- What is the nature and description of the request?
Support auditing of the effect of network policies on OpenShift, logging all the requests passed and forbidden by a NetworkPolicy object.
- Why does the customer need this? (List the business requirements here)
The business requirement/justification for this feature is to enable OpenShift environments to host "multitenant/network zone" workloads, where network activity on the firewalling implemented by OpenShift policies is audit logged in a similar fashion to what would be expected from a full stateful firewall. This type of auditing is to support use-cases in which an audit-log-monitoring solution looks for patterns of suspicious behavior on both Allow and Deny decisions of the network policies. The audit log could support sampling rates on network traffic to keep audit volumes down to a manageable level.
Such audit logs would support compliance with the customer's security policies, where activity on the firewall needs to be inspected at runtime to monitor network traffic for suspicious behavior (Intrusion Detection Support).
- How would the customer like to achieve this? (List the functional requirements here)
Output audit log events similar to those of the master API, with source/target IP/pod/namespace/container/PolicyRule for both Allow and Deny types of network traffic. The log target and audit levels could be configured similarly to how the Basic Audit and Advanced Audit of OpenShift work (https://docs.openshift.com/container-platform/3.10/install_config/master_node_configuration.html#master-node-config-audit-config).
- Would the customer be able to assist in testing this functionality if implemented?
Yes, they can participate in the test activities for the feature, though this requires the feature to be somewhat stable and not seriously endanger the use of features in the customer's shared OpenShift test environments.
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers. Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant.
This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed.
If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progresses within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new
Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new
As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.
OCP 3.6-3.10 is no longer on full support. Marking un-triaged bugs CLOSED DEFERRED. If you have a customer case with a support exception or have reproduced on 3.11+, please reopen and include those details. When reopening, please set the Version to the appropriate version where reproduced.