Merge pull request #3117 from mirwan/audit_usecases
Audit support improvement
commit
0df969ad19
5 changed files with 16 additions and 15 deletions
|
@ -26,6 +26,7 @@ force_etcd3: false
|
|||
|
||||
# audit support
|
||||
kubernetes_audit: false
|
||||
# audit_log_path must not be set to "-" with kubeadm as it only handles a logfile named audit.log
|
||||
audit_log_path: /var/log/audit/kube-apiserver-audit.log
|
||||
# num days
|
||||
audit_log_maxage: 30
|
||||
|
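Review bot: The new comment on audit_log_path states a constraint that nothing in the role checks: the manifest templates only skip the log volume when the value is `-`, and the kubeadm configuration reads audit_log_hostpath instead, so a `-` setting under kubeadm is silently ignored rather than rejected. If the restriction is real, an assert task next to the audit-policy directory task would make it visible, e.g. `- name: Stop if audit_log_path is "-" under kubeadm` / `assert: { that: audit_log_path != "-" }`, guarded by the role's kubeadm condition and `kubernetes_audit|default(false)`. The variable block continues outside this hunk.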
@ -39,12 +40,11 @@ audit_policy_file: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.ya
|
|||
# audit log hostpath
|
||||
audit_log_name: audit-logs
|
||||
audit_log_hostpath: /var/log/kubernetes/audit
|
||||
audit_log_mountpath: /var/log/audit
|
||||
audit_log_writable: true
|
||||
audit_log_mountpath: "{{ audit_log_path | dirname }}"
|
||||
|
||||
# audit policy hostpath
|
||||
audit_policy_name: audit-policy
|
||||
audit_policy_hostpath: /etc/kubernetes/audit-policy
|
||||
audit_policy_hostpath: "{{ audit_policy_file | dirname }}"
|
||||
audit_policy_mountpath: "{{ audit_policy_hostpath }}"
|
||||
|
||||
# Limits for kube components
|
||||
|
|
|
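Review bot: audit_log_hostpath keeps a hard-coded value while the neighbouring audit_log_mountpath and audit_policy_hostpath are now derived from audit_log_path and audit_policy_file, and nothing documents that under kubeadm this host directory is also the audit logDir (the kubeadm config hunk sets `logDir: {{ audit_log_hostpath }}`). A comment above the line would save the next reader a cross-file search, e.g. `# host directory that receives the audit log; with kubeadm this is also auditPolicy.logDir and the file is named audit.log`. The line itself appears unchanged by this commit.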
@ -66,13 +66,15 @@
|
|||
changed_when: false
|
||||
|
||||
- name: Create audit-policy directory
|
||||
file: path={{ kube_config_dir }}/audit-policy state=directory
|
||||
file:
|
||||
path: "{{ audit_policy_file | dirname }}"
|
||||
state: directory
|
||||
when: kubernetes_audit|default(false)
|
||||
|
||||
- name: Write api audit policy yaml
|
||||
template:
|
||||
src: apiserver-audit-policy.yaml.j2
|
||||
dest: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
|
||||
dest: "{{ audit_policy_file }}"
|
||||
when: kubernetes_audit|default(false)
|
||||
|
||||
- name: gets the kubeadm version
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
---
|
||||
- name: Create audit-policy directory
|
||||
file: path={{ kube_config_dir }}/audit-policy state=directory
|
||||
file:
|
||||
path: "{{ audit_policy_file | dirname }}"
|
||||
state: directory
|
||||
tags:
|
||||
- kube-apiserver
|
||||
when: kubernetes_audit|default(false)
|
||||
|
@ -8,7 +10,7 @@
|
|||
- name: Write api audit policy yaml
|
||||
template:
|
||||
src: apiserver-audit-policy.yaml.j2
|
||||
dest: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
|
||||
dest: "{{ audit_policy_file }}"
|
||||
notify: Master | Restart apiserver
|
||||
tags:
|
||||
- kube-apiserver
|
||||
|
|
|
@ -14,7 +14,7 @@ etcd:
|
|||
keyFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}-key.pem
|
||||
{% if kubernetes_audit %}
|
||||
auditPolicy:
|
||||
logDir: {{ audit_log_path }}
|
||||
logDir: {{ audit_log_hostpath }}
|
||||
logMaxAge: {{ audit_log_maxage }}
|
||||
path: {{ audit_policy_file }}
|
||||
{% endif %}
|
||||
|
@ -88,12 +88,6 @@ controllerManagerExtraArgs:
|
|||
node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
|
||||
node-monitor-period: {{ kube_controller_node_monitor_period }}
|
||||
pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
|
||||
{% if kubernetes_audit %}
|
||||
apiServerExtraVolumes:
|
||||
- name: {{ audit_policy_name }}
|
||||
hostPath: {{ audit_policy_hostpath }}
|
||||
mountPath: {{ audit_policy_mountpath }}
|
||||
{% endif %}
|
||||
{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
|
||||
controllerManagerExtraVolumes:
|
||||
- name: openstackcacert
|
||||
|
|
|
@ -193,12 +193,13 @@ spec:
|
|||
readOnly: true
|
||||
{% endif %}
|
||||
{% if kubernetes_audit %}
|
||||
{% if audit_log_path != "-" %}
|
||||
- mountPath: {{ audit_log_mountpath }}
|
||||
name: {{ audit_log_name }}
|
||||
Writable: true
|
||||
{% endif %}
|
||||
- mountPath: {{ audit_policy_mountpath }}
|
||||
name: {{ audit_policy_name }}
|
||||
Writable: true
|
||||
{% endif %}
|
||||
volumes:
|
||||
- hostPath:
|
||||
|
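Review bot: `Writable: true` on both audit volumeMounts is not a field of the Kubernetes VolumeMount type (the relevant field is `readOnly`, default false), so it is at best ignored and the audit policy file ends up mounted read-write into the apiserver container. The policy mount should be `readOnly: true`, and the log mount can drop the line or use `readOnly: false`; this may be pre-existing rather than introduced here, but the commit touches both mounts and leaves it. The added `{% if audit_log_path != "-" %}` guard is consistent with the matching guard in the volumes hunk. The enclosing container spec starts and ends outside the hunk.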
@ -221,9 +222,11 @@ spec:
|
|||
name: rhel-ca-bundle
|
||||
{% endif %}
|
||||
{% if kubernetes_audit %}
|
||||
{% if audit_log_path != "-" %}
|
||||
- hostPath:
|
||||
path: {{ audit_log_hostpath }}
|
||||
name: {{ audit_log_name }}
|
||||
{% endif %}
|
||||
- hostPath:
|
||||
path: {{ audit_policy_hostpath }}
|
||||
name: {{ audit_policy_name }}
|
||||
|
|
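Review bot: The new hostPath volumes for the audit log directory and the audit policy carry no `type`, so the kubelet performs no check that the paths are what the manifest expects. Adding `type: DirectoryOrCreate` to the log-directory volume and `type: Directory` to the policy volume would document the expectation and fail early on a missing or wrong-kind path; confirm against the cluster's minimum Kubernetes version before relying on it. The volumes list continues outside the hunk.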