From f83be3bf370105b6ad896353b117da34b78285c1 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Mon, 11 May 2026 16:10:39 -0700 Subject: [PATCH] C1: review CC observability-stack-audit (extend to k3s) (#353) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary - Recurring compensating-control review (oldest stale control: 42 days). - Verified the control is in effect on both clusters: - `alloy-k8s` on minikube-indri — Synced/Healthy, DaemonSet 1/1 ready - `alloy-ringtail` on k3s-ringtail — Synced/Healthy - `loki` (`monitoring/loki-0`) — Running, receiving logs (52 restarts in 18h is worth watching but not blocking review) - Generalized the description: previously named only minikube, but the indri→ringtail migration means we now operate two clusters and both rely on this control. - Added a follow-up note: enabling native apiserver audit logging is far more tractable on k3s (`--audit-log-path` / `--audit-policy-file`) than it was on minikube — worth revisiting once the migration concludes. ## Test plan - [x] `prek` hooks pass - [x] Verified alloy + loki status via `kubectl --context=minikube-indri` and `argocd app get` ## Notes - No deployment changes. Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/353 --- compensating-controls.yaml | 12 ++++++++---- ...-cc-observability-stack-audit-2026-05-11.infra.md | 1 + 2 files changed, 9 insertions(+), 4 deletions(-) create mode 100644 docs/changelog.d/review-cc-observability-stack-audit-2026-05-11.infra.md diff --git a/compensating-controls.yaml b/compensating-controls.yaml index 658c99d..01b3cfd 100644 --- a/compensating-controls.yaml +++ b/compensating-controls.yaml 
@@ -196,11 +196,15 @@ controls: description: >- Alloy collects pod logs and ships them to Loki, providing an audit trail for cluster activity. Compensates for missing - apiserver audit logging which minikube does not configure. + apiserver audit logging which neither minikube (indri) nor + k3s (ringtail) configures by default. created: 2026-03-30 - last-reviewed: 2026-03-30 + last-reviewed: 2026-05-11 notes: >- - Verify Alloy DaemonSet is running and Loki is receiving logs. + Verify Alloy DaemonSet is running on each cluster (alloy-k8s on + minikube, alloy-ringtail on k3s) and Loki is receiving logs. Note this is weaker than native apiserver audit logs — it captures pod stdout/stderr, not API request-level auditing. - Consider enabling minikube audit logging if supported. + Consider enabling apiserver audit logging on k3s post-migration + (`--audit-log-path` / `--audit-policy-file`) — minikube made it + hard, k3s makes it straightforward. diff --git a/docs/changelog.d/review-cc-observability-stack-audit-2026-05-11.infra.md b/docs/changelog.d/review-cc-observability-stack-audit-2026-05-11.infra.md new file mode 100644 index 0000000..8100c6a --- /dev/null +++ b/docs/changelog.d/review-cc-observability-stack-audit-2026-05-11.infra.md @@ -0,0 +1 @@ +Reviewed compensating control `observability-stack-audit`. Updated description to cover ringtail's k3s as well as indri's minikube; both Alloy DaemonSets and Loki are healthy.
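Review bot: In the `notes` field of the `compensating-controls.yaml` hunk, the follow-up "Consider enabling apiserver audit logging on k3s post-migration" carries no owner, tracking reference or end condition, so a control that the same notes describe as weaker than native apiserver audit logs can keep passing its recurring review unchanged. Suggest linking a tracked follow-up item and stating what marks the migration as concluded. The flags named, `--audit-log-path` / `--audit-policy-file`, are kube-apiserver flags; the note would be more actionable if it said where they are set in the ringtail k3s configuration. The verification step now names both DaemonSets, but only `alloy-k8s` has a readiness count (1/1) in the commit summary; recording the expected ready count for `alloy-ringtail` as well would make the next review repeatable.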
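Review bot: The added changelog line says "both Alloy DaemonSets and Loki are healthy", but the commit summary records 52 restarts of `monitoring/loki-0` in 18h and the test plan lists only `kubectl --context=minikube-indri` and `argocd app get` as verification. Because this control is the only audit trail for either cluster, each Loki restart is a possible gap in it. Suggest wording the changelog as "running and receiving logs, restart count under observation" and adding the restart observation to the control's `notes`, so the next reviewer checks log continuity and not only pod status.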