Kubernetes Audit log update - added datatype for annotations.pod-security_kubernetes_io/audit-violation #12227
Conversation
💚 CLA has been signed
Hey @neu7ron2. Can you sign a CLA? Also, as part of your PR, you should update the manifest.yml and the changelog.yml.
You can set the version of the kubernetes integration to
Hi @MichaelKatsoulis, the CLA has been signed (not sure why it didn't pick it up previously). I've updated the manifest and changelog.
@tetianakravchenko could you also take a look at this PR?
Review comment on packages/kubernetes/changelog.yml (outdated), suggested change:
    - version: 1.68.2
becomes
    - version: 1.69.0
Since it is an enhancement (not a bugfix), it should be 1.69.0.
Otherwise the PR looks good to me. I've also added a doc link regarding the well-known annotations, https://kubernetes.io/docs/reference/labels-annotations-taints/audit-annotations/#pod-security-kubernetes-io-audit-violations, to the description.
I've updated the manifest.yaml and the changelog.yaml to version 1.69.0
/test
💚 Build Succeeded
Package kubernetes - 1.69.0 containing this change is available at https://epr.elastic.co/package/kubernetes/1.69.0/
Squash commit message:
…rity_kubernetes_io/audit-violation (elastic#12227)
* Added a table entry for: kubernetes.audit.annotations.pod-security_kubernetes_io/audit-violations
  Added a table entry for the new kubernetes.audit.annotations.pod-security_kubernetes_io/audit-violations
* Added the data type for field pod-security_kubernetes_io/audit-violations
  Added the data type for field pod-security_kubernetes_io/audit-violations. This is defined in the official Kubernetes documentation here: https://kubernetes.io/docs/reference/labels-annotations-taints/audit-annotations/#pod-security-kubernetes-io-enforce-policy
* Updated version to 1.68.2
* Update changelog.yml
* Update packages/kubernetes/manifest.yml
  Co-authored-by: Tetiana Kravchenko <[email protected]>
* Update change number to 1.69.0
* Update version to 1.69.0
--------
Co-authored-by: Tetiana Kravchenko <[email protected]>
Proposed commit message
Added the data type for the 'audit-violation' field as type TEXT in the Kubernetes audit logs ingest mapping. This will allow users to search for and alert on this field. In Kubernetes, this field is generated in the audit logs when a user tries to deploy a deployment/pod into a namespace that has security restrictions applied to it. Alerts for this sort of violation are important.
Kubernetes documentation regarding the audit log annotation pod-security.kubernetes.io/audit-violations: https://kubernetes.io/docs/reference/labels-annotations-taints/audit-annotations/#pod-security-kubernetes-io-audit-violations
Checklist
changelog.yml file.
Author's Checklist
How to test this PR locally
Add a Kubernetes Pod Security Standard of type audit=restricted to the namespace. Try to deploy a pod or deployment, and a new field will be generated in the Kubernetes audit log file, which will be picked up by Elastic and ingested with the correct data type.
Related issues
Screenshots
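As an added example of what the new mapping lets you alert on (this is not code from this PR or from the Elastic kubernetes integration), the Python below reads kube-apiserver audit events as JSON lines, picks out the pod-security.kubernetes.io/audit-violations annotation that an audit=restricted namespace produces, and splits its value into the individual Pod Security Standards checks that failed. The three sample events, their audit IDs and usernames are constructed; the dots-to-underscores field name in integration_field is inferred from the field name in this PR's title, not read from the integration's source.

```python
"""Added example: turn Pod Security Admission audit-mode findings in a
Kubernetes audit log into alert records. Sample events are constructed."""
import json
import re

# Annotation keys from the Kubernetes audit-annotations reference page.
PSA_AUDIT_VIOLATIONS = "pod-security.kubernetes.io/audit-violations"
PSA_ENFORCE_POLICY = "pod-security.kubernetes.io/enforce-policy"


def integration_field(annotation_key):
    """Field name under kubernetes.audit.annotations for an annotation key.

    Assumption, inferred from the field name in this PR: dots in the
    annotation key become underscores (pod-security_kubernetes_io/...).
    """
    return "kubernetes.audit.annotations." + annotation_key.replace(".", "_")


# PSA writes: would violate PodSecurity "<policy>": <check> (<fix>), <check> (<fix>), ...
_HEADER = re.compile(r'^would violate PodSecurity "(?P<policy>[^"]+)": (?P<body>.+)$')


def _split_top_level(text):
    """Split on commas outside parentheses; a fix may list several containers."""
    items, depth, current = [], 0, []
    for ch in text:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if ch == "," and depth == 0:
            items.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if current:
        items.append("".join(current).strip())
    return items


def parse_audit_violations(value):
    """Return {"policy": ..., "checks": [...]} or None if not in PSA format."""
    m = _HEADER.match(value)
    if not m:
        return None
    checks = [item.split(" (", 1)[0] for item in _split_top_level(m.group("body"))]
    return {"policy": m.group("policy"), "checks": checks}


def psa_audit_alerts(log_text):
    """One alert per audit event that carries the audit-violations annotation."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        raw = (event.get("annotations") or {}).get(PSA_AUDIT_VIOLATIONS)
        if raw is None:
            continue  # no PSA audit finding on this request
        parsed = parse_audit_violations(raw) or {"policy": None, "checks": [raw]}
        ref = event.get("objectRef") or {}
        code = (event.get("responseStatus") or {}).get("code", 0)
        alerts.append({
            "audit_id": event.get("auditID"),
            "user": (event.get("user") or {}).get("username"),
            "verb": event.get("verb"),
            "namespace": ref.get("namespace"),
            "resource": ref.get("resource"),
            "name": ref.get("name"),
            "policy": parsed["policy"],
            "checks": parsed["checks"],
            # audit mode only records the violation; the object is still admitted
            "admitted": 200 <= code < 300,
            "field": integration_field(PSA_AUDIT_VIOLATIONS),
        })
    return alerts


# Constructed sample: three audit.k8s.io/v1 events, one JSON object per line.
_VIOLATION_TEXT = (
    'would violate PodSecurity "restricted:latest": '
    'allowPrivilegeEscalation != false (containers "web", "sidecar" must set '
    'securityContext.allowPrivilegeEscalation=false), '
    'unrestricted capabilities (container "web" must set '
    'securityContext.capabilities.drop=["ALL"]), '
    'runAsNonRoot != true (pod or container "web" must set securityContext.runAsNonRoot=true), '
    'seccompProfile (pod or container "web" must set securityContext.seccompProfile.type '
    'to "RuntimeDefault" or "Localhost")'
)
_USER = {"username": "alice", "groups": ["system:authenticated"]}
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {   # create in a namespace labelled pod-security.kubernetes.io/audit=restricted
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "auditID": "4f1c0a2e-0001", "verb": "create", "user": _USER,
        "objectRef": {"resource": "pods", "namespace": "restricted-ns", "name": "web"},
        "responseStatus": {"code": 201},
        "annotations": {"authorization.k8s.io/decision": "allow",
                        PSA_AUDIT_VIOLATIONS: _VIOLATION_TEXT},
    },
    {   # create rejected by an enforce=restricted namespace: other annotation, 403
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "auditID": "4f1c0a2e-0002", "verb": "create", "user": _USER,
        "objectRef": {"resource": "pods", "namespace": "locked-ns", "name": "web"},
        "responseStatus": {"code": 403, "reason": "Forbidden"},
        "annotations": {"authorization.k8s.io/decision": "allow",
                        PSA_ENFORCE_POLICY: "restricted:latest"},
    },
    {   # read-only request, no PSA annotations at all
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "auditID": "4f1c0a2e-0003", "verb": "list", "user": _USER,
        "objectRef": {"resource": "pods", "namespace": "restricted-ns"},
        "responseStatus": {"code": 200},
    },
])

if __name__ == "__main__":
    for alert in psa_audit_alerts(SAMPLE_AUDIT_LOG):
        print(json.dumps(alert, indent=2))
```

Note that in audit mode the API server admits the object (the sample returns 201), so a detection has to key on the annotation rather than on the response code; a namespace in enforce mode instead produces a 403 carrying only the enforce-policy annotation, which this scanner deliberately does not treat as an audit finding.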