apiVersion: operator.openshift.io/v1
kind: Network
metadata:
name: cluster
spec:
defaultNetwork:
ovnKubernetesConfig:
policyAuditConfig:
destination: "null"
maxFileSize: 50
rateLimit: 20
syslogFacility: local0
×
网络安全审计日志
OVN-Kubernetes网络插件使用开放虚拟网络(OVN)访问控制列表(ACL)来管理AdminNetworkPolicy、BaselineAdminNetworkPolicy、NetworkPolicy和EgressFirewall对象。审计日志记录公开NetworkPolicy、EgressFirewall和BaselineAdminNetworkPolicy自定义资源(CR)的allow和deny ACL事件。日志记录还公开AdminNetworkPolicy (ANP) CR的allow、deny和pass ACL事件。
|
审计日志记录仅适用于OVN-Kubernetes网络插件。 |
审计配置
审计日志记录的配置指定为OVN-Kubernetes集群网络提供程序配置的一部分。以下YAML说明了审计日志记录的默认值。
审计日志记录配置
下表描述了审计日志记录的配置字段。
| 字段 | 类型 | 描述 |
|---|---|---|
|
整数 |
每个节点每秒生成的最多消息数。默认值为每秒 |
|
整数 |
审计日志的最大大小(以字节为单位)。默认值为 |
|
整数 |
保留的最大日志文件数。 |
|
字符串 |
以下附加审计日志目标之一
|
|
字符串 |
syslog工具,例如 |
审计日志记录
您可以配置审计日志的目标,例如syslog服务器或UNIX域套接字。无论任何其他配置如何,审计日志始终保存在集群中每个OVN-Kubernetes Pod上的/var/log/ovn/acl-audit-log.log。
您可以通过使用k8s.ovn.org/acl-logging部分注释每个命名空间配置来为每个命名空间启用审计日志记录。在k8s.ovn.org/acl-logging部分中,必须指定allow、deny或两者以启用命名空间的审计日志记录。
|
网络策略不支持将 |
ACL 日志记录实现会记录网络的访问控制列表 (ACL) 事件。您可以查看这些日志以分析任何潜在的安全问题。
示例命名空间注解
kind: Namespace
apiVersion: v1
metadata:
name: example1
annotations:
k8s.ovn.org/acl-logging: |-
{
"deny": "info",
"allow": "info"
}要查看默认的 ACL 日志记录配置值,请参阅cluster-network-03-config.yml 文件中的policyAuditConfig 对象。如有必要,您可以在此文件中更改日志文件参数的 ACL 日志记录配置值。
日志消息格式与 RFC5424 定义的 syslog 兼容。syslog 设施是可配置的,默认为local0。以下示例显示了在日志消息中输出的关键参数及其值。
输出参数及其值的示例日志消息
<timestamp>|<message_serial>|acl_log(ovn_pinctrl0)|<severity>|name="<acl_name>", verdict="<verdict>", severity="<severity>", direction="<direction>": <flow>其中
-
<timestamp>表示创建日志消息的时间和日期。 -
<message_serial>列出日志消息的序列号。 -
acl_log(ovn_pinctrl0)是一个字面字符串,用于打印日志消息在 OVN-Kubernetes 插件中的位置。 -
<severity>设置日志消息的严重性级别。如果您启用了支持allow和deny任务的审计日志记录,则日志消息输出中会显示两个严重性级别。 -
<name>表示网络策略创建的 OVN 网络桥接数据库 (nbdb) 中 ACL 日志记录实现的名称。 -
<verdict>可以是allow或drop。 -
<direction>可以是to-lport或from-lport,表示该策略应用于进出 Pod 的流量。 -
<flow>以与OpenFlow协议等效的格式显示数据包信息。此参数包含 Open vSwitch (OVS) 字段。
以下示例显示flow 参数用于从系统内存中提取数据包信息的 OVS 字段。
flow 参数用于提取数据包信息的 OVS 字段示例<proto>,vlan_tci=0x0000,dl_src=<src_mac>,dl_dst=<source_mac>,nw_src=<source_ip>,nw_dst=<target_ip>,nw_tos=<tos_dscp>,nw_ecn=<tos_ecn>,nw_ttl=<ip_ttl>,nw_frag=<fragment>,tp_src=<tcp_src_port>,tp_dst=<tcp_dst_port>,tcp_flags=<tcp_flags>其中
-
<proto>表示协议。有效值为tcp和udp。 -
vlan_tci=0x0000将 VLAN 标头设置为0,因为内部 Pod 网络流量未设置 VLAN ID。 -
<src_mac>指定媒体访问控制 (MAC) 地址的源。 -
<source_mac>指定 MAC 地址的目标。 -
<source_ip>列出源 IP 地址。 -
<target_ip>列出目标 IP 地址。 -
<tos_dscp>表示区分服务代码点 (DSCP) 值,用于对某些网络流量进行分类和优先级排序。 -
<tos_ecn>表示显式拥塞通知 (ECN) 值,指示网络中任何拥塞的流量。 -
<ip_ttl>表示数据包的生存时间 (TTL) 信息。 -
<fragment>指定要匹配的 IP 片段或非 IP 片段类型。 -
<tcp_src_port>显示 TCP 和 UDP 协议的端口源。 -
<tcp_dst_port>列出 TCP 和 UDP 协议的目标端口。 -
<tcp_flags>支持许多标志,例如SYN、ACK、PSH等。如果您需要设置多个值,则每个值之间用竖线 (|) 分隔。UDP 协议不支持此参数。
|
有关前面字段描述的更多信息,请访问 OVS 手册页,了解 |
网络策略的示例 ACL 拒绝日志条目
2023-11-02T16:28:54.139Z|00004|acl_log(ovn_pinctrl0)|INFO|name="NP:verify-audit-logging:Ingress", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:01,dl_dst=0a:58:0a:81:02:23,nw_src=10.131.0.39,nw_dst=10.129.2.35,nw_tos=0,nw_ecn=0,nw_ttl=62,nw_frag=no,tp_src=58496,tp_dst=8080,tcp_flags=syn
2023-11-02T16:28:55.187Z|00005|acl_log(ovn_pinctrl0)|INFO|name="NP:verify-audit-logging:Ingress", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:01,dl_dst=0a:58:0a:81:02:23,nw_src=10.131.0.39,nw_dst=10.129.2.35,nw_tos=0,nw_ecn=0,nw_ttl=62,nw_frag=no,tp_src=58496,tp_dst=8080,tcp_flags=syn
2023-11-02T16:28:57.235Z|00006|acl_log(ovn_pinctrl0)|INFO|name="NP:verify-audit-logging:Ingress", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:01,dl_dst=0a:58:0a:81:02:23,nw_src=10.131.0.39,nw_dst=10.129.2.35,nw_tos=0,nw_ecn=0,nw_ttl=62,nw_frag=no,tp_src=58496,tp_dst=8080,tcp_flags=syn下表描述了命名空间注解值
| 字段 | 描述 |
|---|---|
|
阻止命名空间访问与具有 |
|
允许命名空间访问与具有 |
|
|
其他资源
AdminNetworkPolicy 审计日志记录
通过使用k8s.ovn.org/acl-logging 键对 ANP 策略添加注解,在每个AdminNetworkPolicy CR 中启用审计日志记录,例如以下示例所示。
AdminNetworkPolicy CR 注解示例
apiVersion: policy.networking.k8s.io/v1alpha1
kind: AdminNetworkPolicy
metadata:
annotations:
k8s.ovn.org/acl-logging: '{ "deny": "alert", "allow": "alert", "pass" : "warning" }'
name: anp-tenant-log
spec:
priority: 5
subject:
namespaces:
matchLabels:
tenant: backend-storage # Selects all pods owned by storage tenant.
ingress:
- name: "allow-all-ingress-product-development-and-customer" # Product development and customer tenant ingress to backend storage.
action: "Allow"
from:
- pods:
namespaceSelector:
matchExpressions:
- key: tenant
operator: In
values:
- product-development
- customer
podSelector: {}
- name: "pass-all-ingress-product-security"
action: "Pass"
from:
- namespaces:
matchLabels:
tenant: product-security
- name: "deny-all-ingress" # Ingress to backend from all other pods in the cluster.
action: "Deny"
from:
- namespaces: {}
egress:
- name: "allow-all-egress-product-development"
action: "Allow"
to:
- pods:
namespaceSelector:
matchLabels:
tenant: product-development
podSelector: {}
- name: "pass-egress-product-security"
action: "Pass"
to:
- namespaces:
matchLabels:
tenant: product-security
- name: "deny-all-egress" # Egress from backend denied to all other pods.
action: "Deny"
to:
- namespaces: {}每当特定 OVN ACL 被命中并满足日志记录注解中设置的操作条件时,就会生成日志。例如,任何具有标签tenant: product-development 的命名空间访问具有标签tenant: backend-storage 的命名空间的事件都会生成日志。
|
ACL 日志记录限制为 60 个字符。如果您的 ANP |
以下是后续示例日志条目的方向索引
| 方向 | 规则 |
|---|---|
入口 |
|
出口 |
|
名为anp-tenant-log 的AdminNetworkPolicy 的允许操作的示例 ACL 日志条目,入口:0 和出口:0
2024-06-10T16:27:45.194Z|00052|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:1a,dl_dst=0a:58:0a:80:02:19,nw_src=10.128.2.26,nw_dst=10.128.2.25,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=57814,tp_dst=8080,tcp_flags=syn
2024-06-10T16:28:23.130Z|00059|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:18,dl_dst=0a:58:0a:80:02:19,nw_src=10.128.2.24,nw_dst=10.128.2.25,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=38620,tp_dst=8080,tcp_flags=ack
2024-06-10T16:28:38.293Z|00069|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Egress:0", verdict=allow, severity=alert, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:19,dl_dst=0a:58:0a:80:02:1a,nw_src=10.128.2.25,nw_dst=10.128.2.26,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=47566,tp_dst=8080,tcp_flags=fin|ack=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=55704,tp_dst=8080,tcp_flags=ack名为anp-tenant-log 的AdminNetworkPolicy 的允许操作的示例 ACL 日志条目,入口:1 和出口:1
2024-06-10T16:33:12.019Z|00075|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Ingress:1", verdict=pass, severity=warning, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:1b,dl_dst=0a:58:0a:80:02:19,nw_src=10.128.2.27,nw_dst=10.128.2.25,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=37394,tp_dst=8080,tcp_flags=ack
2024-06-10T16:35:04.209Z|00081|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Egress:1", verdict=pass, severity=warning, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:19,dl_dst=0a:58:0a:80:02:1b,nw_src=10.128.2.25,nw_dst=10.128.2.27,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=34018,tp_dst=8080,tcp_flags=ack名为anp-tenant-log 的AdminNetworkPolicy 的拒绝操作的示例 ACL 日志条目,出口:2 和入口:2
2024-06-10T16:43:05.287Z|00087|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Egress:2", verdict=drop, severity=alert, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:19,dl_dst=0a:58:0a:80:02:18,nw_src=10.128.2.25,nw_dst=10.128.2.24,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=51598,tp_dst=8080,tcp_flags=syn
2024-06-10T16:44:43.591Z|00090|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Ingress:2", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:1c,dl_dst=0a:58:0a:80:02:19,nw_src=10.128.2.28,nw_dst=10.128.2.25,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=33774,tp_dst=8080,tcp_flags=syn下表描述了 ANP 注解
| 注解 | 值 |
|---|---|
|
您必须至少指定一个
|
BaselineAdminNetworkPolicy 审计日志记录
通过使用k8s.ovn.org/acl-logging 键对 BANP 策略添加注解,在BaselineAdminNetworkPolicy CR 中启用审计日志记录,例如以下示例所示。
BaselineAdminNetworkPolicy CR 注解示例
apiVersion: policy.networking.k8s.io/v1alpha1
kind: BaselineAdminNetworkPolicy
metadata:
annotations:
k8s.ovn.org/acl-logging: '{ "deny": "alert", "allow": "alert"}'
name: default
spec:
subject:
namespaces:
matchLabels:
tenant: workloads # Selects all workload pods in the cluster.
ingress:
- name: "default-allow-dns" # This rule allows ingress from dns tenant to all workloads.
action: "Allow"
from:
- namespaces:
matchLabels:
tenant: dns
- name: "default-deny-dns" # This rule denies all ingress from all pods to workloads.
action: "Deny"
from:
- namespaces: {} # Use the empty selector with caution because it also selects OpenShift namespaces as well.
egress:
- name: "default-deny-dns" # This rule denies all egress from workloads. It will be applied when no ANP or network policy matches.
action: "Deny"
to:
- namespaces: {} # Use the empty selector with caution because it also selects OpenShift namespaces as well.例如,任何带有标签tenant: dns的命名空间访问带有标签tenant: workloads的命名空间时,都会生成日志。
以下是后续示例日志条目的方向索引
| 方向 | 规则 |
|---|---|
入口 |
|
出口 |
|
default BANP 的Ingress:0 的允许操作的示例ACL允许日志条目
2024-06-10T18:11:58.263Z|00022|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:57,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.87,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=60510,tp_dst=8080,tcp_flags=syn
2024-06-10T18:11:58.264Z|00023|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:57,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.87,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=60510,tp_dst=8080,tcp_flags=psh|ack
2024-06-10T18:11:58.264Z|00024|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:57,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.87,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=60510,tp_dst=8080,tcp_flags=ack
2024-06-10T18:11:58.264Z|00025|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:57,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.87,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=60510,tp_dst=8080,tcp_flags=ack
2024-06-10T18:11:58.264Z|00026|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:57,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.87,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=60510,tp_dst=8080,tcp_flags=fin|ack
2024-06-10T18:11:58.264Z|00027|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:57,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.87,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=60510,tp_dst=8080,tcp_flags=ackdefault BANP 的Egress:0 和Ingress:1 的允许操作的示例ACL允许日志条目
2024-06-10T18:09:57.774Z|00016|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Egress:0", verdict=drop, severity=alert, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:56,dl_dst=0a:58:0a:82:02:57,nw_src=10.130.2.86,nw_dst=10.130.2.87,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=45614,tp_dst=8080,tcp_flags=syn
2024-06-10T18:09:58.809Z|00017|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Egress:0", verdict=drop, severity=alert, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:56,dl_dst=0a:58:0a:82:02:57,nw_src=10.130.2.86,nw_dst=10.130.2.87,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=45614,tp_dst=8080,tcp_flags=syn
2024-06-10T18:10:00.857Z|00018|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Egress:0", verdict=drop, severity=alert, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:56,dl_dst=0a:58:0a:82:02:57,nw_src=10.130.2.86,nw_dst=10.130.2.87,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=45614,tp_dst=8080,tcp_flags=syn
2024-06-10T18:10:25.414Z|00019|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:1", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:58,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.88,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=40630,tp_dst=8080,tcp_flags=syn
2024-06-10T18:10:26.457Z|00020|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:1", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:58,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.88,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=40630,tp_dst=8080,tcp_flags=syn
2024-06-10T18:10:28.505Z|00021|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:1", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:58,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.88,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=40630,tp_dst=8080,tcp_flags=syn下表描述了BANP注解
| 注解 | 值 |
|---|---|
|
必须至少指定
|
配置集群的出口防火墙和网络策略审计
作为集群管理员,您可以自定义集群的审计日志记录。
先决条件
-
安装OpenShift CLI (
oc)。 -
使用具有
cluster-admin权限的用户登录集群。
步骤
-
要自定义审计日志记录配置,请输入以下命令
$ oc edit network.operator.openshift.io/cluster或者,您可以自定义并应用以下YAML来配置审计日志记录
apiVersion: operator.openshift.io/v1 kind: Network metadata: name: cluster spec: defaultNetwork: ovnKubernetesConfig: policyAuditConfig: destination: "null" maxFileSize: 50 rateLimit: 20 syslogFacility: local0
验证
-
要创建具有网络策略的命名空间,请完成以下步骤
-
创建一个用于验证的命名空间
$ cat <<EOF| oc create -f - kind: Namespace apiVersion: v1 metadata: name: verify-audit-logging annotations: k8s.ovn.org/acl-logging: '{ "deny": "alert", "allow": "alert" }' EOF示例输出namespace/verify-audit-logging created -
为命名空间创建网络策略
$ cat <<EOF| oc create -n verify-audit-logging -f - apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: matchLabels: policyTypes: - Ingress - Egress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-from-same-namespace namespace: verify-audit-logging spec: podSelector: {} policyTypes: - Ingress - Egress ingress: - from: - podSelector: {} egress: - to: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: verify-audit-logging EOF示例输出networkpolicy.networking.k8s.io/deny-all created networkpolicy.networking.k8s.io/allow-from-same-namespace created
-
-
在
default命名空间中为源流量创建一个pod$ cat <<EOF| oc create -n default -f - apiVersion: v1 kind: Pod metadata: name: client spec: containers: - name: client image: registry.access.redhat.com/rhel7/rhel-tools command: ["/bin/sh", "-c"] args: ["sleep inf"] EOF -
在
verify-audit-logging命名空间中创建两个pod$ for name in client server; do cat <<EOF| oc create -n verify-audit-logging -f - apiVersion: v1 kind: Pod metadata: name: ${name} spec: containers: - name: ${name} image: registry.access.redhat.com/rhel7/rhel-tools command: ["/bin/sh", "-c"] args: ["sleep inf"] EOF done示例输出pod/client created pod/server created -
要生成流量并生成网络策略审计日志条目,请完成以下步骤
-
获取
verify-audit-logging命名空间中名为server的pod的IP地址$ POD_IP=$(oc get pods server -n verify-audit-logging -o jsonpath='{.status.podIP}') -
从
default命名空间中名为client的pod ping 上一步命令中的IP地址,并确认所有数据包都被丢弃$ oc exec -it client -n default -- /bin/ping -c 2 $POD_IP示例输出PING 10.128.2.55 (10.128.2.55) 56(84) bytes of data. --- 10.128.2.55 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 2041ms -
从
verify-audit-logging命名空间中名为client的pod ping保存在POD_IPshell环境变量中的IP地址,并确认所有数据包都被允许$ oc exec -it client -n verify-audit-logging -- /bin/ping -c 2 $POD_IP示例输出PING 10.128.0.86 (10.128.0.86) 56(84) bytes of data. 64 bytes from 10.128.0.86: icmp_seq=1 ttl=64 time=2.21 ms 64 bytes from 10.128.0.86: icmp_seq=2 ttl=64 time=0.440 ms --- 10.128.0.86 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 0.440/1.329/2.219/0.890 ms
-
-
显示网络策略审计日志中的最新条目
$ for pod in $(oc get pods -n openshift-ovn-kubernetes -l app=ovnkube-node --no-headers=true | awk '{ print $1 }') ; do oc exec -it $pod -n openshift-ovn-kubernetes -- tail -4 /var/log/ovn/acl-audit-log.log done示例输出2023-11-02T16:28:54.139Z|00004|acl_log(ovn_pinctrl0)|INFO|name="NP:verify-audit-logging:Ingress", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:01,dl_dst=0a:58:0a:81:02:23,nw_src=10.131.0.39,nw_dst=10.129.2.35,nw_tos=0,nw_ecn=0,nw_ttl=62,nw_frag=no,tp_src=58496,tp_dst=8080,tcp_flags=syn 2023-11-02T16:28:55.187Z|00005|acl_log(ovn_pinctrl0)|INFO|name="NP:verify-audit-logging:Ingress", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:01,dl_dst=0a:58:0a:81:02:23,nw_src=10.131.0.39,nw_dst=10.129.2.35,nw_tos=0,nw_ecn=0,nw_ttl=62,nw_frag=no,tp_src=58496,tp_dst=8080,tcp_flags=syn 2023-11-02T16:28:57.235Z|00006|acl_log(ovn_pinctrl0)|INFO|name="NP:verify-audit-logging:Ingress", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:01,dl_dst=0a:58:0a:81:02:23,nw_src=10.131.0.39,nw_dst=10.129.2.35,nw_tos=0,nw_ecn=0,nw_ttl=62,nw_frag=no,tp_src=58496,tp_dst=8080,tcp_flags=syn 2023-11-02T16:49:57.909Z|00028|acl_log(ovn_pinctrl0)|INFO|name="NP:verify-audit-logging:allow-from-same-namespace:Egress:0", verdict=allow, severity=alert, direction=from-lport: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:22,dl_dst=0a:58:0a:81:02:23,nw_src=10.129.2.34,nw_dst=10.129.2.35,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0 2023-11-02T16:49:57.909Z|00029|acl_log(ovn_pinctrl0)|INFO|name="NP:verify-audit-logging:allow-from-same-namespace:Ingress:0", verdict=allow, severity=alert, direction=to-lport: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:22,dl_dst=0a:58:0a:81:02:23,nw_src=10.129.2.34,nw_dst=10.129.2.35,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0 2023-11-02T16:49:58.932Z|00030|acl_log(ovn_pinctrl0)|INFO|name="NP:verify-audit-logging:allow-from-same-namespace:Egress:0", verdict=allow, severity=alert, direction=from-lport: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:22,dl_dst=0a:58:0a:81:02:23,nw_src=10.129.2.34,nw_dst=10.129.2.35,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0 2023-11-02T16:49:58.932Z|00031|acl_log(ovn_pinctrl0)|INFO|name="NP:verify-audit-logging:allow-from-same-namespace:Ingress:0", verdict=allow, severity=alert, direction=to-lport: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:22,dl_dst=0a:58:0a:81:02:23,nw_src=10.129.2.34,nw_dst=10.129.2.35,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0
为命名空间启用出口防火墙和网络策略审计日志记录
作为集群管理员,您可以为命名空间启用审计日志记录。
先决条件
-
安装OpenShift CLI (
oc)。 -
使用具有
cluster-admin权限的用户登录集群。
步骤
-
要为命名空间启用审计日志记录,请输入以下命令
$ oc annotate namespace <namespace> \ k8s.ovn.org/acl-logging='{ "deny": "alert", "allow": "notice" }'其中
<namespace>-
指定命名空间的名称。
或者,您可以应用以下YAML来启用审计日志记录
kind: Namespace apiVersion: v1 metadata: name: <namespace> annotations: k8s.ovn.org/acl-logging: |- { "deny": "alert", "allow": "notice" }示例输出namespace/verify-audit-logging annotated
验证
-
显示审计日志中的最新条目
$ for pod in $(oc get pods -n openshift-ovn-kubernetes -l app=ovnkube-node --no-headers=true | awk '{ print $1 }') ; do oc exec -it $pod -n openshift-ovn-kubernetes -- tail -4 /var/log/ovn/acl-audit-log.log done示例输出2023-11-02T16:49:57.909Z|00028|acl_log(ovn_pinctrl0)|INFO|name="NP:verify-audit-logging:allow-from-same-namespace:Egress:0", verdict=allow, severity=alert, direction=from-lport: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:22,dl_dst=0a:58:0a:81:02:23,nw_src=10.129.2.34,nw_dst=10.129.2.35,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0 2023-11-02T16:49:57.909Z|00029|acl_log(ovn_pinctrl0)|INFO|name="NP:verify-audit-logging:allow-from-same-namespace:Ingress:0", verdict=allow, severity=alert, direction=to-lport: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:22,dl_dst=0a:58:0a:81:02:23,nw_src=10.129.2.34,nw_dst=10.129.2.35,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0 2023-11-02T16:49:58.932Z|00030|acl_log(ovn_pinctrl0)|INFO|name="NP:verify-audit-logging:allow-from-same-namespace:Egress:0", verdict=allow, severity=alert, direction=from-lport: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:22,dl_dst=0a:58:0a:81:02:23,nw_src=10.129.2.34,nw_dst=10.129.2.35,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0 2023-11-02T16:49:58.932Z|00031|acl_log(ovn_pinctrl0)|INFO|name="NP:verify-audit-logging:allow-from-same-namespace:Ingress:0", verdict=allow, severity=alert, direction=to-lport: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:22,dl_dst=0a:58:0a:81:02:23,nw_src=10.129.2.34,nw_dst=10.129.2.35,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0
禁用命名空间的出口防火墙和网络策略审计日志记录
作为集群管理员,您可以禁用命名空间的审计日志记录。
先决条件
-
安装OpenShift CLI (
oc)。 -
使用具有
cluster-admin权限的用户登录集群。
步骤
-
要禁用命名空间的审计日志记录,请输入以下命令
$ oc annotate --overwrite namespace <namespace> k8s.ovn.org/acl-logging-其中
<namespace>-
指定命名空间的名称。
或者,您可以应用以下YAML来禁用审计日志记录
kind: Namespace apiVersion: v1 metadata: name: <namespace> annotations: k8s.ovn.org/acl-logging: null示例输出namespace/verify-audit-logging annotated