Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stage 1 orchestrator rfc #2

Open
wants to merge 15 commits into
base: main
Choose a base branch
from
2 changes: 1 addition & 1 deletion .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
with:
go-version: '^1.13.1'
go-version: '1.15.x'
- uses: actions/setup-python@v2
with:
python-version: '3.x'
Expand Down
193 changes: 180 additions & 13 deletions rfcs/text/0012-orchestrator-field-set.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# 0012: Orchestrator field set creation

- Stage: **0 (strawperson)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
- Stage: **1 (draft)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
- Date: **2021-01-11** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->

There is currently no ECS field set for container orchestration engines. There is an example of an ECS
Expand All @@ -19,9 +19,79 @@ add a new schema rather than change existing material.

## Fields

<!--
Stage 1: Describe at a high level how this change affects fields. Which fieldsets will be impacted? How many fields overall? Are we primarily adding fields, removing fields, or changing existing fields? The goal here is to understand the fundamental technical implications and likely extent of these changes. ~2-5 sentences.
-->
The proposed change adds six fields, as described below:

```
---
- name: orchestrator
title: Orchestrator
group: 2
short: Fields relevant to container orchestrators.
description: >
Fields that describe the resources which container orchestrators manage or
act upon.
type: group
fields:
- name: cluster
level: extended
type: object
description: >
Orchestrator cluster details.

- name: cluster.name
level: extended
type: keyword
description: >
Name of the cluster.

- name: cluster.url
level: extended
type: keyword
description: >
URL of the cluster.

- name: type
level: extended
type: keyword
example: kubernetes
description: >
Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).

- name: organization
level: extended
type: keyword
example: elastic
description: >
Organization affected by the event (for multi-tenant orchestrator setups).

- name: namespace
level: extended
type: keyword
example: kube-system
description: >
Namespace in which the action is taking place.

- name: resource.name
level: extended
type: keyword
example: test-pod-cdcws
description: >
Name of the resource being acted upon.

- name: resource.type
level: extended
type: keyword
example: service
description: >
Type of resource being acted upon.

- name: api_version
level: extended
example: v1beta1
type: keyword
description: >
API version being used to carry out the action
```

<!--
Stage 2: Include new or updated yml field definitions for all of the essential fields in this draft. While not exhaustive, the fields documented here should be comprehensive enough to deeply evaluate the technical considerations of this change. The goal here is to validate the technical details for all essential fields and to provide a basis for adding experimental field definitions to the schema. Use GitHub code blocks with yml syntax formatting.
Expand All @@ -33,15 +103,99 @@ Stage 3: Add or update all remaining field definitions. The list should now be e

## Usage

<!--
Stage 1: Describe at a high-level how these field changes will be used in practice. Real world examples are encouraged. The goal here is to understand how people would leverage these fields to gain insights or solve problems. ~1-3 paragraphs.
-->
The `orchestrator` field set will be used to capture typical concepts employed
by container orchestrators to manage resources. The key intent of this is to create
a consistent method by which audit logs from container orchestrators can
be compared. For example, this would allow the creation of open source detection
rulesets for suspicious Kubernetes events based on audit logs, which can be easily
transferred from one cluster to another without depending on the specifics of
parsing implementations.

This might also have use in performance and monitoring tooling which exists around
container orchestrators, allowing for the definition of shareable dashboards and
alert definitions.

## Source data

<!--
Stage 1: Provide a high-level description of example sources of data. This does not yet need to be a concrete example of a source document, but instead can simply describe a potential source (e.g. nginx access log). This will ultimately be fleshed out to include literal source examples in a future stage. The goal here is to identify practical sources for these fields in the real world. ~1-3 sentences or unordered list.
-->
Examples of source data include:

- [Kubernetes audit logs][1]
- [Kubernetes node logs][2]
- [HashiCorp Nomad audit logs][3]
- [Falco alert logs][4]

### Kubernetes audit log

```json
{
"_index": "filebeat-7.7.0-2020.12.31-000001",
"_type": "_doc",
"_id": "KbmPuXYBaTdcl42uyGfl",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-12-31T16:09:35.735Z",
"log": {
"offset": 7248566,
"file": {
"path": "/tmp/host-logs/kube-apiserver-audit.log"
}
},
"cloud.provider": "gcp",
"event.action": "create",
"orchestrator.cluster": {
"name": "test-dev",
},
"orchestrator.type": "kubernetes",
"orchestrator.subresource": "attach",
"orchestrator.resource.type": "pod",
"orchestrator.namespace": "default",
"orchestrator.resource.name": "test",
"orchestrator.api_version": "v1",
"user.name": "system:serviceaccount:test"
}
}
```

### Hashicorp Nomad audit log

```json
{
"created_at": "2020-03-24T13:09:35.704224536-04:00",
"event_type": "audit",
"orchestrator.api_version": "v1",
"orchestrator.namespace": "default",
"orchestrator.resource.type": "nodes",
"orchestrator.type": "nomad",
"payload": {
"id": "8b826146-b264-af15-6526-29cb905145aa",
"stage": "OperationComplete",
"type": "audit",
"timestamp": "2020-03-24T13:09:35.703865005-04:00",
"version": 1,
"auth": {
"accessor_id": "a162f017-bcf7-900c-e22a-a2a8cbbcef53",
"name": "Bootstrap Token",
"global": true,
"create_time": "2020-03-24T17:08:35.086591881Z"
},
"request": {
"id": "02f0ac35-c7e8-0871-5a58-ee9dbc0a70ea",
"event.action": "GET",
"request_meta": {
"remote_address": "127.0.0.1:33648",
"user_agent": "Go-http-client/1.1"
},
"node_meta": {
"ip": "127.0.0.1:4646"
}
},
"response": {
"status_code": 200
}
}
}
```

<!--
Stage 2: Included a real world example source document. Ideally this example comes from the source(s) identified in stage 1. If not, it should replace them. The goal here is to validate the utility of these field changes in the context of a real world example. Format with the source name as a ### header and the example document in a GitHub code block with json formatting.
Expand All @@ -63,9 +217,18 @@ The goal here is to research and understand the impact of these changes on users

## Concerns

<!--
Stage 1: Identify potential concerns, implementation challenges, or complexity. Spend some time on this. Play devil's advocate. Try to identify the sort of non-obvious challenges that tend to surface later. The goal here is to surface risks early, allow everyone the time to work through them, and ultimately document resolution for posterity's sake.
-->
### Kubernetes-specific logic

The key concern here is the dominance of one particular container orchestration
system - Kubernetes - over the rest of the ecosystem. Other orchestrators include
options like HashiCorp Nomad, Docker Swarm, and Apache Mesos, but it is unclear to
what extent the alternatives share the same logical primitives as Kubernetes. An
attempt has been made to ensure that the proposed field set is as generic and flexible
as possible, however it would be useful to consider in some detail whether the
preference is to keep the field set as generic as possible, or large enough to
cover all the logical primitives of popular orchestrators. Input from contributors
who have experience with the various alternative orchestration providers would be
particularly valuable.

<!--
Stage 2: Document new concerns or resolutions to previously listed concerns. It's not critical that all concerns have resolutions at this point, but it would be helpful if resolutions were taking shape for the most significant concerns.
Expand Down Expand Up @@ -101,6 +264,7 @@ The following are the people that consulted on the contents of this RFC.
<!-- An RFC should link to the PRs for each of it stage advancements. -->

* Stage 0: https://github.com/elastic/ecs/pull/1209
* Stage 1: https://github.com/elastic/ecs/pull/1230

<!--
* Stage 1: https://github.com/elastic/ecs/pull/NNN
Expand All @@ -109,3 +273,6 @@ The following are the people that consulted on the contents of this RFC.

[0]: https://github.com/elastic/ecs/blob/master/use-cases/kubernetes.yml
[1]: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
[2]: https://kubernetes.io/docs/concepts/cluster-administration/logging/#logging-at-the-node-level
[3]: https://www.hashicorp.com/blog/hashicorp-nomad-enterprise-audit-logging
[4]: https://falco.org/docs/alerts/#file-output