C1: review CC observability-stack-audit (extend to k3s) (#353)

## Summary - Recurring compensating-control review (oldest stale control: 42 days). - Verified the control is in effect on both clusters: - `alloy-k8s` on minikube-indri — Synced/Healthy, DaemonSet 1/1 ready - `alloy-ringtail` on k3s-ringtail — Synced/Healthy - `loki` (`monitoring/loki-0`) — Running, receiving logs (52 restarts in 18h is worth watching but not blocking review) - Generalized the description: previously named only minikube, but the indri→ringtail migration means we now operate two clusters and both rely on this control. - Added a follow-up note: enabling native apiserver audit logging is far more tractable on k3s (`--audit-log-path` / `--audit-policy-file`) than it was on minikube — worth revisiting once the migration concludes. ## Test plan - [x] `prek` hooks pass - [x] Verified alloy + loki status via `kubectl --context=minikube-indri` and `argocd app get` ## Notes - No deployment changes. Reviewed-on: #353
2026-05-11 16:10:39 -07:00 · 2026-05-11 16:10:39 -07:00 · f83be3bf37
commit f83be3bf37
parent 40d9a1ef9e
2 changed files with 9 additions and 4 deletions
--- a/compensating-controls.yaml
+++ b/compensating-controls.yaml
@ -196,11 +196,15 @@ controls:
    description: >-
      Alloy collects pod logs and ships them to Loki, providing an
      audit trail for cluster activity. Compensates for missing
-      apiserver audit logging which minikube does not configure.
+      apiserver audit logging which neither minikube (indri) nor
+      k3s (ringtail) configures by default.
    created: 2026-03-30
-    last-reviewed: 2026-03-30
+    last-reviewed: 2026-05-11
    notes: >-
-      Verify Alloy DaemonSet is running and Loki is receiving logs.
+      Verify Alloy DaemonSet is running on each cluster (alloy-k8s on
+      minikube, alloy-ringtail on k3s) and Loki is receiving logs.
      Note this is weaker than native apiserver audit logs — it
      captures pod stdout/stderr, not API request-level auditing.
-      Consider enabling minikube audit logging if supported.
+      Consider enabling apiserver audit logging on k3s post-migration
+      (`--audit-log-path` / `--audit-policy-file`) — minikube made it
+      hard, k3s makes it straightforward.
--- a/docs/changelog.d/review-cc-observability-stack-audit-2026-05-11.infra.md
+++ b/docs/changelog.d/review-cc-observability-stack-audit-2026-05-11.infra.md
@ -0,0 +1 @@
+Reviewed compensating control `observability-stack-audit`. Updated description to cover ringtail's k3s as well as indri's minikube; both Alloy DaemonSets and Loki are healthy.
				`@ -0,0 +1 @@`
				Reviewed compensating control `observability-stack-audit`. Updated description to cover ringtail's k3s as well as indri's minikube; both Alloy DaemonSets and Loki are healthy.