
For OpenShift, use the ClusterLogForwarder to forward audit logs.

Important
Use type: vector rather than type: fluentd, because Fluentd has Content-Type compatibility issues.

Procedure

  1. Install the Red Hat OpenShift Logging Operator.
    # Step 1: install the Red Hat OpenShift Logging Operator into openshift-logging.
    # Create namespace
    oc create namespace openshift-logging
    
    # Create operator group
    # targetNamespaces limits the operator to the openshift-logging namespace.
    cat <<EOF | oc apply -f -
    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: cluster-logging-og
      namespace: openshift-logging
    spec:
      targetNamespaces:
      - openshift-logging
    EOF
    
    # Install logging operator
    # Subscribes to the cluster-logging package from the redhat-operators catalog
    # (openshift-marketplace) on the stable channel.
    cat <<EOF | oc apply -f -
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: cluster-logging
      namespace: openshift-logging
    spec:
      channel: stable
      name: cluster-logging
      source: redhat-operators
      sourceNamespace: openshift-marketplace
    EOF
    
    # Confirm installation (wait for PHASE: Succeeded)
    # Re-run until the ClusterServiceVersion shows PHASE Succeeded; the CRDs used in
    # steps 2 and 3 are not available before that.
    oc get csv -n openshift-logging
  2. Create the ClusterLogging instance.
    # Step 2: create the ClusterLogging instance with the vector collector
    # (type: fluentd is not used; see the Content-Type note above).
    cat <<EOF | oc apply -f -
    apiVersion: logging.openshift.io/v1
    kind: ClusterLogging
    metadata:
      name: instance
      namespace: openshift-logging
    spec:
      collection:
        type: vector
    EOF
  3. Create the ClusterLogForwarder.
    # Step 3: forward a filtered subset of the Kubernetes API audit log to the collector.
    cat <<EOF | oc apply -f -
    apiVersion: logging.openshift.io/v1
    kind: ClusterLogForwarder
    metadata:
      name: instance
      namespace: openshift-logging
    spec:
      # kubeAPIAudit filter written in the kube-apiserver audit-policy format: each rule
      # sets the level for the events it matches, and the final "level: None" rule
      # catches everything else.
      # NOTE(review): first-match ordering is assumed from the policy format - confirm
      # against the OpenShift Logging filter documentation.
      filters:
      - name: rbac-only
        type: kubeAPIAudit
        kubeAPIAudit:
          rules:
          # RBAC object writes: record full request and response bodies.
          - level: RequestResponse
            verbs: ["create", "update", "patch", "delete"]
            resources:
            - group: "rbac.authorization.k8s.io"
              resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
          # RBAC object reads: metadata only (who, what, when), no bodies.
          - level: Metadata
            verbs: ["get", "list", "watch"]
            resources:
            - group: "rbac.authorization.k8s.io"
              resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
          # Authorization checks (the SubjectAccessReview family): metadata only.
          - level: Metadata
            verbs: ["create"]
            resources:
            - group: "authorization.k8s.io"
              resources: ["subjectaccessreviews", "selfsubjectaccessreviews", "localsubjectaccessreviews"]
          # ServiceAccount lifecycle in the core API group (group ""): metadata only.
          - level: Metadata
            verbs: ["create", "update", "delete"]
            resources:
            - group: ""
              resources: ["serviceaccounts"]
          # Catch-all: audit events not matched by a rule above are not forwarded.
          - level: None
      outputs:
      # HTTP POST to the in-cluster collector Service (trendmicro-system namespace,
      # port 8030, path /k8s-audit).
      # NOTE(review): the URL is plain http, so forwarded audit events travel
      # unencrypted on the cluster network; check whether the collector endpoint
      # offers TLS before relying on this in production.
      - name: trendmicro-audit-collector
        type: http
        url: http://trendmicro-audit-log-collector.trendmicro-system.svc:8030/k8s-audit
        http:
          method: POST
          headers:
            # Set explicitly; Content-Type is where the Fluentd compatibility issue
            # noted above lies.
            Content-Type: application/json
      # Pipeline: built-in audit input -> rbac-only filter -> http output.
      pipelines:
      - name: audit-to-trendmicro
        inputRefs:
        - audit
        filterRefs:
        - rbac-only
        outputRefs:
        - trendmicro-audit-collector
    EOF
  4. Verify the configuration.
    # Step 4: verify. Collector pods should be Running, and the forwarder should be
    # stored with the filter, output and pipeline from step 3 (check its status
    # conditions in the YAML for validation errors).
    oc get pods -n openshift-logging
    oc get clusterlogforwarder instance -n openshift-logging -o yaml