KEP-555: omit managed fields from audit log #2982

tkashem · 2021-09-21T16:57:12Z

No description provided.

tkashem · 2021-09-21T16:57:38Z

sttts · 2021-09-22T07:26:19Z

keps/sig-api-machinery/555-server-side-apply/README.md

+	OmitManagedFields *bool `json:"omitManagedFields,omitempty"`
+}
+```
+The above API changes will be introduced in `v1`, `v1beta1` and `v1alpha1` of `audit.k8s.io`


we never roundtrip these, do we? So technically we could do this in v1 only.

But there's no harm in doing it in all, no?

only that we encourage use of v1 by not implementing new stuff in old versions.

sttts · 2021-09-22T07:27:55Z

Sgtm.

/assign @deads2k @liggitt

lavalamp · 2021-09-22T15:46:47Z

/approve
/lgtm

/hold

(hold for someone from sig auth to ack)

k8s-ci-robot · 2021-09-22T15:47:11Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lavalamp, tkashem

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~keps/sig-api-machinery/OWNERS~~ [lavalamp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

tkashem · 2021-09-22T18:56:40Z

/assign @ritazh @enj

liggitt · 2021-09-22T19:00:44Z

looks reasonable to me

ritazh · 2021-09-23T17:23:32Z

keps/sig-api-machinery/555-server-side-apply/README.md

+
+A new field `OmitManagedFields` is added to both `Policy` and `PolicyRule` making the following possible:
+- `Policy.OmitManagedFields` sets the default policy for omitting managed fields globally.
+  - the default value is `false`, managed fields are not omitted, this retains the current behavior.


Any plans for changing the default value in a future release since the fields may not be very useful? making it opt-out instead?

not that i am aware of, primarily we didn't want to quietly drop managed fields from audit log. The level RequestResponse stipulates that the response object in its "entirety" is being audited, so if we are to drop any fields from the audit log then I think it should be an opt-in by the operator.

ritazh · 2021-09-27T18:30:35Z

/lgtm

sttts · 2021-09-28T07:37:36Z

sig-auth has reviewed with @ritazh and @liggitt.

/hold cancel

apelisse · 2021-10-25T15:43:51Z

Any chance we can back-port this into former releases since this is causing problems for people? This can be worked around by removing managed fields from big objects, but that's not super convenient?

wojtek-t · 2021-10-25T16:10:50Z

Any chance we can back-port this into former releases since this is causing problems for people? This can be worked around by removing managed fields from big objects, but that's not super convenient?

Backporting API change doesn't sound like the best idea to me.
@liggitt ^^?

tkashem · 2021-10-25T17:18:22Z

FYI - kubernetes/kubernetes#94986 implements the KEP.

SSA: omit managed fields from audit log

70b5394

k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory labels Sep 21, 2021

k8s-ci-robot requested review from deads2k and lavalamp September 21, 2021 16:57

k8s-ci-robot added the sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. label Sep 21, 2021

k8s-ci-robot assigned lavalamp Sep 21, 2021

tkashem mentioned this pull request Sep 21, 2021

drop managed fields from audit entries kubernetes/kubernetes#94986

Merged

sttts reviewed Sep 22, 2021

View reviewed changes

k8s-ci-robot assigned deads2k and liggitt Sep 22, 2021

k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Sep 22, 2021

k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 22, 2021

k8s-ci-robot assigned enj and ritazh Sep 22, 2021

ritazh reviewed Sep 23, 2021

View reviewed changes

k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 28, 2021

k8s-ci-robot merged commit c8441d9 into kubernetes:master Sep 28, 2021

k8s-ci-robot added this to the v1.23 milestone Sep 28, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

KEP-555: omit managed fields from audit log #2982

KEP-555: omit managed fields from audit log #2982

tkashem commented Sep 21, 2021

tkashem commented Sep 21, 2021

sttts Sep 22, 2021

lavalamp Sep 22, 2021

sttts Sep 23, 2021

sttts commented Sep 22, 2021

lavalamp commented Sep 22, 2021

k8s-ci-robot commented Sep 22, 2021

tkashem commented Sep 22, 2021

liggitt commented Sep 22, 2021

ritazh Sep 23, 2021

tkashem Sep 23, 2021

ritazh commented Sep 27, 2021

sttts commented Sep 28, 2021

apelisse commented Oct 25, 2021

wojtek-t commented Oct 25, 2021

tkashem commented Oct 25, 2021

KEP-555: omit managed fields from audit log #2982

KEP-555: omit managed fields from audit log #2982

Conversation

tkashem commented Sep 21, 2021

tkashem commented Sep 21, 2021

sttts Sep 22, 2021

Choose a reason for hiding this comment

lavalamp Sep 22, 2021

Choose a reason for hiding this comment

sttts Sep 23, 2021

Choose a reason for hiding this comment

sttts commented Sep 22, 2021

lavalamp commented Sep 22, 2021

k8s-ci-robot commented Sep 22, 2021

tkashem commented Sep 22, 2021

liggitt commented Sep 22, 2021

ritazh Sep 23, 2021

Choose a reason for hiding this comment

tkashem Sep 23, 2021

Choose a reason for hiding this comment

ritazh commented Sep 27, 2021

sttts commented Sep 28, 2021

apelisse commented Oct 25, 2021

wojtek-t commented Oct 25, 2021

tkashem commented Oct 25, 2021