Bug 1660596 - [RFE] Audit logging of network policy events [NEEDINFO]
Summary: [RFE] Audit logging of network policy events
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Ben Bennett
QA Contact: Xiaoli Tian
Depends On:
Reported: 2018-12-18 18:55 UTC by Anshul Verma
Modified: 2019-11-21 12:56 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-11-21 12:56:16 UTC
Target Upstream Version:
agawand: needinfo? (bbennett)
ansverma: needinfo? (bbennett)
ansverma: needinfo? (bbennett)


Description Anshul Verma 2018-12-18 18:55:31 UTC
- What is the nature and description of the request?

Support auditing of the effect of network policies on OpenShift. Logging all the passed and forbidden requests by a NetworkPolicy object.

- Why does the customer need this? (List the business requirements here)

The business requirement/justification for this feature is to enable OpenShift environments to host "multitenant/network zone" workload, where network activity on firewalling implemented by OpenShift policies is audit logged in a similar fashion to what would be expected from a full stateful firewall. This type of auditing is to support use-cases from an audit-log-monitoring solution to look for patterns of suspicious behavior on both Allow and Deny of the network policies. Audit log could support sample rates on network traffic to keep audit amounts down to a manageable level.

Such audit logs would support compliance of security policies with the customer, where activity on the firewall needs to be inspected at runtime to monitor network traffic for suspicious behavior (Intrusion Detection Support).

- How would the customer like to achieve this? (List the functional requirements here)

Output audit log events similar to the Masters API with source/target IP/POD/namespace/container/PolicyRule of Allow and Deny types of network traffic. Log target and audit levels could be similarly configured to how the Basic Audit and Advanced Audit of OpenShift is working (https://docs.openshift.com/container-platform/3.10/install_config/master_node_configuration.html#master-node-config-audit-config).

- Would the customer be able to assist in testing this functionality if implemented?

Yes, they can participate in the test activities of the feature, though this requires the feature to be somewhat stable and not seriously endanger use of features in shared OpenShift test environments at the customer.
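To make the functional requirements above concrete, here is an added example (not code from OpenShift, from this bug, or from the reporter) that models what such NetworkPolicy audit events could look like and how a consumer would use them. The event schema, the field names, the deterministic per-flow sampling scheme (Deny events always kept, Allow events sampled at a configurable rate) and the sample events are all assumptions for illustration; OpenShift 3.10 does not emit these events.

```python
"""Constructed model of NetworkPolicy audit events as requested in this RFE.

Added example; the schema, sampling scheme and sample events are assumptions,
not an OpenShift feature. Verdicts mirror the Allow/Deny types in the request.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class PolicyAuditEvent:
    verdict: str                 # "Allow" or "Deny", as in the RFE
    src_ip: str
    src_namespace: str
    src_pod: str
    dst_ip: str
    dst_namespace: str
    dst_pod: str
    dst_port: int
    policy_rule: Optional[str]   # hypothetical "namespace/policyname"; None = default deny


def flow_key(event: PolicyAuditEvent) -> str:
    """Stable key for a flow so the same flow is consistently sampled in or out."""
    return f"{event.src_ip}>{event.dst_ip}:{event.dst_port}"


def keep_event(event: PolicyAuditEvent, allow_sample_rate: float) -> bool:
    """Sampling policy: never drop a Deny, sample Allows deterministically.

    Hashing the flow key (rather than drawing a random number) keeps sampling
    reproducible across nodes and restarts, which an auditor can reason about.
    """
    if event.verdict == "Deny":
        return True
    digest = hashlib.sha256(flow_key(event).encode()).digest()
    bucket = int.from_bytes(digest[:4], "big") / 2 ** 32  # uniform in [0, 1)
    return bucket < allow_sample_rate


def to_audit_line(event: PolicyAuditEvent, level: str = "Metadata") -> str:
    """Serialize one event as a JSON log line (constructed format)."""
    record = {"kind": "NetworkPolicyAudit", "level": level, **asdict(event)}
    return json.dumps(record, sort_keys=True)


def parse_audit_line(line: str) -> PolicyAuditEvent:
    """Inverse of to_audit_line, for a consumer reading the log back."""
    record = json.loads(line)
    record.pop("kind", None)
    record.pop("level", None)
    return PolicyAuditEvent(**record)


def sampled_audit_lines(events: Iterable[PolicyAuditEvent],
                        allow_sample_rate: float) -> List[str]:
    """Apply the sampling policy and emit log lines for the events kept."""
    return [to_audit_line(e) for e in events if keep_event(e, allow_sample_rate)]


def denied_targets_per_source(events: Iterable[PolicyAuditEvent],
                              threshold: int) -> Dict[str, int]:
    """Detection helper: sources denied to at least `threshold` distinct targets.

    This is the kind of "pattern of suspicious behavior" the RFE wants an
    audit-log-monitoring solution to be able to find.
    """
    targets: Dict[str, set] = {}
    for e in events:
        if e.verdict == "Deny":
            src = f"{e.src_namespace}/{e.src_pod}"
            targets.setdefault(src, set()).add((e.dst_ip, e.dst_port))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def sample_events() -> List[PolicyAuditEvent]:
    """Constructed sample traffic: one pod repeatedly denied, normal traffic elsewhere."""
    deny = lambda port: PolicyAuditEvent("Deny", "10.128.0.5", "tenant-a", "web-1",
                                         "10.129.1.7", "tenant-b", "db-0", port, None)
    return [
        deny(5432), deny(3306), deny(6379),
        PolicyAuditEvent("Deny", "10.128.0.9", "tenant-a", "batch-2",
                         "10.129.1.7", "tenant-b", "db-0", 5432, None),
        PolicyAuditEvent("Allow", "10.128.0.5", "tenant-a", "web-1",
                         "10.128.0.6", "tenant-a", "api-1", 8080, "tenant-a/allow-web-to-api"),
        PolicyAuditEvent("Allow", "10.128.0.6", "tenant-a", "api-1",
                         "10.128.0.5", "tenant-a", "web-1", 8443, "tenant-a/allow-api-to-web"),
    ]


if __name__ == "__main__":
    for line in sampled_audit_lines(sample_events(), allow_sample_rate=0.5):
        print(line)
    print(denied_targets_per_source(sample_events(), threshold=3))
```

With `allow_sample_rate=0.0` only the four Deny events survive; with `1.0` all six are logged. Keeping every Deny while sampling Allows is one way to meet the "sample rates to keep audit amounts manageable" requirement without losing the events most relevant to intrusion detection.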

Comment 4 Kirsten Newcomer 2019-06-12 10:52:15 UTC
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers.  Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant.

This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed. 

If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progresses within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new

Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new 

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.

Comment 10 Stephen Cuppett 2019-11-21 12:56:16 UTC
OCP 3.6-3.10 is no longer on full support [1]. Marking un-triaged bugs CLOSED DEFERRED. If you have a customer case with a support exception or have reproduced on 3.11+, please reopen and include those details. When reopening, please set the Version to the appropriate version where reproduced.

[1]: https://access.redhat.com/support/policy/updates/openshift
