1.24. Policy compliance history (Technology Preview) (Deprecated)
1.24.1. Overview
If you want long-term storage of Red Hat Advanced Cluster Management for Kubernetes policy compliance events, the policy compliance history API is an optional Technology Preview feature. You can use the API to get additional details, such as the spec field, to audit and troubleshoot your policies, and to retrieve compliance events even after a policy is disabled or removed from the cluster. The policy compliance history API can also generate a comma-separated values (CSV) spreadsheet of policy compliance events to help with auditing and troubleshooting.
1.24.1.1. Version information
Version: 2.12.0
1.24.2. API endpoints
1.24.2.1. List policy compliance events
/api/v1/compliance-events
This lists all policy compliance events that you have access to. By default the response is sorted by event.timestamp, and it has the following format:
{
  "data": [
    {
      "id": 2,
      "cluster": {
        "name": "cluster1",
        "cluster_id": "215ce184-8dee-4cab-b99b-1f8f29dff611"
      },
      "parent_policy": {
        "id": 3,
        "name": "configure-custom-app",
        "namespace": "policies",
        "categories": ["CM Configuration Management"],
        "controls": ["CM-2 Baseline Configuration"],
        "standards": ["NIST SP 800-53"]
      },
      "policy": {
        "apiGroup": "policy.open-cluster-management.io",
        "id": 2,
        "kind": "ConfigurationPolicy",
        "name": "configure-custom-app",
        "namespace": "",
        // Only shown with `?include_spec`
        "spec": {}
      },
      "event": {
        "compliance": "NonCompliant",
        "message": "configmaps [app-data] not found in namespace default",
        "timestamp": "2023-07-19T18:25:43.511Z",
        "metadata": {}
      }
    },
    {
      "id": 1,
      "cluster": {
        "name": "cluster2",
        "cluster_id": "415ce234-8dee-4cab-b99b-1f8f29dff461"
      },
      "parent_policy": {
        "id": 3,
        "name": "configure-custom-app",
        "namespace": "policies",
        "categories": ["CM Configuration Management"],
        "controls": ["CM-2 Baseline Configuration"],
        "standards": ["NIST SP 800-53"]
      },
      "policy": {
        "apiGroup": "policy.open-cluster-management.io",
        "id": 4,
        "kind": "ConfigurationPolicy",
        "name": "configure-custom-app",
        "namespace": "",
        // Only shown with `?include_spec`
        "spec": {}
      },
      "event": {
        "compliance": "Compliant",
        "message": "configmaps [app-data] found as specified in namespace default",
        "timestamp": "2023-07-19T18:25:41.523Z",
        "metadata": {}
      }
    }
  ],
  "metadata": {
    "page": 1,
    "pages": 7,
    "per_page": 20,
    "total": 123
  }
}
The following optional query parameters are accepted. Note that parameters without a description filter only on the field they name. The parameter value null represents no value. Multiple values can be given separated by commas; for example, ?cluster.name=cluster1,cluster2 filters with an "or". A literal comma can be escaped with \ if needed.
Query parameter | Description |
---|---|
cluster.cluster_id | |
cluster.name | |
direction | The sort direction. Defaults to |
event.compliance | |
event.message_includes | A filter for compliance messages that include the input string. Only a single value is supported. |
event.message_like | A SQL LIKE filter for compliance messages. |
event.reported_by | |
event.timestamp | |
event.timestamp_after | An RFC 3339 timestamp; only compliance events after this time are shown. For example: |
event.timestamp_before | An RFC 3339 timestamp; only compliance events before this time are shown. For example: |
id | |
include_spec | Includes the policy's spec field in the return value. |
page | The page number of the query. Defaults to |
parent_policy.categories | |
parent_policy.controls | |
parent_policy.id | |
parent_policy.name | |
parent_policy.namespace | |
parent_policy.standards | |
per_page | The number of compliance events returned per page. Defaults to |
policy.apiGroup | |
policy.id | |
policy.kind | |
policy.name | |
policy.namespace | |
policy.severity | |
sort | The field to sort by. Defaults to event.timestamp. |
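The filtering and paging rules above, as an added example that is not Red Hat's code: it builds the query string (comma-joined "or" lists, backslash-escaped commas, null), walks every page using the response's metadata, and includes a fetcher that sends the OpenShift token in the Authorization header described in section 1.24.3. Assumptions: the Bearer scheme for that header, and the constructed fake_fetch standing in for the HTTPS call.

```python
"""Filtered, paginated queries to the compliance history API (added example)."""
import json
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

ENDPOINT = "/api/v1/compliance-events"


def encode_filter(value):
    """None -> null; list -> comma-joined "or" filter with literal commas escaped."""
    if value is None:
        return "null"
    if isinstance(value, (list, tuple)):
        return ",".join(str(v).replace(",", "\\,") for v in value)
    return str(value)


def build_query(filters, page=1, per_page=20):
    """Path plus query string for one page; commas stay readable, as in the docs."""
    params = {k: encode_filter(v) for k, v in filters.items()}
    params.update(page=str(page), per_page=str(per_page))
    return ENDPOINT + "?" + urlencode(params, safe=",")


def https_fetch(base_url, token):
    """Fetcher for a real hub: GET with the OpenShift token in the
    Authorization header (Bearer scheme is an assumption, not stated on the page)."""
    def fetch(path):
        req = Request(base_url + path, headers={"Authorization": "Bearer " + token})
        with urlopen(req) as resp:
            return json.load(resp)
    return fetch


def iter_events(fetch, filters, per_page=20):
    """Yield every event, advancing page until metadata.pages is reached."""
    page, pages = 1, 1
    while page <= pages:
        body = fetch(build_query(filters, page, per_page))
        yield from body["data"]
        pages, page = body["metadata"]["pages"], page + 1


def fake_fetch(path):
    """Constructed two-page response in the documented shape (no network needed)."""
    page = int(parse_qs(urlparse(path).query)["page"][0])
    data = {1: [{"id": 2, "cluster": {"name": "cluster1"}, "event": {"compliance": "NonCompliant"}},
                {"id": 1, "cluster": {"name": "cluster2"}, "event": {"compliance": "Compliant"}}],
            2: [{"id": 0, "cluster": {"name": "cluster1"}, "event": {"compliance": "NonCompliant"}}]}
    return {"data": data[page], "metadata": {"page": page, "pages": 2, "per_page": 2, "total": 3}}
```

Against a real hub, pass `https_fetch("https://<hub-route>", token)` in place of `fake_fetch`; the paging logic is unchanged.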
1.24.2.2. Select a single policy compliance event
/api/v1/compliance-events/<id>
You can select a single policy compliance event by specifying its database ID. For example, /api/v1/compliance-events/1 selects the compliance event with ID 1. The return value has the following format:
{
  "id": 1,
  "cluster": {
    "name": "cluster2",
    "cluster_id": "415ce234-8dee-4cab-b99b-1f8f29dff461"
  },
  "parent_policy": {
    "id": 2,
    "name": "etcd-encryption",
    "namespace": "policies",
    "categories": ["CM Configuration Management"],
    "controls": ["CM-2 Baseline Configuration"],
    "standards": ["NIST SP 800-53"]
  },
  "policy": {
    "apiGroup": "policy.open-cluster-management.io",
    "id": 4,
    "kind": "ConfigurationPolicy",
    "name": "etcd-encryption",
    "namespace": "",
    "spec": {}
  },
  "event": {
    "compliance": "Compliant",
    "message": "configmaps [app-data] found as specified in namespace default",
    "timestamp": "2023-07-19T18:25:41.523Z",
    "metadata": {}
  }
}
1.24.2.3. Generate a spreadsheet
/api/v1/reports/compliance-events
You can generate a comma-separated values (CSV) spreadsheet for auditing and troubleshooting. It outputs the same data as, and accepts the same query parameters as, the /api/v1/compliance-events API endpoint. By default no per_page limit is set, and there is no maximum value for the per_page query parameter. All CSV headers are the same as for the /api/v1/compliance-events API endpoint, with nested JSON objects joined by underscores. For example, the event timestamp has the header event_timestamp.
1.24.3. Authentication and authorization
The policy compliance history API authenticates and authorizes requests with the OpenShift instance that the Red Hat Advanced Cluster Management hub cluster uses. You must provide your OpenShift token in the Authorization header of the HTTPS request.
To find your token, run the following command:
oc whoami --show-token
1.24.3.1. Viewing compliance events
To view compliance events for a managed cluster, you need get verb access to the corresponding ManagedCluster object on the Red Hat Advanced Cluster Management hub cluster. For example, to view compliance events for the local-cluster cluster, you can use the open-cluster-management:view:local-cluster ClusterRole or create your own resource, as in the following example:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: local-cluster-view
rules:
  - apiGroups:
      - cluster.open-cluster-management.io
    resources:
      - managedclusters
    resourceNames:
      - local-cluster
    verbs:
      - get
To verify your access to a specific managed cluster, use the oc auth can-i command. For example, to check whether you can access the local-cluster managed cluster, run the following command:
oc auth can-i get managedclusters.cluster.open-cluster-management.io/local-cluster
1.24.3.2. Recording compliance events
A user or service account with patch verb access to the policies.policy.open-cluster-management.io/status resource in the corresponding managed cluster namespace can record policy compliance events. The governance-policy-framework pod on the managed cluster records compliance events using the open-cluster-management-compliance-history-api-recorder service account in the corresponding managed cluster namespace on the Red Hat Advanced Cluster Management hub cluster. Each of these service accounts has the open-cluster-management:compliance-history-api-recorder ClusterRole bound in the managed cluster namespace. Restrict user and service account patch verb access to the policy status so that the data stored in the policy compliance history API remains trustworthy.
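The restriction in the last paragraph can be checked against the hub's RBAC objects. The following is an added example, not Red Hat's code: it lists every subject in a managed cluster namespace whose ClusterRole binding grants patch on policies/status and flags anything other than the recorder service account. The ClusterRole rules and RoleBindings are constructed samples in the shape `oc get -o json` returns; the recorder ClusterRole's rules are assumed, not quoted from the product.

```python
"""Audit who can patch policies/status in a managed cluster namespace (added example)."""
API_GROUP = "policy.open-cluster-management.io"
RESOURCE = "policies/status"
RECORDER_ROLE = "open-cluster-management:compliance-history-api-recorder"
EXPECTED = {"ServiceAccount/open-cluster-management-compliance-history-api-recorder"}


def rule_allows(rule, group, resource, verb):
    """Kubernetes RBAC matching for one PolicyRule: "*" matches anything,
    and "*/<sub>" matches that subresource on every resource."""
    groups, res, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
    sub = resource.partition("/")[2]
    res_ok = "*" in res or resource in res or (bool(sub) and "*/" + sub in res)
    return res_ok and ("*" in groups or group in groups) and ("*" in verbs or verb in verbs)


def subjects_with_patch(bindings, cluster_roles, namespace):
    """kind/name of each subject bound in `namespace` to a ClusterRole that can
    patch policies/status (RoleBindings that reference a Role are not evaluated)."""
    rules = {cr["metadata"]["name"]: cr["rules"] for cr in cluster_roles}
    found = set()
    for rb in bindings:
        ref = rb["roleRef"]
        if rb["metadata"]["namespace"] != namespace or ref["kind"] != "ClusterRole":
            continue
        if any(rule_allows(r, API_GROUP, RESOURCE, "patch") for r in rules.get(ref["name"], [])):
            found.update(f'{s["kind"]}/{s["name"]}' for s in rb["subjects"])
    return sorted(found)


def unexpected_recorders(bindings, cluster_roles, namespace):
    """Every subject beyond the recorder service account that could write history."""
    return [s for s in subjects_with_patch(bindings, cluster_roles, namespace) if s not in EXPECTED]


# Constructed samples (shape of `oc get -o json`): the recorder binding the text
# describes, plus an over-broad wildcard binding that the audit must flag.
CLUSTER_ROLES = [
    {"metadata": {"name": RECORDER_ROLE},
     "rules": [{"apiGroups": [API_GROUP], "resources": [RESOURCE], "verbs": ["patch"]}]},
    {"metadata": {"name": "ns-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
BINDINGS = [
    {"metadata": {"namespace": "cluster1"}, "roleRef": {"kind": "ClusterRole", "name": RECORDER_ROLE},
     "subjects": [{"kind": "ServiceAccount", "namespace": "cluster1",
                   "name": "open-cluster-management-compliance-history-api-recorder"}]},
    {"metadata": {"namespace": "cluster1"}, "roleRef": {"kind": "ClusterRole", "name": "ns-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]
```

Feed it the output of `oc get clusterroles -o json` and `oc get rolebindings -A -o json` to audit a live hub; an empty result from unexpected_recorders means only the recorder can write history for that namespace.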