Added information about logging login failures #8694
Conversation
openshift-ci-robot
added
the
size/XS
| @@ -1284,6 +1290,8 @@ that group. | |||
| <5> A list of groups the rule applies to. An empty list implies every group. | |||
| <6> A list of non-resources URLs the rule applies to. | |||
| <7> A list of namespaces the rule applies to. An empty list implies every namespace. | |||
| <8> Value used by the web console. | |||
ahardin-rh
force-pushed
the
audit-policy-config
branch
from
0063795 to
afe948e
Compare
ahardin-rh
added
the
peer-review-needed
|
Moving this to QE review. @openshift/team-documentation Please also peer review. Thanks! |
| @@ -1261,6 +1261,12 @@ rules: | |||
|
|
|||
| # A catch-all rule to log all other requests at the Metadata level. | |||
| - level: Metadata <1> | |||
|
|
|||
| # Log login failures from the web console or CLI. Turn on the audit, then create policy based on the requested data. | |||
There was a problem hiding this comment.
If both methods are required or encouraged, it should be "webconsole and CLI"
"Turn on the audit, then create policy based on the requested data." doesn't fit here. I might change it to a note to review the logs and refine your policies, as required, around line 1187.
There was a problem hiding this comment.
or is because you can log either, each rule applies to a different element. Let's be explicit about it.
| @@ -1284,6 +1290,8 @@ that group. | |||
| <5> A list of groups the rule applies to. An empty list implies every group. | |||
| <6> A list of non-resources URLs the rule applies to. | |||
| <7> A list of namespaces the rule applies to. An empty list implies every namespace. | |||
| <8> Endpoint used by the web console. | |||
There was a problem hiding this comment.
Is this enough information for a user to construct the endpoints?
There was a problem hiding this comment.
Not sure, what else we can add here. It's basically an information that this endpoint is where the logging from web console are going through.
|
@kalexand-rh Thanks for your comments. @soltysh Thoughts on that feedback? |
kalexand-rh
added
peer-review-done
ahardin-rh
changed the title
ahardin-rh
force-pushed
the
audit-policy-config
branch
from
afe948e to
af7afa0
Compare
|
QE verified in the BZ |
|
/cherrypick enterprise-3.10 |
|
/cherrypick enterprise-3.9 |
|
@ahardin-rh: new pull request created: #9215 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@ahardin-rh: new pull request created: #9216 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherrypick enterprise-3.7 |
https://bugzilla.redhat.com/show_bug.cgi?id=1545116
@soltysh Does this adequately capture what you suggest in the BZ discussion? PTAL. Thanks!