C1: review CC observability-stack-audit (extend to k3s) (#353)

## Summary
- Recurring compensating-control review (oldest stale control: 42 days).
- Verified the control is in effect on both clusters:
  - `alloy-k8s` on minikube-indri — Synced/Healthy, DaemonSet 1/1 ready
  - `alloy-ringtail` on k3s-ringtail — Synced/Healthy
  - `loki` (`monitoring/loki-0`) — Running, receiving logs (52 restarts in 18h is worth watching but not blocking review)
- Generalized the description: previously named only minikube, but the indri→ringtail migration means we now operate two clusters and both rely on this control.
- Added a follow-up note: enabling native apiserver audit logging is far more tractable on k3s (`--audit-log-path` / `--audit-policy-file`) than it was on minikube — worth revisiting once the migration concludes.

## Test plan
- [x] `prek` hooks pass
- [x] Verified alloy + loki status via `kubectl --context=minikube-indri` and `argocd app get`

## Notes
- No deployment changes.

Reviewed-on: #353
Erich Blume 2026-05-11 16:10:39 -07:00
commit f83be3bf37
2 changed files with 9 additions and 4 deletions


@ -196,11 +196,15 @@ controls:
description: >- description: >-
Alloy collects pod logs and ships them to Loki, providing an Alloy collects pod logs and ships them to Loki, providing an
audit trail for cluster activity. Compensates for missing audit trail for cluster activity. Compensates for missing
apiserver audit logging which minikube does not configure. apiserver audit logging which neither minikube (indri) nor
k3s (ringtail) configures by default.
created: 2026-03-30 created: 2026-03-30
last-reviewed: 2026-03-30 last-reviewed: 2026-05-11
notes: >- notes: >-
Verify Alloy DaemonSet is running and Loki is receiving logs. Verify Alloy DaemonSet is running on each cluster (alloy-k8s on
minikube, alloy-ringtail on k3s) and Loki is receiving logs.
Note this is weaker than native apiserver audit logs — it Note this is weaker than native apiserver audit logs — it
captures pod stdout/stderr, not API request-level auditing. captures pod stdout/stderr, not API request-level auditing.
Consider enabling minikube audit logging if supported. Consider enabling apiserver audit logging on k3s post-migration
(`--audit-log-path` / `--audit-policy-file`) — minikube made it
hard, k3s makes it straightforward.
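Review bot: In the new `notes` text, "Loki is receiving logs" is still a single check while the DaemonSet check was made per cluster; an Alloy instance can be running without its logs reaching Loki, so the step should ask for logs received from each cluster (alloy-k8s and alloy-ringtail). The test plan in the commit message records only `kubectl --context=minikube-indri`, and the summary gives the ringtail app as Synced/Healthy without a DaemonSet ready count, so recording the ringtail DaemonSet check would match what the notes now require. The k3s follow-up (`--audit-log-path` / `--audit-policy-file`) would also be easier to act on with a tracking reference next to it rather than only free text in `notes`.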


@ -0,0 +1 @@
Reviewed compensating control `observability-stack-audit`. Updated description to cover ringtail's k3s as well as indri's minikube; both Alloy DaemonSets and Loki are healthy.
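Review bot: The closing claim that both Alloy DaemonSets "and Loki are healthy" is stronger than the commit summary, which reports `monitoring/loki-0` as Running with 52 restarts in 18h. Since the control depends on Loki ingesting the logs, suggest wording this as running and receiving logs, with the restart count mentioned as something being watched. The entry could also mention that `last-reviewed` moved to 2026-05-11 and that the k3s apiserver audit logging follow-up was added.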