Reputation: 1643
We constantly have issues with our OpenShift Deployments. Credentials are suddenly missing (or suddenly we have the wrong credentials configured), deployments are suddenly scaled up and down, etc.
Nobody on the team is aware of anything they did. However, I am quite sure from my recent experiences that this happens unknowingly.
Is there any way to check the history of modifications to a resource? E.g. the last "oc/kubectl apply -f" - optimally with the contents that were modified and the user?
Upvotes: 0
Views: 1617
Reputation: 309
For a one-off issue, you can also look at the replicaSets present in that namespace and examine them for differences. Depending on how much history you keep, it may have already been lost, if it was present to begin with.
Try:
kubectl get rs -n my-namespace
Or, dealing with DeploymentConfigs, replicaControllers:
oc get rc -n my-namespace
For credentials, assuming those are in a secret and not the deployment itself, you wouldn't have that history without going to audit logs.
Upvotes: 3
Reputation: 11940
K8s offers only scant functionality regarding tracking changes. Most prominently, I would look at kubectl rollout history for Deployments, DaemonSets and StatefulSets. Still, this will only tell you when and what was changed, but not who did it.
OpenShift does not seem to offer much on top, since audit logging is cumbersome to configure and analyze.
With a problem like yours, the best remedy I see would be to revoke direct production access to K8s by the team and mandate changes to be rolled out via pipeline. That way you can use Git to track who did what.
Upvotes: 1
Reputation: 15568
You need to configure and enable the audit log; check out the oc manual here.
In addition to logging metadata for all requests, logs request bodies for every read and write request to the API servers...
Upvotes: 2
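Once audit logging is enabled, the "who changed this Secret or scaled this Deployment" question from the thread becomes a filter over the audit events. The following is an added example, not code from any of the answers: it assumes the API server writes `audit.k8s.io/v1` events as one JSON object per line, and the sample events, user names and the `who_changed` helper are constructed for illustration.

```python
import json

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# Constructed sample audit events (audit.k8s.io/v1), one JSON object per line.
SAMPLE_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"my-namespace","name":"db-credentials"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-01-10T09:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"patch","user":{"username":"bob"},"objectRef":{"resource":"secrets","namespace":"my-namespace","name":"db-credentials"},"requestReceivedTimestamp":"2024-01-10T09:05:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"patch","user":{"username":"bob"},"userAgent":"kubectl/v1.28.0 (linux/amd64)","objectRef":{"resource":"secrets","namespace":"my-namespace","name":"db-credentials"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-01-10T09:05:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"patch","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"resource":"deployments","namespace":"my-namespace","name":"web","subresource":"scale"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-01-10T09:07:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"update","user":{"username":"carol"},"objectRef":{"resource":"deployments","namespace":"my-namespace","name":"web"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2024-01-10T09:03:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"Respon
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"patch","user":{"username":"dave"},"objectRef":{"resource":"secrets","namespace":"other-namespace","name":"db-credentials"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-01-10T09:08:00.000000Z"}
"""

def who_changed(lines, namespace, resource, name=None):
    """Return write requests against a resource type in a namespace, oldest first."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated line, e.g. log rotated mid-write
        if not isinstance(ev, dict):
            continue
        # Each request is logged once per stage; keep only the final one.
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in WRITE_VERBS:
            continue
        ref = ev.get("objectRef") or {}
        if ref.get("namespace") != namespace or ref.get("resource") != resource:
            continue
        if name is not None and ref.get("name") != name:
            continue
        hits.append({
            "time": ev.get("requestReceivedTimestamp", ""),
            "user": (ev.get("user") or {}).get("username", "?"),
            "verb": ev["verb"],
            # A subresource such as "scale" distinguishes scaling from spec edits.
            "target": "/".join(filter(None, [ref.get("name"), ref.get("subresource")])),
            "code": (ev.get("responseStatus") or {}).get("code"),  # 403 = denied attempt
            "agent": ev.get("userAgent", ""),
        })
    return sorted(hits, key=lambda h: h["time"])

if __name__ == "__main__":
    for res in ("secrets", "deployments"):
        for h in who_changed(SAMPLE_LOG.splitlines(), "my-namespace", res):
            print(res, h["time"], h["user"], h["verb"], h["target"], h["code"])
```

The modified contents only appear in these events (as `requestObject`) when the audit policy logs the resource at `Request` level or higher; at `Metadata` level you get the user, verb and target only.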