Update OVN-K config for Audit logging

API changes For [SDN-1364](https://issues.redhat.com/browse/SDN-1364) See [Enhancement](openshift/enhancements#617) for details on the changes Signed-off-by: Andrew Stoycos <[email protected]>
astoycos · Mar 17, 2021 · 4040b34 · 4040b34
1 parent f67d7a6
commit 4040b34
Show file tree

Hide file tree

Showing 4 changed files with 110 additions and 0 deletions.
diff --git a/operator/v1/0000_70_cluster-network-operator_01_crd.yaml b/operator/v1/0000_70_cluster-network-operator_01_crd.yaml
@@ -331,6 +331,40 @@ spec:
                         type: integer
                         format: int32
                         minimum: 0
+                      policyAuditConfig:
+                        description: PolicyAuditConfig is the configuration for network
+                          policy audit events. If unset, reported defaults are used.
+                        type: object
+                        properties:
+                          destination:
+                            description: 'Messages are output in syslog format. Destination
+                              is the destination for policy log messages. Regardless
+                              of this config logs will always be dumped to ovn at
+                              /var/log/ovn/ however you may also configure additional
+                              output as follows. Messages are output in syslog format.
+                              Valid values are: - "libc" -> to use the libc syslog()
+                              function of the host node''s journdald process - "udp:host:port"
+                              -> for sending syslog over UDP - "unix:file" -> for
+                              using the UNIX domain socket directly - "null" -> to
+                              discard all messages logged to syslog The default is
+                              "null"'
+                            type: string
+                          maxFileSize:
+                            description: MaxFilesSize is the max size an ACL_audit
+                              log file is allowed to reach before rotation occurs
+                              Default is 50MB
+                            type: integer
+                            format: int32
+                          rateLimit:
+                            description: RateLimit is the approximate maximum number
+                              of messages to generate per-second per-node. If unset
+                              the default of 20 msg/sec is used.
+                            type: integer
+                            format: int32
+                          syslogFacility:
+                            description: SyslogFacility the RFC5424 facility for generated
+                              messages, e.g. "kern". Default is "local0"
+                            type: string
                   type:
                     description: type is the type of network All NetworkTypes are
                       supported except for NetworkTypeRaw

diff --git a/operator/v1/types_network.go b/operator/v1/types_network.go
@@ -342,6 +342,10 @@ type OVNKubernetesConfig struct {
 	// cluster.
 	// +optional
 	IPsecConfig *IPsecConfig `json:"ipsecConfig,omitempty"`
+	// PolicyAuditConfig is the configuration for network policy audit events. If unset,
+	// reported defaults are used.
+	// +optional
+	PolicyAuditConfig *PolicyAuditConfig `json:"policyAuditConfig,omitempty"`
 }
 
 type HybridOverlayConfig struct {
@@ -390,6 +394,35 @@ type IPFIXConfig struct {
 // +kubebuilder:validation:Pattern=`^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):[0-9]+$`
 type IPPort string
 
+type PolicyAuditConfig struct {
+	// RateLimit is the approximate maximum number of messages to generate per-second per-node. If
+	// unset the default of 20 msg/sec is used.
+	// +optional
+	RateLimit *uint32 `json:"rateLimit,omitempty"`
+
+	// MaxFilesSize is the max size an ACL_audit log file is allowed to reach before rotation occurs
+	// Default is 50MB
+	// +optional
+	MaxFileSize *uint32 `json:"maxFileSize,omitempty"`
+
+	// Messages are output in syslog format. Destination is the destination for policy log messages.
+	// Regardless of this config logs will always be dumped to ovn at /var/log/ovn/ however
+	// you may also configure additional output as follows.
+	// Messages are output in syslog format.
+	// Valid values are:
+	// - "libc" -> to use the libc syslog() function of the host node's journdald process
+	// - "udp:host:port" -> for sending syslog over UDP
+	// - "unix:file" -> for using the UNIX domain socket directly
+	// - "null" -> to discard all messages logged to syslog
+	// The default is "null"
+	// +optional
+	Destination string `json:"destination,omitempty"`
+
+	// SyslogFacility the RFC5424 facility for generated messages, e.g. "kern". Default is "local0"
+	// +optional
+	SyslogFacility string `json:"syslogFacility,omitempty"`
+}
+
 // NetworkType describes the network plugin type to configure
 type NetworkType string
 

diff --git a/operator/v1/zz_generated.deepcopy.go b/operator/v1/zz_generated.deepcopy.go
diff --git a/operator/v1/zz_generated.swagger_doc_generated.go b/operator/v1/zz_generated.swagger_doc_generated.go