New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KEP-555: omit managed fields from audit log #2982
KEP-555: omit managed fields from audit log #2982
Conversation
/assign @lavalamp |
OmitManagedFields *bool `json:"omitManagedFields,omitempty"` | ||
} | ||
``` | ||
The above API changes will be introduced in `v1`, `v1beta1` and `v1alpha1` of `audit.k8s.io` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we never roundtrip these, do we? So technically we could do this in v1 only.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But there's no harm in doing it in all, no?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
only that we encourage use of v1 by not implementing new stuff in old versions.
/approve /hold (hold for someone from sig auth to ack) |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lavalamp, tkashem The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
looks reasonable to me |
|
||
A new field `OmitManagedFields` is added to both `Policy` and `PolicyRule` making the following possible: | ||
- `Policy.OmitManagedFields` sets the default policy for omitting managed fields globally. | ||
- the default value is `false`, managed fields are not omitted, this retains the current behavior. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any plans for changing the default value in a future release since the fields may not be very useful? making it opt-out instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not that i am aware of, primarily we didn't want to quietly drop managed fields from audit log. The level RequestResponse
stipulates that the response object in its "entirety" is being audited, so if we are to drop any fields from the audit log then I think it should be an opt-in by the operator.
/lgtm |
Any chance we can back-port this into former releases since this is causing problems for people? This can be worked around by removing managed fields from big objects, but that's not super convenient? |
Backporting API change doesn't sound like the best idea to me. |
FYI - kubernetes/kubernetes#94986 implements the KEP. |
No description provided.