Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Promote AdvancedAuditing to GA #65862

Merged
merged 1 commit into from
Aug 30, 2018

Conversation

loburm
Copy link
Contributor

@loburm loburm commented Jul 5, 2018

What this PR does / why we need it:
Removes deprecated legacy code used for basic audit logging in favor of advanced audit logging.

Promote AdvancedAuditing to GA, replacing the previous (legacy) audit logging mechanisms.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jul 5, 2018
@k8s-ci-robot k8s-ci-robot requested review from bowei and deads2k July 5, 2018 13:19
@loburm
Copy link
Contributor Author

loburm commented Jul 5, 2018

/assign @timstclair @sttts @CaoShuFeng

Also I'm not completely sure about audit format of log file. Currently we have legacy and json. I suppose that legacy should be removed, together with this option, but I haven't managed to find any information related to this.

@loburm loburm changed the title Remove basic audit logging code [WIP] Remove basic audit logging code Jul 5, 2018
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 5, 2018
@@ -266,11 +264,6 @@ func (o *AuditOptions) ApplyTo(c *server.Config) error {
return nil
}

// Apply legacy audit options if advanced audit is not enabled.
if !advancedAuditingEnabled() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the whole gate should be removed as well

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@sttts
Copy link
Contributor

sttts commented Jul 5, 2018

Also I'm not completely sure about audit format of log file. Currently we have legacy and json. I suppose that legacy should be removed, together with this option, but I haven't managed to find any information related to this.

Have we deprecated it properly in former releases?

@loburm loburm force-pushed the remove_basic_audit branch from 4501207 to d12130a Compare July 6, 2018 07:42
@sttts
Copy link
Contributor

sttts commented Jul 6, 2018

This is the flag description:

--audit-log-format string                                 Format of saved audits. "legacy" indicates 1-line text format for each event. "json" indicates structured json format. Requires the 'AdvancedAuditing' feature gate. Known formats are legacy,json. (default "json")

I don't see that "legacy" was deprecated. So I don't think we can immediately remove it.

/hold

/cc @lavalamp @deads2k

@k8s-ci-robot k8s-ci-robot requested a review from lavalamp July 6, 2018 07:43
@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 6, 2018
@loburm
Copy link
Contributor Author

loburm commented Jul 6, 2018

@sttts that is correct. Also we haven't specified it in any release notes, which means that we need to support this flag for few more releases.

@loburm
Copy link
Contributor Author

loburm commented Jul 6, 2018

/test pull-kubernetes-verify
/test pull-kubernetes-e2e-kops-aws

@loburm loburm changed the title [WIP] Remove basic audit logging code Remove basic audit logging code Jul 6, 2018
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 6, 2018
@loburm
Copy link
Contributor Author

loburm commented Jul 6, 2018

/test pull-kubernetes-e2e-kops-aws
/test pull-kubernetes-verify

@loburm
Copy link
Contributor Author

loburm commented Jul 9, 2018

/test pull-kubernetes-local-e2e
/test pull-kubernetes-e2e-kops-aws
/test pull-kubernetes-verify

@loburm
Copy link
Contributor Author

loburm commented Jul 10, 2018

@sttts is there any reason to hold this PR? I propose to deprecate --audit-log-format in the next PR. And then after two releases (1.14 I assume) we will be able to remove it.

@soltysh you may also be interested in reviewing it.

@CaoShuFeng
Copy link
Contributor

CaoShuFeng commented Jul 10, 2018

Why --audit-log-format is bad?

@loburm
Copy link
Contributor Author

loburm commented Jul 10, 2018

@CaoShuFeng it's not bad, but currently it can handle two values: legacy and json. legacy is supposed to be removed with basic auditing, unless you see any reasons to leave it?

@CaoShuFeng
Copy link
Contributor

I think --audit-log-format is part of advanced audit feature, not legacy audit feature.

@CaoShuFeng
Copy link
Contributor

legacy is supposed to be removed with basic auditing

When --audit-log-format is set to legacy, we are still using advanced audit feature, I think.

@sttts
Copy link
Contributor

sttts commented Jul 10, 2018

is there any reason to hold this PR? I propose to deprecate --audit-log-format in the next PR. And then after two releases (1.14 I assume) we will be able to remove it.

@loburm not sure I can follow. It's hold because we cannot merge it before the deprecation time is over.

@loburm
Copy link
Contributor Author

loburm commented Jul 10, 2018

@sttts to which deprecation time are you referring here? Basic audit logging was deprecated in 1.8 and we can remove it now. --audit-log-format flag and both values haven't been deprecated and I'm not removing them in this PR.

@loburm
Copy link
Contributor Author

loburm commented Aug 23, 2018

@timstclair I have squashed and rebased.

One job is failing but according to dashboard it fails for all PRs.

@tallclair
Copy link
Member

Thanks.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 23, 2018
@tallclair tallclair changed the title Remove basic audit logging code Promote AdvancedAuditing to GA Aug 23, 2018
@dims
Copy link
Member

dims commented Aug 27, 2018

/test pull-kubernetes-e2e-gke

@tallclair, folks, we need this for 1.12 right?

/milestone v1.12

@k8s-ci-robot k8s-ci-robot added this to the v1.12 milestone Aug 27, 2018
@loburm
Copy link
Contributor Author

loburm commented Aug 29, 2018

/retest

1 similar comment
@loburm
Copy link
Contributor Author

loburm commented Aug 29, 2018

/retest

@CaoShuFeng
Copy link
Contributor

This needs one approver from cluster/gce/OWNERS

@loburm
Copy link
Contributor Author

loburm commented Aug 30, 2018

/assign @MaciekPytel

@loburm
Copy link
Contributor Author

loburm commented Aug 30, 2018

/retest

@MaciekPytel
Copy link
Contributor

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: loburm, MaciekPytel, sttts, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 30, 2018
@k8s-github-robot
Copy link

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot
Copy link

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.

@k8s-github-robot k8s-github-robot merged commit 58ead1c into kubernetes:master Aug 30, 2018
tengqm added a commit to tengqm/website that referenced this pull request Aug 31, 2018
xref: kubernetes/kubernetes#65862

`AdvancedAuditing` feature is GA in 1.12. This PR adjusts the related
docs.
CaoShuFeng added a commit to CaoShuFeng/kubernetes.github.io that referenced this pull request Sep 3, 2018
CaoShuFeng added a commit to CaoShuFeng/kubernetes.github.io that referenced this pull request Sep 6, 2018
@sttts
Copy link
Contributor

sttts commented Sep 10, 2018

Did we forget to remove the legacy format constant?

Looks like it is still there:

return fmt.Sprintf("%s AUDIT: id=%q stage=%q ip=%q method=%q user=%q groups=%q as=%q asgroups=%q namespace=%q uri=%q response=\"%s\"",

k8s-ci-robot pushed a commit to kubernetes/website that referenced this pull request Sep 12, 2018
* audit 1.12 document

* remove legacy audit feature

kubernetes/kubernetes#65862

* update feature gate doc
@loburm
Copy link
Contributor Author

loburm commented Sep 12, 2018

Maybe I have misunderstood, but I thought that we don't want to remove this option because we haven't mentioned anywhere that it's going to be disabled (not documentation not in release notes). This option works with AdvancedAudit logging.

What I think we should do is to mark this option as deprecated in release notes and then remove after two cycles.

@tallclair
Copy link
Member

Yeah, legacy format can still be requested with advanced auditing. It doesn't seem worth deprecating to me.

k8s-ci-robot pushed a commit to kubernetes/website that referenced this pull request Sep 19, 2018
xref: kubernetes/kubernetes#65862

`AdvancedAuditing` feature is GA in 1.12. This PR adjusts the related
docs.
@@ -406,7 +406,7 @@ var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureS
// inherited features from generic apiserver, relisted here to get a conflict if it is changed
// unintentionally on either side:
genericfeatures.StreamingProxyRedirects: {Default: true, PreRelease: utilfeature.Beta},
genericfeatures.AdvancedAuditing: {Default: true, PreRelease: utilfeature.Beta},
genericfeatures.AdvancedAuditing: {Default: true, PreRelease: utilfeature.GA},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@loburm I think now based on kubernetes/website#10294 we should drop that feature gate.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct me if I'm wrong, but from my understanding now it's in GA and feature gate should be just deprecated (it's already no-op), and then after 6 months (2 releases) we can remove it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, was it deprecated in that case? At least mention that in the release notes and update docs. Although I think usually we should print the deprecation warning, I think it's worth adding to 1.12.1.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry I have missed this. Shall we deprecate it in 1.12.2 (not sure that policy allows us to do it in patch releases)? I would prefer to leave it for 1.13. WDYT?

k8s-ci-robot pushed a commit to kubernetes/website that referenced this pull request Sep 27, 2018
* Update docs for fields allowed at root of CRD schema (#9973)

* add plugin docs and examples (#10053)

* docs update to promote TaintNodesByCondition to beta (#9626)

* HPA Specificity Improvements (#8757)

Updated the HPA docs to reference the `autoscaling/v2beta2` API version,
and added documentation about the new fields.

* adjust docs for pod ready++ (#10049)

* Remove --cadvisor-port - has been deprecated since v1.10 (#10023)

Change-Id: Id2a685473a243aef492a98ff450759f39e362557

* Add Documentation for Snapshot Feature (#9948)

* Add documentation for snapshot feature

* Update volume-snapshots.md

* Add dry-run to api-concepts (#10033)

* kubeadm-init: Update the offline support section (#10062)

The update includes the following things (in mind with Kubernetes 1.12):

- Remove the 1.8 image versions
- Add the 1.10 image versions that were missing until now
- Include a comment for the missing arch suffixes in 1.12

Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>

* Say bye to `DynamicProvisioningScheduling` (#10157)

The mentioned feature gate is now collapsed into `VolumeScheduling`.

xref: kubernetes/kubernetes#67432

* Update ResourceQuota per PriorityClass state for 1.12 (#10229)

* TokenRequest and TokenRequestProjection now beta (#10161)

xref: kubernetes/kubernetes#67349

* Change feature state for kms provider to beta. (#10230)

KMS Provider will be graduating to beta in v1.12, reflecting this change on the website.

* coredns default (#10200)

* Promote ShareProcessNamespace to beta in docs (#9996)

* Add CoreDNS details to DNS Debug docs (#10201)

* add coredns details

* address nits, add query logging section

* Update docs with topology aware dynamic provisioning (#9939)

* Document topology aware volume binding feature

* update for readability

* Update storage-classes.md

* comma splice

* don't abbreviate

* HPA Algorithm Information Improvements (#9780)

* Update HPA docs with more algorithm details

The HPA docs pointed to an out-of-date document for information on the
algorithm details, which users were finding confusing.  This sticks a
section on the algorithm in the HPA docs instead, documenting both
general behavior and corner cases.

* Add glossary info, HPA docs on quantities

People often ask about the quantity notation when working with the
metrics APIs, so this adds a glossary entry on quantities (since they're
used elsewhere in the system), and a short explantation in the HPA walkthough.

* Information about HPA readiness and stabilization

This adds information about the new changes to HPA readiness and
stabilization from kubernetes/enhancements#591, and other minor changes that
landed in Kubernetes 1.12.

* Update horizontal-pod-autoscale.md

* Audit 1.12 doc (#9953)

* audit 1.12 document

* remove legacy audit feature

kubernetes/kubernetes#65862

* update feature gate doc

* MountPropagation is now GA (#10090)

* RuntimeClass documentation (#10102)

* RuntimeClass documentation

* Update runtime-class.md

* Add documentation for Scheduler performance tuning (#10048)

* Add documentation for Scheduler performance tuning

* Update scheduler-perf-tuning.md

* TTL controller for cleaning up finished resources (#10064)

* TTL controller for cleaning up finished resources

* Address comments

* Update ttlafterfinished.md

* Bump quota configuration api version (#10217)

* Incremental update from master (#10278)

* fix invalid href of cloud controller manager (#10240)

* fix invalid yaml format (#10238)

* update storage-limits doc with Azure disk part (#10224)

update storage-limits doc with Azure disk part

fix comments

* Update kubelet-config-file.md (#10222)

Update link to KubeletConfiguration struct.

* fix a trivial misspelling (#10244)

* Fix cassandra-statefulset.yaml indent level (#10243)

* Mention minimum etcd versions (#10208)

Source: https://groups.google.com/d/msg/kubernetes-dev/jMPA4JzKiY4/HIx2ugvLBAAJ

* fix 404 error (#10250)

* Small verb tweak (#10190)

Present participle, ftw.

* Add AnchorJS logic for header links (#10155)

* Add AnchorJS JavaScript

* Remove existing inpage_heading logic

* Remove underline from anchor tags

* Use single icon and add touch visibility

* Use paragraph link icon for AnchorJS

* Update Sass to use code formatting in docsContent headers

* Update header size coverage to H3-H6

* fix broken link in kubefed.md (#10254)

* Update the version numbers for the X-Remote-Extra- and Impersonate-Extra- key fixes (#9827)

The fix was cherry picked into 1.11.3, 1.10.7, and 1.9.11:

kubernetes/kubernetes#67162
kubernetes/kubernetes#67163
kubernetes/kubernetes#67164

* fix typo (#10168)

* fix typo

* addressing comments.

* Update setup-ha-etcd-with-kubeadm.md

* fix typos (#10252)

* fix description of contribute guide (#10253)

* describe truncate feature about advanced audit (#10236)

* describe truncate feature about advanced audit

* Update audit.md

* docs update to promote ScheduleDaemonSetPods to beta (#9923)

* Dynamic volume limit updates for 1.12 (#10211)

* add a placeholder commit

* Update docs for csi volume limits

* Update storage-limits.md

* Add "MayRunAs" value among other GroupStrategies (#9888)

* Add CoreDNS details to the customize DNS doc (#10228)

* Add CoreDNS details to the customize DNS doc

Rewrite the document to include more details about CoreDNS, since it's now the default from v1.12

* Address comments

* Improve doc wording

* Fix link

* Update dns-custom-nameservers.md

* Update dns-custom-nameservers.md

* Fix secrets docs in 1.12 branch (#10056)

* Fix secrets docs

* Update secret.md

* Revert CoreDNS Docs (#10319)

* Revert "Add CoreDNS details to DNS Debug docs (#10201)"

This reverts commit 462817a.

* Revert "Add CoreDNS details to the customize DNS doc (#10228)"

This reverts commit e7319ee.

* Revert "coredns default (#10200)"

This reverts commit 698e93b.

* Add CRI installation instructions page

Added cri-installation page with CRI installation instructions
Referenced it from kubeadm-init and install-kubeadm pages.

* kubeadm: update API types documentation for 1.12 (#10283)

v1alpha2 -> v1alpha3
MasterConfiguration -> [new-api-types]

* TokenRequest feature documentation (#10295)

* AdvancedAuditing is now GA (#10156)

xref: kubernetes/kubernetes#65862

`AdvancedAuditing` feature is GA in 1.12. This PR adjusts the related
docs.

* update runtime-class.md (#10332)

* update runtime-class.md

* Update runtime-class.md

* Document cross-authorizer permissions for creating RBAC roles (#10015)

* Document cross-authorizer permissions for creating RBAC roles

* Update rbac.md

* kubeadm: update authored content for 1.12 (reference docs and cluster creation) (#10348)

* kubeadm: update authored content in reference docs for 1.12

* kubeadm: add time frame in create-cluster-kubeadm for 1.12

* add AllowedProcMountTypes and ProcMountType to docs (#9911)

Signed-off-by: Jess Frazelle <acidburn@microsoft.com>

* kubeadm: add new command line reference (#10306)

Add:
- placeholder files
- include place holder files
- include "renew" sub command
- add missing tabs for "alpha phase kubelet"

* Documenting SCTP support in Kubernetes (#10279)

* Documenting SCTP support in Kubernetes Service, Endpoint, NetworkPolicy and Pod

* Updates based on comments on the PR

* kubectl expose update with SCTP support

* Updated according to comments in the PR

* Revert "kubectl expose update with SCTP support"

This reverts commit 0d5a1e6.

* TLS Bootstrap and Server Cert Rotation feature documentation (#10232)

* TokenRequest feature documentation

* line wrapping to make review not insane

* update content for GA without major refactor

* Update kubelet-tls-bootstrapping.md

* Add clarifications for volume snapshots (#10296)

* Update kubadm ha installation for 1.12 (#10264)

* Update kubadm ha installation for 1.12

Signed-off-by: Chuck Ha <ha.chuck@gmail.com>

* update stable version

Signed-off-by: Chuck Ha <ha.chuck@gmail.com>

* Update stacked control plane for v1.12 (#2)

* use v1alpha3

Signed-off-by: Chuck Ha <ha.chuck@gmail.com>

* more v1alpha3 (#4)

* updates

Signed-off-by: Chuck Ha <ha.chuck@gmail.com>

* Document how to run in-tree cloud providers with kubeadm (#10357)

Change-Id: Iab6b996a830503d74a6eb0c507c5f8ca7a39235b

* kubeadm reference doc for release 1.12 (#10359)

* Revert "Revert "Add CoreDNS details to DNS Debug docs (#10201)""

This reverts commit bb30f4d.

* Revert "Revert "Add CoreDNS details to the customize DNS doc (#10228)""

This reverts commit bc23d45.

* Revert "Revert "coredns default (#10200)""

This reverts commit 7f4350d.

* add missing instruction for ha guide (#10374)

Signed-off-by: Chuck Ha <ha.chuck@gmail.com>

* kubeadm - Ha upgrade updates (#10340)

* Update HA upgrade docs

* Adds external etcd HA upgrade guide

Signed-off-by: Chuck Ha <ha.chuck@gmail.com>

* copyedit

* more edits

* add runasgroup in psp (#10076)

* update KubeletPluginsWatcher feature gate (#10205)

* generated 1.12 docs

* Building Multi-arch images with Manifests (#10379)

In 1.12, a variety of images used in a typical kubernetes installation
have started to using manifests to better support environments with arm
or ppc64le architectures. For example all images used with kubeadm by
default have manifests, another would be all the tests in the
conformance test suite. Here we capture the best practices for everyone
to start using manifests in their own workflows.

Change-Id: I5ba4c5fe55ffc9486a8251760f3352be4f2e1494

* Upgrade docs for v1.12 (#10344)

* generated assets and docs

* remove 1.7

* update 1.12

* update plugin documentation under docs>tasks>extend-kubectl (#10259)

* update plugin documentation under docs>tasks>extend-kubectl

* Update kubectl-plugins.md
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.