From 0c924ab5c50e3522d5e35dea014aeb2573eeb384 Mon Sep 17 00:00:00 2001
From: "belokobylskii.i"
Date: Thu, 10 Oct 2024 10:56:46 +0300
Subject: [PATCH 1/2] feat: add audit logs parameters to kubernetes options
---
 pkg/v1/cluster/requests_opts.go | 4 +-
 pkg/v1/cluster/schemas.go | 23 +++-
 pkg/v1/cluster/testing/fixtures.go | 210 +++++++++++++++++++++++++----
 3 files changed, 210 insertions(+), 27 deletions(-)
diff --git a/pkg/v1/cluster/requests_opts.go b/pkg/v1/cluster/requests_opts.go
index 73b4820..4fa1b46 100644
--- a/pkg/v1/cluster/requests_opts.go
+++ b/pkg/v1/cluster/requests_opts.go
@@ -48,7 +48,7 @@ type CreateOpts struct {
 Zonal *bool `json:"zonal,omitempty"`
 
 // KubernetesOptions represents additional k8s options such as pod security policy,
-// feature gates (Alpha stage only) and admission controllers.
+// feature gates (Alpha stage only), admission controllers and audit logs.
 KubernetesOptions *KubernetesOptions `json:"kubernetes_options,omitempty"`
 
 // PrivateKubeAPI specifies if kube API should be available from the Internet or not.
@@ -71,6 +71,6 @@ type UpdateOpts struct {
 EnablePatchVersionAutoUpgrade *bool `json:"enable_patch_version_auto_upgrade,omitempty"`
 
 // KubernetesOptions represents additional k8s options such as pod security policy,
-// feature gates (Alpha stage only) and admission controllers.
+// feature gates (Alpha stage only), admission controllers and audit logs.
 KubernetesOptions *KubernetesOptions `json:"kubernetes_options,omitempty"`
 }
diff --git a/pkg/v1/cluster/schemas.go b/pkg/v1/cluster/schemas.go
index 32d0aa7..650ab7d 100644
--- a/pkg/v1/cluster/schemas.go
+++ b/pkg/v1/cluster/schemas.go
@@ -123,7 +123,7 @@ type View struct {
 Zonal bool `json:"zonal"`
 
 // KubernetesOptions represents additional k8s options such as pod security policy,
-// feature gates (Alpha stage only) and admission controllers.
+// feature gates (Alpha stage only), admission controllers and audit logs.
 KubernetesOptions *KubernetesOptions `json:"kubernetes_options,omitempty"`
 
 PrivateKubeAPI bool `json:"private_kube_api"`
@@ -152,7 +152,7 @@ func (result *View) UnmarshalJSON(b []byte) error {
 }
 
 // KubernetesOptions represents additional k8s options such as pod security policy,
-// feature gates (Alpha stage only) and admission controllers.
+// feature gates (Alpha stage only), admission controllers and audit logs.
 type KubernetesOptions struct {
 // EnablePodSecurityPolicy indicates if PodSecurityPolicy admission controller
 // must be turned on/off.
@@ -163,6 +163,25 @@ type KubernetesOptions struct {
 
 // AdmissionControllers represents admission controllers that should be enabled.
 AdmissionControllers []string `json:"admission_controllers"`
+
+ // AuditLogs represents configuration of kubernetes audit logs in the cluster.
+ // More: https://docs.selectel.ru/en/cloud/managed-kubernetes/clusters/logs/#configure-integration-with-external-system
+ AuditLogs AuditLogs `json:"audit_logs"`
+}
+
+type AuditLogs struct {
+ // Enabled indicates whether kubernetes audit logs should be collected
+ // and pushed into SIEM system (e.g. logstash).
+ // False by default.
+ Enabled bool `json:"enabled"`
+
+ // SecretName contains name of the kubernetes secret in namespace kube-system
+ // with credentials of SIEM system where logs should be pushed.
+ // Fields of the secret: host, port, username (optional), password (optional), ca.crt (optional).
+ // This field is optional. By default, used "mks-audit-logs".
+ // Secret name should be as a DNS subdomain name as defined in RFC 1123.
+ // More: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
+ SecretName string `json:"secret_name"`
 }
 
 // KubeconfigFields is a struct that contains Kubeconfigs parsed fields and raw kubeconfig.
diff --git a/pkg/v1/cluster/testing/fixtures.go b/pkg/v1/cluster/testing/fixtures.go
index 0d57ef9..01f34c1 100644
--- a/pkg/v1/cluster/testing/fixtures.go
+++ b/pkg/v1/cluster/testing/fixtures.go
@@ -36,11 +36,15 @@ const testGetClusterResponseRaw = `
 "feature_gates": [
 "TTLAfterFinished",
 "CSIMigrationOpenStack"
- ],
+ ],
 "admission_controllers": [
 "NamespaceLifecycle",
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 }
 }
@@ -78,6 +82,10 @@ var expectedGetClusterResponse = &cluster.View{
 "NamespaceLifecycle",
 "LimitRanger",
 },
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 }
 
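Review bot: The new `AuditLogs` field is a plain value with no `omitempty`, so any `CreateOpts` or `UpdateOpts` that sets `KubernetesOptions` now serializes `"audit_logs": {"enabled": false, "secret_name": ""}` even when the caller never touched audit logging; the update fixture at `@@ -1658,7 +1818,11 @@` shows exactly that payload for a PSP-only change. Whether the API treats that as an explicit disable is not visible here, but if it does, an unrelated update could silently switch off audit-log collection on a cluster, so a pointer field tagged `json:"audit_logs,omitempty"` (or a documented statement that the server ignores the zero value) would be safer. The exported type also lacks a doc comment; `// AuditLogs describes the audit-log integration of a cluster.` above `type AuditLogs struct` would satisfy the convention, and `// This field is optional. By default, used "mks-audit-logs".` reads better as `// Optional; defaults to "mks-audit-logs" when empty.`. The enclosing `KubernetesOptions` struct starts outside the hunk.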
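Review bot: Every fixture in this file now carries `"enabled": true` with the default secret name, so nothing exercises a response that omits the `audit_logs` key or one with a custom `secret_name`, and the decoded zero value of `cluster.AuditLogs` is never asserted. One response fixture without the key, expecting `AuditLogs: cluster.AuditLogs{}`, would pin that decoding stays compatible with responses that predate this field; the same gap applies to the remaining fixture hunks through `@@ -1132,6 +1288,10 @@`. The `- ],` / `+ ],` pairs look like whitespace-only changes, presumably trailing-space cleanup.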
@@ -109,11 +117,15 @@ const testGetZonalClusterResponseRaw = `
 "feature_gates": [
 "TTLAfterFinished",
 "CSIMigrationOpenStack"
- ],
+ ],
 "admission_controllers": [
 "NamespaceLifecycle",
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 }
 }
@@ -149,6 +161,10 @@ var expectedGetZonalClusterResponse = &cluster.View{
 "NamespaceLifecycle",
 "LimitRanger",
 },
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 }
 
@@ -179,7 +195,11 @@ const testListClustersResponseRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 },
 {
@@ -205,7 +225,11 @@ const testListClustersResponseRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 },
 {
@@ -231,7 +255,11 @@ const testListClustersResponseRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 },
 {
@@ -257,7 +285,11 @@ const testListClustersResponseRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 },
 {
@@ -283,7 +315,11 @@ const testListClustersResponseRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 },
 {
@@ -309,7 +345,11 @@ const testListClustersResponseRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 },
 {
@@ -335,7 +375,11 @@ const testListClustersResponseRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 },
 {
@@ -361,7 +405,11 @@ const testListClustersResponseRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 },
 {
@@ -387,7 +435,11 @@ const testListClustersResponseRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 },
 {
@@ -413,7 +465,11 @@ const testListClustersResponseRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 },
 {
@@ -439,7 +495,11 @@ const testListClustersResponseRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 },
 {
@@ -465,7 +525,11 @@ const testListClustersResponseRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 },
 {
@@ -491,7 +555,11 @@ const testListClustersResponseRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 },
 {
@@ -517,7 +585,11 @@ const testListClustersResponseRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 },
 {
@@ -543,7 +615,11 @@ const testListClustersResponseRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 },
 {
@@ -569,7 +645,11 @@ const testListClustersResponseRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 }
 ]
@@ -602,6 +682,10 @@ var expectedListClustersResponse = []*cluster.View{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 },
 {
@@ -628,6 +712,10 @@ var expectedListClustersResponse = []*cluster.View{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 },
 {
@@ -654,6 +742,10 @@ var expectedListClustersResponse = []*cluster.View{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 },
 {
@@ -680,6 +772,10 @@ var expectedListClustersResponse = []*cluster.View{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 },
 {
@@ -706,6 +802,10 @@ var expectedListClustersResponse = []*cluster.View{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 },
 {
@@ -732,6 +832,10 @@ var expectedListClustersResponse = []*cluster.View{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 },
 {
@@ -758,6 +862,10 @@ var expectedListClustersResponse = []*cluster.View{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 },
 {
@@ -784,6 +892,10 @@ var expectedListClustersResponse = []*cluster.View{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 },
 {
@@ -810,6 +922,10 @@ var expectedListClustersResponse = []*cluster.View{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 },
 {
@@ -836,6 +952,10 @@ var expectedListClustersResponse = []*cluster.View{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 },
 {
@@ -862,6 +982,10 @@ var expectedListClustersResponse = []*cluster.View{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 },
 {
@@ -888,6 +1012,10 @@ var expectedListClustersResponse = []*cluster.View{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 },
 {
@@ -914,6 +1042,10 @@ var expectedListClustersResponse = []*cluster.View{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 },
 {
@@ -940,6 +1072,10 @@ var expectedListClustersResponse = []*cluster.View{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 },
 {
@@ -966,6 +1102,10 @@ var expectedListClustersResponse = []*cluster.View{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 },
 {
@@ -992,6 +1132,10 @@ var expectedListClustersResponse = []*cluster.View{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 },
 }
@@ -1031,7 +1175,11 @@ const testCreateClusterOptsRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 }
 }
@@ -1067,6 +1215,10 @@ var testCreateClusterOpts = &cluster.CreateOpts{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 }
 
@@ -1101,7 +1253,11 @@ const testCreateClusterResponseRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": true,
+ "secret_name": "mks-audit-logs"
+ }
 }
 }
 }
@@ -1132,6 +1288,10 @@ var expectedCreateClusterResponse = &cluster.View{
 EnablePodSecurityPolicy: false,
 FeatureGates: []string{"CSIMigrationOpenStack"},
 AdmissionControllers: []string{"LimitRanger"},
+ AuditLogs: cluster.AuditLogs{
+ Enabled: true,
+ SecretName: "mks-audit-logs",
+ },
 },
 PrivateKubeAPI: false,
 }
@@ -1658,7 +1818,11 @@ const testUpdateClusterWithEnabledPSPOptsRaw = `
 ],
 "admission_controllers": [
 "LimitRanger"
- ]
+ ],
+ "audit_logs": {
+ "enabled": false,
+ "secret_name": ""
+ }
 }
 }
 }
From 981c49169c228e3d8f33d9126cdfc4e997bfc47e Mon Sep 17 00:00:00 2001
From: "belokobylskii.i"
Date: Tue, 15 Oct 2024 12:16:48 +0300
Subject: [PATCH 2/2] docs: remove stage of feature gates
---
 pkg/v1/cluster/requests_opts.go | 4 ++--
 pkg/v1/cluster/schemas.go | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkg/v1/cluster/requests_opts.go b/pkg/v1/cluster/requests_opts.go
index 4fa1b46..e80b149 100644
--- a/pkg/v1/cluster/requests_opts.go
+++ b/pkg/v1/cluster/requests_opts.go
@@ -48,7 +48,7 @@ type CreateOpts struct {
 Zonal *bool `json:"zonal,omitempty"`
 
 // KubernetesOptions represents additional k8s options such as pod security policy,
-// feature gates (Alpha stage only), admission controllers and audit logs.
+// feature gates, admission controllers and audit logs.
 KubernetesOptions *KubernetesOptions `json:"kubernetes_options,omitempty"`
 
 // PrivateKubeAPI specifies if kube API should be available from the Internet or not.
@@ -71,6 +71,6 @@ type UpdateOpts struct {
 EnablePatchVersionAutoUpgrade *bool `json:"enable_patch_version_auto_upgrade,omitempty"`
 
 // KubernetesOptions represents additional k8s options such as pod security policy,
-// feature gates (Alpha stage only), admission controllers and audit logs.
+// feature gates, admission controllers and audit logs.
 KubernetesOptions *KubernetesOptions `json:"kubernetes_options,omitempty"`
 }
diff --git a/pkg/v1/cluster/schemas.go b/pkg/v1/cluster/schemas.go
index 650ab7d..0e72727 100644
--- a/pkg/v1/cluster/schemas.go
+++ b/pkg/v1/cluster/schemas.go
@@ -123,7 +123,7 @@ type View struct {
 Zonal bool `json:"zonal"`
 
 // KubernetesOptions represents additional k8s options such as pod security policy,
-// feature gates (Alpha stage only), admission controllers and audit logs.
+// feature gates, admission controllers and audit logs.
 KubernetesOptions *KubernetesOptions `json:"kubernetes_options,omitempty"`
 
 PrivateKubeAPI bool `json:"private_kube_api"`
@@ -152,7 +152,7 @@ func (result *View) UnmarshalJSON(b []byte) error {
 }
 
 // KubernetesOptions represents additional k8s options such as pod security policy,
-// feature gates (Alpha stage only), admission controllers and audit logs.
+// feature gates, admission controllers and audit logs.
 type KubernetesOptions struct {
 // EnablePodSecurityPolicy indicates if PodSecurityPolicy admission controller
 // must be turned on/off.