OPA Gatekeeper (OPA)

All operations through the Kubernetes API

Log schema: KRM API

Fields in the log entry that contain audit information
Audit metadata | Audit field name | Value
Identity of user or service | user

"user": {
  "groups": [
    "system:authenticated"
  ],
  "username": "fop-platform-admin@example.com"
},
"annotations": {
  "authorization.k8s.io/decision": "allow",
  "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"project-creator-binding\" of ClusterRole \"project-creator\" to Group \"system:authenticated\""
}

Target (field and value that call the API) | objectRef

"objectRef": {
  "apiVersion": "v1",
  "name": "app1-project",
  "resource": "projects",
  "namespace": "gpc-system",
  "apiGroup": "resourcemanager.gdc.goog"
}

Action (field containing the operation performed) | verb

"verb": "create"

Event timestamp | requestReceivedTimestamp

"requestReceivedTimestamp": "2022-12-09T23:51:56.997825Z"

Source of the action | sourceIPs

"sourceIPs": [
  "10.200.0.2"
]

Outcome | responseStatus

"responseStatus": {
  "code": 403,
  "status": "Failure",
  "metadata": {},
  "message": "admission webhook \"validation.gatekeeper.sh\" denied the request: [restrictprojectaccess] username <fop-platform-admin@example.com> with groups <[\"system:authenticated\"]> is not allowed for this resource <Project/app1-project>",
  "reason": "[restrictprojectaccess] username <fop-platform-admin@example.com> with groups <[\"system:authenticated\"]> is not allowed for this resource <Project/app1-project>"
}

Other fields | responseStatus_message

"responseStatus": {
  "code": 403,
  "status": "Failure",
  "metadata": {},
  "message": "admission webhook \"validation.gatekeeper.sh\" denied the request: [restrictprojectaccess] username <fop-platform-admin@example.com> with groups <[\"system:authenticated\"]> is not allowed for this resource <Project/app1-project>",
  "reason": "[restrictprojectaccess] username <fop-platform-admin@example.com> with groups <[\"system:authenticated\"]> is not allowed for this resource <Project/app1-project>"
}

Example KRM API log

{
  "sourceIPs": [
    "10.200.0.2"
  ],
  "_gdch_cluster": "root-admin",
  "objectRef": {
    "apiVersion": "v1",
    "name": "app1-project",
    "resource": "projects",
    "namespace": "gpc-system",
    "apiGroup": "resourcemanager.gdc.goog"
  },
  "kind": "Event",
  "level": "Metadata",
  "apiVersion": "audit.k8s.io/v1",
  "auditID": "3611358c-f8b0-4780-9268-950eccc5881a",
  "stage": "ResponseComplete",
  "requestURI": "/apis/resourcemanager.gdc.goog/v1/namespaces/gpc-system/projects?fieldManager=kubectl-client-side-apply&fieldValidation=Strict",
  "verb": "create",
  "requestReceivedTimestamp": "2022-12-09T23:51:56.997825Z",
  "responseStatus": {
    "code": 403,
    "status": "Failure",
    "metadata": {},
    "message": "admission webhook \"validation.gatekeeper.sh\" denied the request: [restrictprojectaccess] username <fop-platform-admin@example.com> with groups <[\"system:authenticated\"]> is not allowed for this resource <Project/app1-project>",
    "reason": "[restrictprojectaccess] username <fop-platform-admin@example.com> with groups <[\"system:authenticated\"]> is not allowed for this resource <Project/app1-project>"
  },
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-b9kk4",
  "stageTimestamp": "2022-12-09T23:51:57.015134Z",
  "userAgent": "kubectl/v1.25.4 (linux/amd64) kubernetes/872a965",
  "user": {
    "groups": [
      "system:authenticated"
    ],
    "username": "fop-platform-admin@example.com"
  },
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"project-creator-binding\" of ClusterRole \"project-creator\" to Group \"system:authenticated\""
  },
  "_gdch_service_name": "apiserver"
}
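The KRM API event above is worth flagging in detection logic because RBAC allowed the call while the Gatekeeper admission webhook still returned 403. The following is an added example (not from the original page or from Gatekeeper itself) that maps one such event onto the audit metadata rows of the table above; the function name and the condensed sample event are constructed for this illustration.

```python
import json
import re

# Constructed sample: a condensed copy of the KRM API audit event shown above
# (RBAC allowed the create, the Gatekeeper admission webhook denied it).
SAMPLE_EVENT = json.dumps({
    "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
    "verb": "create", "requestReceivedTimestamp": "2022-12-09T23:51:56.997825Z",
    "sourceIPs": ["10.200.0.2"],
    "user": {"username": "fop-platform-admin@example.com", "groups": ["system:authenticated"]},
    "objectRef": {"apiGroup": "resourcemanager.gdc.goog", "resource": "projects",
                  "namespace": "gpc-system", "name": "app1-project"},
    "annotations": {"authorization.k8s.io/decision": "allow"},
    "responseStatus": {"code": 403, "status": "Failure", "message":
        'admission webhook "validation.gatekeeper.sh" denied the request: '
        '[restrictprojectaccess] username <fop-platform-admin@example.com> with groups '
        '<["system:authenticated"]> is not allowed for this resource <Project/app1-project>'},
})

# Gatekeeper denials carry the webhook name and the constraint name in the message.
WEBHOOK_DENIAL = re.compile(
    r'^admission webhook "(?P<webhook>[^"]+)" denied the request: \[(?P<constraint>[^\]]+)\]')

def summarize_krm_event(line):
    """Map one KRM API audit event onto the audit metadata rows of the table above.
    Returns None for lines that are not completed audit events."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if ev.get("kind") != "Event" or ev.get("stage") != "ResponseComplete":
        return None
    ref = ev.get("objectRef", {})
    status = ev.get("responseStatus", {})
    denial = WEBHOOK_DENIAL.match(status.get("message", ""))
    return {
        "identity": ev.get("user", {}).get("username"),
        "target": "{}/{}/{}/{}".format(ref.get("apiGroup", ""), ref.get("resource", ""),
                                      ref.get("namespace", ""), ref.get("name", "")),
        "action": ev.get("verb"),
        "timestamp": ev.get("requestReceivedTimestamp"),
        "source": (ev.get("sourceIPs") or [None])[0],
        "outcome": status.get("code"),
        # The interesting case: RBAC said allow but admission still returned 403.
        "rbac_decision": ev.get("annotations", {}).get("authorization.k8s.io/decision"),
        "denied_by_webhook": denial.group("webhook") if denial else None,
        "constraint": denial.group("constraint") if denial else None,
    }
```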

Starting the audit process

Log schema: Gatekeeper

Fields in the log entry that contain audit information
Audit metadata | Audit field name | Value
Identity of user or service | Not applicable
Target (field and value that call the API) | process

\"process\":\"audit\"

Action (field containing the operation performed) | event_type

\"event_type\":\"audit_started\"

Event timestamp | audit_id

\"audit_id\":\"2022-12-13T23:07:11Z\"

Source of the action | pod_name

"pod_name": "gatekeeper-audit-b765495d8-tb4kc"

Outcome | msg

\"msg\":\"auditing constraints and violations\"

Other fields | Not applicable

Completing the audit process

Log schema: Gatekeeper

Fields in the log entry that contain audit information
Audit metadata | Audit field name | Value
Identity of user or service | Not applicable
Target (field and value that call the API) | process

\"process\":\"audit\"

Action (field containing the operation performed) | event_type

\"event_type\":\"audit_finished\"

Event timestamp | audit_id

\"audit_id\":\"2022-12-13T23:05:32Z\"

Source of the action | pod_name

"pod_name": "gatekeeper-audit-b765495d8-tb4kc"

Outcome | msg

\"msg\":\"auditing is complete\"

Other fields | Not applicable

Audit violations

Log schema: Gatekeeper

Fields in the log entry that contain audit information
Audit metadata | Audit field name | Value
Identity of user or service | details

\"details\":{\"missing_labels\":[\"gatekeeper\"]}

Target (field and value that call the API) | process

\"process\":\"audit\"

Action (field containing the operation performed) | event_type

\"event_type\":\"violation_audited\"

Event timestamp | audit_id

\"audit_id\":\"2022-12-13T23:07:11Z\"

Source of the action | pod_name

"pod_name": "gatekeeper-audit-b765495d8-tb4kc"

Outcome | msg

\"msg\":\"you must provide labels: {\\\"gatekeeper\\\"}\"

Other fields | Not applicable

Audit constraints

Log schema: Gatekeeper

Fields in the log entry that contain audit information
Audit metadata | Audit field name | Value
Identity of user or service | constraint_name

\"constraint_name\":\"ns-must-have-gk\"

Target (field and value that call the API) | process

\"process\":\"audit\"

Action (field containing the operation performed) | event_type

\"event_type\":\"constraint_audited\"

Event timestamp | audit_id

\"audit_id\":\"2022-12-13T23:07:11Z\"

Source of the action | pod_name

"pod_name": "gatekeeper-audit-b765495d8-tb4kc"

Outcome | msg

\"msg\":\"audit results for constraint\"

Other fields | Not applicable

Example Gatekeeper log

{
  "stream":"stderr",
  "logtag":"F",
  "log":"{
    \"level\":\"info\",
    \"ts\":1670972934.0394588,
    \"logger\":\"controller\",
    \"msg\":\"audit results for constraint\",
    \"process\":\"audit\",
    \"audit_id\":\"2022-12-13T23:07:11Z\",
    \"event_type\":\"constraint_audited\",
    \"constraint_group\":\"constraints.gatekeeper.sh\",
    \"constraint_api_version\":\"v1\",
    \"constraint_kind\":\"K8sRequiredLabels\",
    \"constraint_name\":\"ns-must-have-gk\",
    \"constraint_namespace\":\"\",
    \"constraint_action\":\"deny\",
    \"constraint_status\":\"enforced\",
    \"constraint_violations\":\"64\"
    }",
  "kubernetes":{
    "pod_name": "gatekeeper-audit-b765495d8-tb4kc",
    "namespace_name":"gatekeeper-system",
    "pod_id":"3c75b257-0917-4575-bb69-ab5eb6f5839d",
    "labels":{
      "app": "gatekeeper",
      "chart": "gatekeeper",
      "control-plane":"audit-controller",
      "gatekeeper.sh/operation":"audit",
      "gatekeeper.sh/system": "yes",
      "heritage" : "Helm",
      "pod-template-hash": "b765495d8",
      "release":"gatekeeper"
      },
    "host": "gpc-adhoc-2801b240vm-worker-node2",
    "container_name": "manager",
    "docker_id":"33f7eb658cb7a17c50ce917dcc727628bc40ea7d160fb1a20d0d61ae4e51b473",
    "container_hash": "gcr.io/private-cloud-staging/gatekeeper@sha256:5d91735b2378723a74930cdff2298efeea6f6bebc8ea9dd0106bfdb067f5a07d",
    "container_image": "gcr.io/private-cloud-staging/gatekeeper:v3.7.0"
    },
  "_gdch_tenant_id":"infra-obs"
}
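In the Gatekeeper log above the audit fields (process, event_type, audit_id, constraint_name, msg) sit inside the JSON string under "log", wrapped by the log forwarder's record, and the four event types of one audit run share an audit_id. The following is an added example (not from the original page or from Gatekeeper) that unwraps such records and groups them by audit run; the sample lines, the function names and the helper that builds the wrapped records are constructed for this illustration.

```python
import json

# Constructed sample lines in the forwarder's wrapped shape shown above: an audit
# start, one constraint result and one violation sharing audit_id, plus a non-JSON line.
def _wrap(inner):
    return json.dumps({"stream": "stderr", "logtag": "F", "log": json.dumps(inner),
                       "kubernetes": {"pod_name": "gatekeeper-audit-b765495d8-tb4kc",
                                      "namespace_name": "gatekeeper-system"}})

SAMPLE_LINES = [
    _wrap({"level": "info", "msg": "auditing constraints and violations", "process": "audit",
           "audit_id": "2022-12-13T23:07:11Z", "event_type": "audit_started"}),
    _wrap({"level": "info", "msg": "audit results for constraint", "process": "audit",
           "audit_id": "2022-12-13T23:07:11Z", "event_type": "constraint_audited",
           "constraint_kind": "K8sRequiredLabels", "constraint_name": "ns-must-have-gk",
           "constraint_action": "deny", "constraint_status": "enforced",
           "constraint_violations": "64"}),
    _wrap({"level": "info", "msg": "you must provide labels: {\"gatekeeper\"}",
           "process": "audit", "audit_id": "2022-12-13T23:07:11Z",
           "event_type": "violation_audited", "constraint_name": "ns-must-have-gk",
           "details": {"missing_labels": ["gatekeeper"]}}),
    '{"stream":"stderr","logtag":"F","log":"not json at all"}',
]

def parse_gatekeeper_line(line):
    """Unwrap one forwarder record: the audit fields live in the JSON string under "log".
    Returns None for lines that are not parseable Gatekeeper audit records."""
    try:
        outer = json.loads(line)
        inner = json.loads(outer["log"])
    except (json.JSONDecodeError, KeyError, TypeError):
        return None
    if not isinstance(inner, dict) or inner.get("process") != "audit":
        return None
    # The source of the action (pod_name) is in the wrapper, not the inner record.
    inner["pod_name"] = outer.get("kubernetes", {}).get("pod_name")
    return inner

def summarize_audit(lines):
    """Group records by audit_id; per run, record event types, violation counts
    per constraint (constraint_violations is a string in the log) and violations."""
    runs = {}
    for line in lines:
        rec = parse_gatekeeper_line(line)
        if rec is None:
            continue
        run = runs.setdefault(rec["audit_id"], {"events": [], "constraints": {}, "violations": []})
        run["events"].append(rec["event_type"])
        if rec["event_type"] == "constraint_audited":
            run["constraints"][rec["constraint_name"]] = int(rec.get("constraint_violations", 0))
        elif rec["event_type"] == "violation_audited":
            run["violations"].append((rec["constraint_name"], rec.get("details")))
    return runs
```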