From 28c722e88da65c90f40c54bdae55af907e833ab1 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Mon, 11 May 2026 15:10:56 -0700 Subject: [PATCH] C1: review CC observability-stack-audit (extend to k3s) Recurring compensating-control review. Verified: - alloy-k8s: Synced/Healthy on minikube-indri (DaemonSet 1/1 ready) - alloy-ringtail: Synced/Healthy on k3s-ringtail - loki (monitoring/loki-0): Running, receiving logs The previous description named only minikube, but BlumeOps now runs two clusters with the migration to ringtail in progress. Generalized the description and notes to cover both, and added a follow-up note that enabling native apiserver audit logging is much more tractable on k3s than it was on minikube. Co-Authored-By: Claude Opus 4.7 (1M context) --- compensating-controls.yaml | 12 ++++++++---- ...-cc-observability-stack-audit-2026-05-11.infra.md | 1 + 2 files changed, 9 insertions(+), 4 deletions(-) create mode 100644 docs/changelog.d/review-cc-observability-stack-audit-2026-05-11.infra.md diff --git a/compensating-controls.yaml b/compensating-controls.yaml index 658c99d..01b3cfd 100644 --- a/compensating-controls.yaml +++ b/compensating-controls.yaml 
@@ -196,11 +196,15 @@ controls: description: >- Alloy collects pod logs and ships them to Loki, providing an audit trail for cluster activity. Compensates for missing - apiserver audit logging which minikube does not configure. + apiserver audit logging which neither minikube (indri) nor + k3s (ringtail) configures by default. created: 2026-03-30 - last-reviewed: 2026-03-30 + last-reviewed: 2026-05-11 notes: >- - Verify Alloy DaemonSet is running and Loki is receiving logs. + Verify Alloy DaemonSet is running on each cluster (alloy-k8s on + minikube, alloy-ringtail on k3s) and Loki is receiving logs. Note this is weaker than native apiserver audit logs — it captures pod stdout/stderr, not API request-level auditing. - Consider enabling minikube audit logging if supported. + Consider enabling apiserver audit logging on k3s post-migration + (`--audit-log-path` / `--audit-policy-file`) — minikube made it + hard, k3s makes it straightforward. diff --git a/docs/changelog.d/review-cc-observability-stack-audit-2026-05-11.infra.md b/docs/changelog.d/review-cc-observability-stack-audit-2026-05-11.infra.md new file mode 100644 index 0000000..8100c6a --- /dev/null +++ b/docs/changelog.d/review-cc-observability-stack-audit-2026-05-11.infra.md @@ -0,0 +1 @@ +Reviewed compensating control `observability-stack-audit`. Updated description to cover ringtail's k3s as well as indri's minikube; both Alloy DaemonSets and Loki are healthy.
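Review bot: The follow-up in the `notes` block of the `observability-stack-audit` hunk names `--audit-log-path` / `--audit-policy-file` as if they were k3s flags, but k3s only exposes them via its apiserver pass-through, e.g. `--kube-apiserver-arg=audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log` and `--kube-apiserver-arg=audit-policy-file=/var/lib/rancher/k3s/server/audit-policy.yaml` (or the equivalent `kube-apiserver-arg:` list in the k3s config file), and the policy file must already exist on the server node or the apiserver will not start; spelling that out in the note would save the next reviewer a detour. Worth adding to the same note: on k3s the apiserver runs inside the k3s service rather than as a pod, so Alloy's pod-log collection does not see control-plane logs at all unless journald is also scraped, which narrows this compensating control further than the "pod stdout/stderr, not API request-level auditing" caveat already states. Finally, "Verify Alloy DaemonSet is running on each cluster" would be more repeatable as a concrete check (desired == ready on both DaemonSets, plus a recent Loki query returning lines from each cluster), matching what the commit message says was actually verified.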
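Review bot: The new changelog fragment records the outcome ("both Alloy DaemonSets and Loki are healthy") but drops the action item that this review introduced in `compensating-controls.yaml`, namely enabling native apiserver audit logging on k3s after the ringtail migration; since the changelog is what readers will scan for open follow-ups, consider appending a clause such as "follow-up: enable apiserver audit logging on k3s post-migration" so the item is visible outside the YAML notes.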