As a follow-up to the discussion on dynamic audit at the last sig-auth meeting, we (the SIG Auth leads) have decided to remove the existing alpha implementation since it does not have a clear path to GA with broad enablement, and has not made any meaningful progress in the last 1.5 years. Two particular areas of concern were:
- API-controlled "dynamic" policy was identified as a required part of this feature, but we have not been able to reach agreement on a design.
- Performance/scalability issues were not addressed.
Since it is possible to build features serving the same use cases using the existing audit webhook support in the kube-apiserver, we recommend prototyping and releasing dynamic audit features outside of core Kubernetes (as an example, see the dynamic audit proxy proposal). If we have at least two contributors interested in prototyping this approach, we would endorse a SIG Auth sponsored kubernetes-sigs repo.
Thank you,
Tim Allclair, on behalf of the SIG Auth leads.