Logs only metadata for read and write requests; does not log request bodies except for OAuth access token requests. This is the default policy.
You can control the amount of information that is logged to the API server audit logs by choosing the audit log policy profile to use.
Audit log profiles define how to log requests that come to the OpenShift API server, the Kubernetes API server, and the OAuth API server.
OpenShift Container Platform provides the following predefined audit policy profiles:
Profile | Description | ||
---|---|---|---|
|
Logs only metadata for read and write requests; does not log request bodies except for OAuth access token requests. This is the default policy. |
||
|
In addition to logging metadata for all requests, logs request bodies for every write request to the API servers ( |
||
|
In addition to logging metadata for all requests, logs request bodies for every read and write request to the API servers ( |
||
|
No requests are logged; even OAuth access token requests and OAuth authorize token requests are not logged. Custom rules are ignored when this profile is set.
|
Sensitive resources, such as Secret
, Route
, and OAuthClient
objects, are never logged past the metadata level.
By default, OpenShift Container Platform uses the Default
audit log profile. You can use another audit policy profile that also logs request bodies, but be aware of the increased resource usage (CPU, memory, and I/O).
You can configure the audit log policy to use when logging requests that come to the API servers.
You have access to the cluster as a user with the cluster-admin
role.
Edit the APIServer
resource:
$ oc edit apiserver cluster
Update the spec.audit.profile
field:
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
...
spec:
audit:
profile: WriteRequestBodies (1)
1 | Set to Default , WriteRequestBodies , AllRequestBodies , or None . The default profile is Default . |
It is not recommended to disable audit logging by using the |
Save the file to apply the changes.
Verify that a new revision of the Kubernetes API server pods is rolled out. It can take several minutes for all nodes to update to the new revision.
$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}{.reason}{"\n"}{.message}{"\n"}'
Review the NodeInstallerProgressing
status condition for the Kubernetes API server to verify that all nodes are at the latest revision. The output shows AllNodesAtLatestRevision
upon successful update:
AllNodesAtLatestRevision
3 nodes are at revision 12 (1)
1 | In this example, the latest revision number is 12 . |
If the output shows a message similar to one of the following messages, the update is still in progress. Wait a few minutes and try again.
3 nodes are at revision 11; 0 nodes have achieved new revision 12
2 nodes are at revision 11; 1 nodes are at revision 12
You can configure an audit log policy that defines custom rules. You can specify multiple groups and define which profile to use for that group.
These custom rules take precedence over the top-level profile field. The custom rules are evaluated from top to bottom, and the first that matches is applied.
Custom rules are ignored if the top-level profile field is set to |
You have access to the cluster as a user with the cluster-admin
role.
Edit the APIServer
resource:
$ oc edit apiserver cluster
Add the spec.audit.customRules
field:
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
...
spec:
audit:
customRules: (1)
- group: system:authenticated:oauth
profile: WriteRequestBodies
- group: system:authenticated
profile: AllRequestBodies
profile: Default (2)
1 | Add one or more groups and specify the profile to use for that group. These custom rules take precedence over the top-level profile field. The custom rules are evaluated from top to bottom, and the first that matches is applied. |
2 | Set to Default , WriteRequestBodies , or AllRequestBodies . If you do not set this top-level profile field, it defaults to the Default profile. |
Do not set the top-level profile field to |
Save the file to apply the changes.
Verify that a new revision of the Kubernetes API server pods is rolled out. It can take several minutes for all nodes to update to the new revision.
$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}{.reason}{"\n"}{.message}{"\n"}'
Review the NodeInstallerProgressing
status condition for the Kubernetes API server to verify that all nodes are at the latest revision. The output shows AllNodesAtLatestRevision
upon successful update:
AllNodesAtLatestRevision
3 nodes are at revision 12 (1)
1 | In this example, the latest revision number is 12 . |
If the output shows a message similar to one of the following messages, the update is still in progress. Wait a few minutes and try again.
3 nodes are at revision 11; 0 nodes have achieved new revision 12
2 nodes are at revision 11; 1 nodes are at revision 12
You can disable audit logging for OpenShift Container Platform. When you disable audit logging, even OAuth access token requests and OAuth authorize token requests are not logged.
It is not recommended to disable audit logging by using the |
You have access to the cluster as a user with the cluster-admin
role.
Edit the APIServer
resource:
$ oc edit apiserver cluster
Set the spec.audit.profile
field to None
:
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
...
spec:
audit:
profile: None
You can also disable audit logging only for specific groups by specifying custom rules in the |
Save the file to apply the changes.
Verify that a new revision of the Kubernetes API server pods is rolled out. It can take several minutes for all nodes to update to the new revision.
$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}{.reason}{"\n"}{.message}{"\n"}'
Review the NodeInstallerProgressing
status condition for the Kubernetes API server to verify that all nodes are at the latest revision. The output shows AllNodesAtLatestRevision
upon successful update:
AllNodesAtLatestRevision
3 nodes are at revision 12 (1)
1 | In this example, the latest revision number is 12 . |
If the output shows a message similar to one of the following messages, the update is still in progress. Wait a few minutes and try again.
3 nodes are at revision 11; 0 nodes have achieved new revision 12
2 nodes are at revision 11; 1 nodes are at revision 12