diff --git a/operator/v1/0000_70_cluster-network-operator_01_crd.yaml b/operator/v1/0000_70_cluster-network-operator_01_crd.yaml index 9cd734620c2..dcf77072096 100644 --- a/operator/v1/0000_70_cluster-network-operator_01_crd.yaml +++ b/operator/v1/0000_70_cluster-network-operator_01_crd.yaml @@ -331,6 +331,40 @@ spec: type: integer format: int32 minimum: 0 + policyAuditConfig: + description: PolicyAuditConfig is the configuration for network + policy audit events. If unset, reported defaults are used. + type: object + properties: + destination: + description: 'Messages are output in syslog format. Destination + is the destination for policy log messages. Regardless + of this config logs will always be dumped to ovn at + /var/log/ovn/ however you may also configure additional + output as follows. Messages are output in syslog format. + Valid values are: - "libc" -> to use the libc syslog() + function of the host node''s journdald process - "udp:host:port" + -> for sending syslog over UDP - "unix:file" -> for + using the UNIX domain socket directly - "null" -> to + discard all messages logged to syslog The default is + "null"' + type: string + maxFileSize: + description: MaxFilesSize is the max size an ACL_audit + log file is allowed to reach before rotation occurs + Default is 50MB + type: integer + format: int32 + rateLimit: + description: RateLimit is the approximate maximum number + of messages to generate per-second per-node. If unset + the default of 20 msg/sec is used. + type: integer + format: int32 + syslogFacility: + description: SyslogFacility the RFC5424 facility for generated + messages, e.g. "kern". Default is "local0" + type: string type: description: type is the type of network All NetworkTypes are supported except for NetworkTypeRaw diff --git a/operator/v1/types_network.go b/operator/v1/types_network.go index 062866cc4b1..9464e5b8224 100644 --- a/operator/v1/types_network.go +++ b/operator/v1/types_network.go 
@@ -342,6 +342,10 @@ type OVNKubernetesConfig struct { // cluster. // +optional IPsecConfig *IPsecConfig `json:"ipsecConfig,omitempty"` + // PolicyAuditConfig is the configuration for network policy audit events. If unset, + // reported defaults are used. + // +optional + PolicyAuditConfig *PolicyAuditConfig `json:"policyAuditConfig,omitempty"` } type HybridOverlayConfig struct { @@ -390,6 +394,35 @@ type IPFIXConfig struct { // +kubebuilder:validation:Pattern=`^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]):[0-9]+$` type IPPort string +type PolicyAuditConfig struct { + // RateLimit is the approximate maximum number of messages to generate per-second per-node. If + // unset the default of 20 msg/sec is used. + // +optional + RateLimit *uint32 `json:"rateLimit,omitempty"` + + // MaxFilesSize is the max size an ACL_audit log file is allowed to reach before rotation occurs + // Default is 50MB + // +optional + MaxFileSize *uint32 `json:"maxFileSize,omitempty"` + + // Messages are output in syslog format. Destination is the destination for policy log messages. + // Regardless of this config logs will always be dumped to ovn at /var/log/ovn/ however + // you may also configure additional output as follows. + // Messages are output in syslog format. + // Valid values are: + // - "libc" -> to use the libc syslog() function of the host node's journdald process + // - "udp:host:port" -> for sending syslog over UDP + // - "unix:file" -> for using the UNIX domain socket directly + // - "null" -> to discard all messages logged to syslog + // The default is "null" + // +optional + Destination string `json:"destination,omitempty"` + + // SyslogFacility the RFC5424 facility for generated messages, e.g. "kern". Default is "local0" + // +optional + SyslogFacility string `json:"syslogFacility,omitempty"` +} + // NetworkType describes the network plugin type to configure type NetworkType string 
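Review bot: Destination in the new PolicyAuditConfig struct accepts any string although its comment enumerates exactly four forms, and unlike IPPort just above it carries no `+kubebuilder:validation:Pattern`, so a mistyped value such as `upd:host:514` or an unexpected form is admitted by the API server and only surfaces wherever the operator consumes it; a marker such as `// +kubebuilder:validation:Pattern=^(libc|null|udp:[^:]+:[0-9]+|unix:.+)$` would reject it at admission, and SyslogFacility could likewise take a `+kubebuilder:validation:Enum` of the RFC 5424 facility names. RateLimit and MaxFileSize are *uint32 but the generated schema shows only `format: int32` with no `minimum: 0` (the field immediately preceding policyAuditConfig in the CRD has one), so a negative value passes validation and presumably fails only when the operator decodes it into uint32; add `// +kubebuilder:validation:Minimum=0` to both. Because the rate cap and the `udp:host:port`/`unix:file` sinks are the security-relevant knobs here, the field docs should also state whether a RateLimit of 0 means unlimited or disabled, that syslog over UDP is neither encrypted nor authenticated, and that with the default destination "null" the only copy of policy audit events is the on-node /var/log/ovn/ file rotated at MaxFileSize, so events are dropped under rate limiting and lost on rotation unless shipped elsewhere. Minor: MaxFileSize is a bare integer whose unit the comment never states ("Default is 50MB" does not say whether the value is bytes or MB), the Destination comment should start with the field name and drop its duplicated "Messages are output in syslog format." sentence, "journdald" should be "journald" and "MaxFilesSize" should be "MaxFileSize"; all of these propagate into the generated CRD and swagger docs in this same commit.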
diff --git a/operator/v1/zz_generated.deepcopy.go b/operator/v1/zz_generated.deepcopy.go index 753cc427ad7..065e831158a 100644 --- a/operator/v1/zz_generated.deepcopy.go +++ b/operator/v1/zz_generated.deepcopy.go @@ -2374,6 +2374,11 @@ func (in *OVNKubernetesConfig) DeepCopyInto(out *OVNKubernetesConfig) { *out = new(IPsecConfig) **out = **in } + if in.PolicyAuditConfig != nil { + in, out := &in.PolicyAuditConfig, &out.PolicyAuditConfig + *out = new(PolicyAuditConfig) + (*in).DeepCopyInto(*out) + } return } @@ -2676,6 +2681,32 @@ func (in *OperatorStatus) DeepCopy() *OperatorStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyAuditConfig) DeepCopyInto(out *PolicyAuditConfig) { + *out = *in + if in.RateLimit != nil { + in, out := &in.RateLimit, &out.RateLimit + *out = new(uint32) + **out = **in + } + if in.MaxFileSize != nil { + in, out := &in.MaxFileSize, &out.MaxFileSize + *out = new(uint32) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyAuditConfig. +func (in *PolicyAuditConfig) DeepCopy() *PolicyAuditConfig { + if in == nil { + return nil + } + out := new(PolicyAuditConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PrivateStrategy) DeepCopyInto(out *PrivateStrategy) { *out = *in diff --git a/operator/v1/zz_generated.swagger_doc_generated.go b/operator/v1/zz_generated.swagger_doc_generated.go index 1465cd9bce3..6a7dd303cf5 100644 --- a/operator/v1/zz_generated.swagger_doc_generated.go +++ b/operator/v1/zz_generated.swagger_doc_generated.go 
@@ -894,6 +894,7 @@ var map_OVNKubernetesConfig = map[string]string{ "genevePort": "geneve port is the UDP port to be used by geneve encapulation. Default is 6081", "hybridOverlayConfig": "HybridOverlayConfig configures an additional overlay network for peers that are not using OVN.", "ipsecConfig": "ipsecConfig enables and configures IPsec for pods on the pod network within the cluster.", + "policyAuditConfig": "PolicyAuditConfig is the configuration for network policy audit events. If unset, reported defaults are used.", } func (OVNKubernetesConfig) SwaggerDoc() map[string]string { 
@@ -913,6 +914,17 @@ func (OpenShiftSDNConfig) SwaggerDoc() map[string]string { return map_OpenShiftSDNConfig } +var map_PolicyAuditConfig = map[string]string{ + "rateLimit": "RateLimit is the approximate maximum number of messages to generate per-second per-node. If unset the default of 20 msg/sec is used.", + "maxFileSize": "MaxFilesSize is the max size an ACL_audit log file is allowed to reach before rotation occurs Default is 50MB", + "destination": "Messages are output in syslog format. Destination is the destination for policy log messages. Regardless of this config logs will always be dumped to ovn at /var/log/ovn/ however you may also configure additional output as follows. Messages are output in syslog format. Valid values are: - \"libc\" -> to use the libc syslog() function of the host node's journdald process - \"udp:host:port\" -> for sending syslog over UDP - \"unix:file\" -> for using the UNIX domain socket directly - \"null\" -> to discard all messages logged to syslog The default is \"null\"", + "syslogFacility": "SyslogFacility the RFC5424 facility for generated messages, e.g. \"kern\". Default is \"local0\"", +} + +func (PolicyAuditConfig) SwaggerDoc() map[string]string { + return map_PolicyAuditConfig +} + var map_ProxyConfig = map[string]string{ "": "ProxyConfig defines the configuration knobs for kubeproxy All of these are optional and have sensible defaults", "iptablesSyncPeriod": "An internal kube-proxy parameter. In older releases of OCP, this sometimes needed to be adjusted in large clusters for performance reasons, but this is no longer necessary, and there is no reason to change this from the default value. Default: 30s",