Merge pull request #3117 from mirwan/audit_usecases

Audit support improvement
This commit is contained in:
Rong Zhang 2018-08-19 01:13:22 +08:00 committed by GitHub
commit 0df969ad19
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 16 additions and 15 deletions

View file

@ -26,6 +26,7 @@ force_etcd3: false
# audit support
kubernetes_audit: false
# audit_log_path must not be set to "-" with kubeadm as it only handles a logfile named audit.log
audit_log_path: /var/log/audit/kube-apiserver-audit.log
# num days
audit_log_maxage: 30
@ -39,12 +40,11 @@ audit_policy_file: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.ya
# audit log hostpath
audit_log_name: audit-logs
audit_log_hostpath: /var/log/kubernetes/audit
audit_log_mountpath: /var/log/audit
audit_log_writable: true
audit_log_mountpath: "{{ audit_log_path | dirname }}"
# audit policy hostpath
audit_policy_name: audit-policy
audit_policy_hostpath: /etc/kubernetes/audit-policy
audit_policy_hostpath: "{{ audit_policy_file | dirname }}"
audit_policy_mountpath: "{{ audit_policy_hostpath }}"
# Limits for kube components

View file

@ -66,13 +66,15 @@
changed_when: false
- name: Create audit-policy directory
file: path={{ kube_config_dir }}/audit-policy state=directory
file:
path: "{{ audit_policy_file | dirname }}"
state: directory
when: kubernetes_audit|default(false)
- name: Write api audit policy yaml
template:
src: apiserver-audit-policy.yaml.j2
dest: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
dest: "{{ audit_policy_file }}"
when: kubernetes_audit|default(false)
- name: gets the kubeadm version

View file

@ -1,6 +1,8 @@
---
- name: Create audit-policy directory
file: path={{ kube_config_dir }}/audit-policy state=directory
file:
path: "{{ audit_policy_file | dirname }}"
state: directory
tags:
- kube-apiserver
when: kubernetes_audit|default(false)
@ -8,7 +10,7 @@
- name: Write api audit policy yaml
template:
src: apiserver-audit-policy.yaml.j2
dest: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
dest: "{{ audit_policy_file }}"
notify: Master | Restart apiserver
tags:
- kube-apiserver

View file

@ -14,7 +14,7 @@ etcd:
keyFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}-key.pem
{% if kubernetes_audit %}
auditPolicy:
logDir: {{ audit_log_path }}
logDir: {{ audit_log_hostpath }}
logMaxAge: {{ audit_log_maxage }}
path: {{ audit_policy_file }}
{% endif %}
@ -88,12 +88,6 @@ controllerManagerExtraArgs:
node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
node-monitor-period: {{ kube_controller_node_monitor_period }}
pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
{% if kubernetes_audit %}
apiServerExtraVolumes:
- name: {{ audit_policy_name }}
hostPath: {{ audit_policy_hostpath }}
mountPath: {{ audit_policy_mountpath }}
{% endif %}
{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
controllerManagerExtraVolumes:
- name: openstackcacert

View file

@ -193,12 +193,13 @@ spec:
readOnly: true
{% endif %}
{% if kubernetes_audit %}
{% if audit_log_path != "-" %}
- mountPath: {{ audit_log_mountpath }}
name: {{ audit_log_name }}
Writable: true
{% endif %}
- mountPath: {{ audit_policy_mountpath }}
name: {{ audit_policy_name }}
Writable: true
{% endif %}
volumes:
- hostPath:
@ -221,9 +222,11 @@ spec:
name: rhel-ca-bundle
{% endif %}
{% if kubernetes_audit %}
{% if audit_log_path != "-" %}
- hostPath:
path: {{ audit_log_hostpath }}
name: {{ audit_log_name }}
{% endif %}
- hostPath:
path: {{ audit_policy_hostpath }}
name: {{ audit_policy_name }}