Bug 1660596

- What is the nature and description of the request?

Support auditing of the effect of network policies on OpenShift. Logging all the passed and forbidden requests by a NetworkPolicy object.

- Why does the customer need this? (List the business requirements here)

The business requirement/justification for this feature is to enable OpenShift environments to host "multitenant/network zone" workload, where network activity on firewalling implemented by OpenShift policies are audit logged in a similar fashion to what would be expected from a full statefull firewall. This type of auditing is to support use-cases from an audit-log-monitoring solution to look for patterns of suspicious behavior on both Allow and Deny of the network policies. Audit log could support sample rates on network traffic to keep audit amounts down to a  manageable level.

Such audit logs would support compliance of security policies with customer where activity on firewall needs to be inspected at runtime to monitor network traffic for suspicious behavior (Intrusion Detection Support). 

- How would the customer like to achieve this? (List the functional requirements here)

Output audit log events similar to the Masters API with source/target IP/POD/namespace/container/PolicyRule of Allow and Deny types of network traffic. Log target and audit levels could be similarly configured to how the Basic Audit and Advanced Audit of OpenShift is working (https://docs.openshift.com/container-platform/3.10/install_config/master_node_configuration.html#master-node-config-audit-config).


- Would the customer be able to assist in testing this functionality if implemented?

Yes they can participate in the test activities of the feature, though requiring features to be somewhat stable and not seriously endanger use of features in shared OpenShift Test environments at customer.