top of page

Enhancing Security in OpenShift with Custom Audit Log Policies





Introduction


Monitoring activity and tracking changes within your Kubernetes-based applications is crucial for maintaining security and ensuring smooth operations. OpenShift Container Platform 4.12, developed by Red Hat, provides a powerful environment for deploying and managing containerized applications. In this blog post, we’ll explore how to create custom audit log policies in OpenShift to log specific events and provide insights that help you identify potential security risks.


Understanding Audit Log Policies in OpenShift


By default, OpenShift records requests made to the kube-apiserver using audit logs. These logs are generated based on an audit policy, which defines the rules for logging actions performed within the cluster. The default policy logs metadata only, but you can create custom policies to log additional information.


There are four audit levels you can set in your policy:

  1. None: No logging

  2. Metadata: Logs request metadata but not request or response body

  3. Request: Logs request metadata and request body, but not the response body

  4. RequestResponse: Logs request and response metadata, as well as request and response body

A custom audit policy is organized into rules, which match specific resources, non-resource URLs, users, and groups. You can also use wildcards to match multiple items.


Industry Example: Configuring Custom Audit Log Policies for a Financial Institution


Let’s assume you work for a financial institution that uses OpenShift to manage its containerized applications. To ensure compliance with financial regulations and protect sensitive data, you need to create a custom audit policy that logs specific events and request/response details.


Here’s how you can configure a custom audit policy in OpenShift:


  1. Create a YAML file with your custom policy rules. In this example, the policy will log request and response bodies for all actions performed on resources related to transactions and user profiles.

Below is a sample YAML file for a custom audit policy. Keep in mind that you should modify the apiGroups, resources, and namespaces to match your specific application's resources and requirements.


apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Log metadata for all requests
  - level: Metadata

  # Log request and response bodies for transactions-related resources
  - level: RequestResponse
    resources:
      - group: "your-api-group"
        resources: ["transactions"]
    namespaces: ["your-transaction-namespace"]

  # Log request and response bodies for user-profiles-related resources
  - level: RequestResponse
    resources:
      - group: "your-api-group"
        resources: ["user-profiles"]
    namespaces: ["your-user-profile-namespace"]

Make sure to replace the placeholders your-api-group, your-transaction-namespace, and your-user-profile-namespace with the appropriate values that correspond to your application's resource groups and namespaces. This example assumes that your transactions and user profiles are represented as custom resources in your cluster.


2. Create a ConfigMap from the YAML file. Upload the file to your OpenShift cluster using the ‘oc’ command-line tool or the web console.


To create a ConfigMap from the YAML file, first save the custom audit policy YAML file locally. For this example, let’s name it custom_audit_policy.yaml. Then, use the oc command-line tool to create the ConfigMap in your OpenShift cluster. Execute the following command:


oc create configmap custom-audit-policy --from-file=policy.yaml=custom_audit_policy.yaml -n openshift-config

This command creates a ConfigMap named custom-audit-policy in the openshift-config namespace using the contents of the custom_audit_policy.yaml file. The key for the audit policy within the ConfigMap is set to policy.yaml.


Once the ConfigMap is created, you can view its details by running:


oc get configmap custom-audit-policy -n openshift-config -o yaml

This will display the ConfigMap details, including the audit policy configuration under the data field.


Here is an example of a ConfigMap YAML file created from a custom audit policy. This is how the ConfigMap would look after it was created using the oc create configmap


apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-audit-policy
  namespace: openshift-config
data:
  policy.yaml: |
    apiVersion: audit.k8s.io/v1
    kind: Policy
    rules:
      # Log metadata for all requests
      - level: Metadata

      # Log request and response bodies for transactions-related resources
      - level: RequestResponse
        resources:
          - group: "your-api-group"
            resources: ["transactions"]
        namespaces: ["your-transaction-namespace"]

      # Log request and response bodies for user-profiles-related resources
      - level: RequestResponse
        resources:
          - group: "your-api-group"
            resources: ["user-profiles"]
        namespaces: ["your-user-profile-namespace"]

In this example, the custom audit policy is embedded as a string under the data field with the key policy.yaml. The metadata section specifies the name of the ConfigMap (custom-audit-policy) and the namespace it resides in (openshift-config).


3. Edit the kube-apiserver configuration to use the custom policy. Update the configuration to reference the ConfigMap you created in step 2.


To edit the kube-apiserver configuration to use the custom audit policy, you’ll need to modify the kubeAPIServer field of the APIServer custom resource in the openshift-config namespace. Follow these steps:


  1. First, export the current APIServer configuration to a YAML file:

oc get apiserver cluster -o yaml > apiserver.yaml

2. Open the apiserver.yaml file with a text editor and locate the spec field. If a kubeAPIServer field does not already exist, add it under the spec field. Then, add or modify the audit section to reference the custom-audit-policy ConfigMap you created earlier:


apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  kubeAPIServer:
    audit:
      profile: Custom
      customRules:
        name: custom-audit-policy
        key: policy.yaml

In this example, the profile field is set to Custom, and the customRules field specifies the name and key of the ConfigMap containing the custom audit policy.


3. Apply the updated APIServer configuration


oc apply -f apiserver.yaml

This command will update the kube-apiserver configuration to use the custom audit policy. The kube-apiserver will automatically restart and apply the new policy. Once it is running with the new configuration, you’ll see the custom audit logs being generated according to the rules you specified in your custom audit policy YAML file.


4. Save the changes and restart the kube-apiserver to apply the new policy.


In OpenShift Container Platform, you don’t need to manually restart the kube-apiserver after applying the new policy. The changes will be applied automatically once you update the APIServer custom resource with the custom audit policy.


As described in the previous answer, after editing the apiserver.yaml file, you apply the updated configuration using the following command:


oc apply -f apiserver.yaml

Once this command is executed, the OpenShift cluster will automatically apply the updated configuration and restart the kube-apiserver as needed. The custom audit policy will take effect, and you’ll start seeing the custom audit logs being generated according to the rules you specified in your custom audit policy YAML file.


Keep in mind that it may take a few moments for the changes to be applied and for the kube-apiserver to restart. You can monitor the kube-apiserver status by running the following command:


oc get pods -n openshift-kube-apiserver

When the kube-apiserver pods show a Running status, it means the new custom audit policy is in effect.


By following these steps, you’ll have a custom audit policy in place that logs the required information to meet industry regulations and protect your organization’s data.


Conclusion


Custom audit log policies in OpenShift Container Platform 4.12 provide a flexible way to monitor cluster activity, track changes, and identify potential security risks. By tailoring the audit policy to your organization’s specific needs and industry requirements, you can ensure that your containerized applications remain secure and compliant.


We hope this blog post has been helpful in guiding you through the process of creating and applying custom audit log policies in OpenShift. If you have any questions or would like to learn more about related topics, feel free to reach out or follow me on my social media channels:

  • Connect with me on LinkedIn

  • Follow me on Twitter

Stay tuned for more insightful articles on Kubernetes, OpenShift, containerization technologies, Automation and DevOps. Happy auditing!

28 views0 comments

Comments


bottom of page