name, and an example value)

Identity of the user or service: user

"user": {
  "groups": [
    "system:authenticated"
  ],
  "username": "fop-platform-admin@example.com"
},
"annotations": {
  "authorization.k8s.io/decision": "allow",
  "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"project-creator-binding\" of ClusterRole \"project-creator\" to Group \"system:authenticated\""
}

Target (fields and values that call the API): objectRef

"objectRef": {
  "apiVersion": "v1",
  "name": "app1-project",
  "resource": "projects",
  "namespace": "gpc-system",
  "apiGroup": "resourcemanager.gdc.goog"
}

Action (fields that contain the operation performed): verb

"verb": "create"

Event timestamp: requestReceivedTimestamp

"requestReceivedTimestamp": "2022-12-09T23:51:56.997825Z"

Source of the action: sourceIPs

"sourceIPs": [
  "10.200.0.2"
]

Outcome: responseStatus

"responseStatus": {
  "code": 403,
  "status": "Failure",
  "metadata": {},
  "message": "admission webhook \"validation.gatekeeper.sh\" denied the request: [restrictprojectaccess] username  with groups <[\"system:authenticated\"]> is not allowed for this resource ",
  "reason": "[restrictprojectaccess] username  with groups <[\"system:authenticated\"]> is not allowed for this resource "
}

Other fields: responseStatus_message

"responseStatus": {
  "code": 403,
  "status": "Failure",
  "metadata": {},
  "message": "admission webhook \"validation.gatekeeper.sh\" denied the request: [restrictprojectaccess] username  with groups <[\"system:authenticated\"]> is not allowed for this resource ",
  "reason": "[restrictprojectaccess] username  with groups <[\"system:authenticated\"]> is not allowed for this resource "
}

KRM API log example

{
  "sourceIPs": [
    "10.200.0.2"
  ],
  "_gdch_cluster": "root-admin",
  "objectRef": {
    "apiVersion": "v1",
    "name": "app1-project",
    "resource": "projects",
    "namespace": "gpc-system",
    "apiGroup": "resourcemanager.gdc.goog"
  },
  "kind": "Event",
  "level": "Metadata",
  "apiVersion": "audit.k8s.io/v1",
  "auditID": "3611358c-f8b0-4780-9268-950eccc5881a",
  "stage": "ResponseComplete",
  "requestURI": "/apis/resourcemanager.gdc.goog/v1/namespaces/gpc-system/projects?fieldManager=kubectl-client-side-apply&fieldValidation=Strict",
  "verb": "create",
  "requestReceivedTimestamp": "2022-12-09T23:51:56.997825Z",
  "responseStatus": {
    "code": 403,
    "status": "Failure",
    "metadata": {},
    "message": "admission webhook \"validation.gatekeeper.sh\" denied the request: [restrictprojectaccess] username <fop-platform-admin@example.com> with groups <[\"system:authenticated\"]> is not allowed for this resource <Project/app1-project>",
    "reason": "[restrictprojectaccess] username <fop-platform-admin@example.com> with groups <[\"system:authenticated\"]> is not allowed for this resource <Project/app1-project>"
  },
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-b9kk4",
  "stageTimestamp": "2022-12-09T23:51:57.015134Z",
  "userAgent": "kubectl/v1.25.4 (linux/amd64) kubernetes/872a965",
  "user": {
    "groups": [
      "system:authenticated"
    ],
    "username": "fop-platform-admin@example.com"
  },
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"project-creator-binding\" of ClusterRole \"project-creator\" to Group \"system:authenticated\""
  },
  "_gdch_service_name": "apiserver"
}
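To show how the KRM API schema above is consumed in practice, here is an added Python example (not part of this page and not Google Distributed Cloud's own tooling) that maps one audit event onto the schema's audit metadata rows and flags the situation the sample illustrates: RBAC allowed the request, yet the Gatekeeper admission webhook returned 403. The embedded event is a trimmed copy of the example above; the function names and the regular expression over the denial message are the example's own assumptions.

```python
from __future__ import annotations

import json
import re
from typing import Optional

# Trimmed copy of the KRM API audit event shown above: only the fields the
# schema table references are kept ("reason", "metadata" and the forwarder
# fields are dropped).
SAMPLE_EVENT_JSON = r'''
{
  "sourceIPs": ["10.200.0.2"],
  "objectRef": {
    "apiVersion": "v1",
    "name": "app1-project",
    "resource": "projects",
    "namespace": "gpc-system",
    "apiGroup": "resourcemanager.gdc.goog"
  },
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "auditID": "3611358c-f8b0-4780-9268-950eccc5881a",
  "stage": "ResponseComplete",
  "verb": "create",
  "requestReceivedTimestamp": "2022-12-09T23:51:56.997825Z",
  "responseStatus": {
    "code": 403,
    "status": "Failure",
    "message": "admission webhook \"validation.gatekeeper.sh\" denied the request: [restrictprojectaccess] username <fop-platform-admin@example.com> with groups <[\"system:authenticated\"]> is not allowed for this resource <Project/app1-project>"
  },
  "user": {
    "groups": ["system:authenticated"],
    "username": "fop-platform-admin@example.com"
  },
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"project-creator-binding\" of ClusterRole \"project-creator\" to Group \"system:authenticated\""
  }
}
'''
SAMPLE_EVENT = json.loads(SAMPLE_EVENT_JSON)

# Shape of the message the Gatekeeper validating webhook puts in
# responseStatus.message; the pattern is assumed from the sample above.
WEBHOOK_DENIAL = re.compile(
    r'^admission webhook "(?P<webhook>[^"]+)" denied the request: '
    r'\[(?P<constraint>[^\]]+)\]'
)


def extract_audit_fields(event: dict) -> dict:
    """Map one KRM API audit event onto the audit metadata rows of the schema table."""
    user = event.get("user", {})
    obj = event.get("objectRef", {})
    status = event.get("responseStatus", {})
    return {
        "identity": user.get("username"),
        "groups": tuple(user.get("groups", [])),
        "target": "/".join(obj.get(k, "") for k in ("apiGroup", "resource", "namespace", "name")),
        "action": event.get("verb"),
        "timestamp": event.get("requestReceivedTimestamp"),
        "source_ips": tuple(event.get("sourceIPs", [])),
        "outcome_code": status.get("code"),
        "outcome_message": status.get("message", ""),
        "rbac_decision": event.get("annotations", {}).get("authorization.k8s.io/decision"),
    }


def classify_denial(event: dict) -> Optional[dict]:
    """Return details when an admission webhook denied the request (HTTP 403), else None.

    rbac_allowed is True when the RBAC annotation says "allow": the caller held
    the permission, and the policy layer, not authorization, rejected the write.
    A 403 produced by RBAC itself carries a different message and yields None.
    """
    fields = extract_audit_fields(event)
    if fields["outcome_code"] != 403:
        return None
    match = WEBHOOK_DENIAL.match(fields["outcome_message"])
    if match is None:
        return None
    return {
        "webhook": match.group("webhook"),
        "constraint": match.group("constraint"),
        "rbac_allowed": fields["rbac_decision"] == "allow",
        "user": fields["identity"],
        "target": fields["target"],
        "timestamp": fields["timestamp"],
    }


if __name__ == "__main__":
    print(json.dumps(extract_audit_fields(SAMPLE_EVENT), indent=2))
    print(json.dumps(classify_denial(SAMPLE_EVENT), indent=2))
```

Keying on the message prefix rather than on the 403 alone matters because RBAC denials also produce 403; the annotation `authorization.k8s.io/decision` tells the two apart, and an "allow" there combined with a webhook denial is the row an auditor usually wants to review first.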

Start an audit process

Log schema: Gatekeeper

Log entry fields that contain audit information (each row gives the audit metadata, the audit field name, and an example value)

Identity of the user or service: not applicable

Target (fields and values that call the API): process

\"process\":\"audit\"

Action (fields that contain the operation performed): event_type

\"event_type\":\"audit_started\"

Event timestamp: audit_id

\"audit_id\":\"2022-12-13T23:07:11Z\"

Source of the action: pod_name

"pod_name": "gatekeeper-audit-b765495d8-tb4kc"

Outcome: msg

\"msg\":\"auditing constraints and violations\"

Other fields: not applicable

Finish an audit process

Log schema: Gatekeeper

Log entry fields that contain audit information (each row gives the audit metadata, the audit field name, and an example value)

Identity of the user or service: not applicable

Target (fields and values that call the API): process

\"process\":\"audit\"

Action (fields that contain the operation performed): event_type

\"event_type\":\"audit_finished\"

Event timestamp: audit_id

\"audit_id\":\"2022-12-13T23:05:32Z\"

Source of the action: pod_name

"pod_name": "gatekeeper-audit-b765495d8-tb4kc"

Outcome: msg

\"msg\":\"auditing is complete\"

Other fields: not applicable

Audit violation

Log schema: Gatekeeper

Log entry fields that contain audit information (each row gives the audit metadata, the audit field name, and an example value)

Identity of the user or service: details

\"details\":{\"missing_labels\":[\"gatekeeper\"]}

Target (fields and values that call the API): process

\"process\":\"audit\"

Action (fields that contain the operation performed): event_type

\"event_type\":\"violation_audited\"

Event timestamp: audit_id

\"audit_id\":\"2022-12-13T23:07:11Z\"

Source of the action: pod_name

"pod_name": "gatekeeper-audit-b765495d8-tb4kc"

Outcome: msg

\"msg\":\"you must provide labels: {\\\"gatekeeper\\\"}\"

Other fields: not applicable

Audit constraint

Log schema: Gatekeeper

Log entry fields that contain audit information (each row gives the audit metadata, the audit field name, and an example value)

Identity of the user or service: constraint_name

\"constraint_name\":\"ns-must-have-gk\"

Target (fields and values that call the API): process

\"process\":\"audit\"

Action (fields that contain the operation performed): event_type

\"event_type\":\"constraint_audited\"

Event timestamp: audit_id

\"audit_id\":\"2022-12-13T23:07:11Z\"

Source of the action: pod_name

"pod_name": "gatekeeper-audit-b765495d8-tb4kc"

Outcome: msg

\"msg\":\"audit results for constraint\"

Other fields: not applicable

Gatekeeper log example

{
  "stream":"stderr",
  "logtag":"F",
  "log":"{
    \"level\":\"info\",
    \"ts\":1670972934.0394588,
    \"logger\":\"controller\",
    \"msg\":\"audit results for constraint\",
    \"process\":\"audit\",
    \"audit_id\":\"2022-12-13T23:07:11Z\",
    \"event_type\":\"constraint_audited\",
    \"constraint_group\":\"constraints.gatekeeper.sh \",
    \"constraint_api_version\":\"v1\",
    \"constraint_kind\":\"K8sRequiredLabels\",
    \"constraint_name\":\"ns-must-have-gk\",
    \"constraint_namespace\":\"\",
    \"constraint_action\":\"deny\",
    \"constraint_status\":\"enforced\",
    \"constraint_violations\":\"64\"
    }",
  "kubernetes":{
    "pod_name": "gatekeeper-audit-b 765495d8-tb4kc",
    "namespace_name":"gatekeeper-system",
    "pod_id":"3c75b257-0917-4575-bb69-ab5eb6f5839d",
    "labels":{
      "app": "gatekeeper",
      "chart": "gatekeeper",
      "control-plane":"audit-controller",
      "gatekeeper.sh/operation":"audit",
      "gatekeeper.sh/system": "yes",
      "heritage" : "Helm",
      "pod-template-hash": "b765495d 8",
      "release":"gatekeeper"
      },
    "host": "gpc-adhoc-2801b240vm-worker-node2",
    "container_name": "manager",
    "docker_id":"33f7eb658cb7a17c50ce917dcc727628bc40ea7d160fb1a20d0d61ae4e51b473",
    "container_hash": "gcr.io/private-cloud-staging/gatekeeper@sha256:5d91735b2378723a74930cdff2298efeea6f6bebc8ea9dd0106bfdb067f5a07d", "container_image": "gcr.io/private-cloud-staging/gatekeeper: v3.7.0"
    },
  "_gdch_tenant_id":"infra-obs"
}
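The Gatekeeper example above is a log-forwarder record whose "log" field is itself a JSON string, so extracting the audit fields from the four Gatekeeper schema tables (audit started, audit finished, audit violation, audit constraint) takes two decoding passes. The following added Python example (not this page's code and not Gatekeeper's own) decodes such records, groups them by audit_id, and reports what each audit run found. The embedded records are constructed from the values in the tables and example above, collapsed onto one line each as they would be emitted; the "ts" values, the single audit_id shared by all four records, and the helper names are the example's assumptions.

```python
from __future__ import annotations

import json

# Records constructed from the Gatekeeper schema tables and the example above,
# one per event_type, each collapsed onto one line as the forwarder emits it.
# The "ts" values and the shared audit_id are constructed for this example.
SAMPLE_RECORDS = [
    r'''{"stream":"stderr","logtag":"F","log":"{\"level\":\"info\",\"ts\":1670972831.1,\"logger\":\"controller\",\"msg\":\"auditing constraints and violations\",\"process\":\"audit\",\"audit_id\":\"2022-12-13T23:07:11Z\",\"event_type\":\"audit_started\"}","kubernetes":{"pod_name":"gatekeeper-audit-b765495d8-tb4kc","namespace_name":"gatekeeper-system"}}''',
    r'''{"stream":"stderr","logtag":"F","log":"{\"level\":\"info\",\"ts\":1670972933.5,\"logger\":\"controller\",\"msg\":\"you must provide labels: {\\\"gatekeeper\\\"}\",\"process\":\"audit\",\"audit_id\":\"2022-12-13T23:07:11Z\",\"event_type\":\"violation_audited\",\"constraint_name\":\"ns-must-have-gk\",\"details\":{\"missing_labels\":[\"gatekeeper\"]}}","kubernetes":{"pod_name":"gatekeeper-audit-b765495d8-tb4kc","namespace_name":"gatekeeper-system"}}''',
    r'''{"stream":"stderr","logtag":"F","log":"{\"level\":\"info\",\"ts\":1670972934.0394588,\"logger\":\"controller\",\"msg\":\"audit results for constraint\",\"process\":\"audit\",\"audit_id\":\"2022-12-13T23:07:11Z\",\"event_type\":\"constraint_audited\",\"constraint_group\":\"constraints.gatekeeper.sh\",\"constraint_api_version\":\"v1\",\"constraint_kind\":\"K8sRequiredLabels\",\"constraint_name\":\"ns-must-have-gk\",\"constraint_namespace\":\"\",\"constraint_action\":\"deny\",\"constraint_status\":\"enforced\",\"constraint_violations\":\"64\"}","kubernetes":{"pod_name":"gatekeeper-audit-b765495d8-tb4kc","namespace_name":"gatekeeper-system"},"_gdch_tenant_id":"infra-obs"}''',
    r'''{"stream":"stderr","logtag":"F","log":"{\"level\":\"info\",\"ts\":1670972940.2,\"logger\":\"controller\",\"msg\":\"auditing is complete\",\"process\":\"audit\",\"audit_id\":\"2022-12-13T23:07:11Z\",\"event_type\":\"audit_finished\"}","kubernetes":{"pod_name":"gatekeeper-audit-b765495d8-tb4kc","namespace_name":"gatekeeper-system"}}''',
]


def parse_gatekeeper_record(raw: str) -> dict:
    """Decode the forwarder wrapper, then the JSON line Gatekeeper wrote to stderr.

    The pod name lives in the wrapper's "kubernetes" object, so it is copied
    into the decoded event to provide the schema's "source of the action" field.
    """
    outer = json.loads(raw)
    event = json.loads(outer["log"])
    event["pod_name"] = outer.get("kubernetes", {}).get("pod_name")
    return event


def summarize_audit_runs(events: list) -> dict:
    """Group audit-controller events by audit_id and collect what each run reported."""
    runs: dict = {}
    for ev in events:
        if ev.get("process") != "audit":
            continue  # webhook or controller events, not part of an audit run
        run = runs.setdefault(ev.get("audit_id"), {
            "started": False, "finished": False, "pod_name": ev.get("pod_name"),
            "constraints": {}, "violations": [],
        })
        kind = ev.get("event_type")
        if kind == "audit_started":
            run["started"] = True
        elif kind == "audit_finished":
            run["finished"] = True
        elif kind == "constraint_audited":
            # constraint_violations is logged as a string ("64"), so convert it.
            run["constraints"][ev["constraint_name"]] = {
                "kind": ev.get("constraint_kind"),
                "action": ev.get("constraint_action"),
                "status": ev.get("constraint_status"),
                "violations": int(ev.get("constraint_violations", "0")),
            }
        elif kind == "violation_audited":
            run["violations"].append({
                "constraint": ev.get("constraint_name"),
                "msg": ev.get("msg"),
                "details": ev.get("details"),
            })
    return runs


def enforced_constraints_with_violations(runs: dict) -> list:
    """(audit_id, constraint, count) for deny-mode, enforced constraints that still have violators.

    A deny constraint rejects new offenders at admission, so resources the audit
    still reports typically predate the constraint or were admitted while the
    webhook was unavailable or exempted; they need cleanup, not just logging.
    """
    hits = []
    for audit_id, run in runs.items():
        for name, c in run["constraints"].items():
            if c["action"] == "deny" and c["status"] == "enforced" and c["violations"] > 0:
                hits.append((audit_id, name, c["violations"]))
    return hits


if __name__ == "__main__":
    runs = summarize_audit_runs([parse_gatekeeper_record(r) for r in SAMPLE_RECORDS])
    print(json.dumps(runs, indent=2))
    print(enforced_constraints_with_violations(runs))
```

A run whose audit_id has "started" but never "finished" is worth alerting on in its own right: the audit controller restarted or was starved mid-run, and the violation counts for that audit_id are incomplete.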