minor variable fix and reuse + handle auditlog redirected to stdout

Erwan Miran 2018-08-16 12:51:09 +02:00
parent 364ab2a6b7
commit 58d4d65fab
5 changed files with 19 additions and 9 deletions


@ -26,6 +26,7 @@ force_etcd3: false
# audit support
kubernetes_audit: false
# audit_log_path must not be set to "-" with kubeadm as it only handles a logfile named audit.log
audit_log_path: /var/log/audit/kube-apiserver-audit.log
# num days
audit_log_maxage: 30
@ -39,12 +40,11 @@ audit_policy_file: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.ya
# audit log hostpath
audit_log_name: audit-logs
audit_log_hostpath: /var/log/kubernetes/audit
audit_log_mountpath: /var/log/audit
audit_log_writable: true
audit_log_mountpath: "{{ audit_log_path | dirname }}"
# audit policy hostpath
audit_policy_name: audit-policy
audit_policy_hostpath: /etc/kubernetes/audit-policy
audit_policy_hostpath: "{{ audit_policy_file | dirname }}"
audit_policy_mountpath: "{{ audit_policy_hostpath }}"
# Limits for kube components
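Review bot: `audit_log_mountpath` is now `"{{ audit_log_path | dirname }}"`, which evaluates to an empty string whenever `audit_log_path` has no directory part, including the `-` (stdout) value this commit starts to handle. The comment above `audit_log_path` only covers the kubeadm case, so I would add one at the derived variable, for example `# derived from audit_log_path; empty when audit_log_path is "-" or a bare filename, so only used when a log file is configured`. The same dependency applies to `audit_policy_hostpath`, which now relies on `audit_policy_file` being an absolute path.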


@ -66,13 +66,15 @@
changed_when: false
- name: Create audit-policy directory
file: path={{ kube_config_dir }}/audit-policy state=directory
file:
path: "{{ audit_policy_file | dirname }}"
state: directory
when: kubernetes_audit|default(false)
- name: Write api audit policy yaml
template:
src: apiserver-audit-policy.yaml.j2
dest: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
dest: "{{ audit_policy_file }}"
when: kubernetes_audit|default(false)
- name: gets the kubeadm version
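Review bot: The rewritten `Create audit-policy directory` task and the `Write api audit policy yaml` task set no `owner` or `mode`, so the directory and the policy file get whatever the host umask yields. The audit policy decides which API requests are recorded, so it is worth pinning who may modify it, e.g. `mode: "0755"` on the directory and `owner: root` plus `mode: "0640"` on the template, adjusted to the user the apiserver runs as (not visible here). The same two tasks in the next file section have the same gap. Both task lists continue outside the hunks shown.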


@ -1,6 +1,8 @@
---
- name: Create audit-policy directory
file: path={{ kube_config_dir }}/audit-policy state=directory
file:
path: "{{ audit_policy_file | dirname }}"
state: directory
tags:
- kube-apiserver
when: kubernetes_audit|default(false)
@ -8,7 +10,7 @@
- name: Write api audit policy yaml
template:
src: apiserver-audit-policy.yaml.j2
dest: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
dest: "{{ audit_policy_file }}"
notify: Master | Restart apiserver
tags:
- kube-apiserver


@ -14,7 +14,7 @@ etcd:
keyFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}-key.pem
{% if kubernetes_audit %}
auditPolicy:
logDir: {{ audit_log_path }}
logDir: {{ audit_log_mountpath }}
logMaxAge: {{ audit_log_maxage }}
path: {{ audit_policy_file }}
{% endif %}
@ -93,6 +93,9 @@ apiServerExtraVolumes:
- name: {{ audit_policy_name }}
hostPath: {{ audit_policy_hostpath }}
mountPath: {{ audit_policy_mountpath }}
- name: {{ audit_log_name }}
hostPath: {{ audit_log_hostpath }}
mountPath: {{ audit_log_mountpath }}
{% endif %}
{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
controllerManagerExtraVolumes:
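Review bot: The `{{ audit_log_name }}` entry added to `apiServerExtraVolumes` and the `logDir: {{ audit_log_mountpath }}` line are rendered whenever `kubernetes_audit` is true, without the `audit_log_path != "-"` guard that the static manifest template in this commit uses. With `audit_log_path: "-"` the `dirname` filter returns an empty string, so `logDir:` and `mountPath:` render as empty (null) values and the kubeadm config would presumably be rejected or leave auditing without a log directory. The defaults file documents the restriction in a comment but nothing enforces it; a pre-flight `assert` with `that: audit_log_path != "-"`, applied when audit is enabled on the kubeadm path, would fail early with a clear message. Quoting the templated values, as in `logDir: "{{ audit_log_mountpath }}"`, would also keep an empty expansion a string rather than null.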


@ -193,12 +193,13 @@ spec:
readOnly: true
{% endif %}
{% if kubernetes_audit %}
{% if audit_log_path != "-" %}
- mountPath: {{ audit_log_mountpath }}
name: {{ audit_log_name }}
Writable: true
{% endif %}
- mountPath: {{ audit_policy_mountpath }}
name: {{ audit_policy_name }}
Writable: true
{% endif %}
volumes:
- hostPath:
@ -221,9 +222,11 @@ spec:
name: rhel-ca-bundle
{% endif %}
{% if kubernetes_audit %}
{% if audit_log_path != "-" %}
- hostPath:
path: {{ audit_log_hostpath }}
name: {{ audit_log_name }}
{% endif %}
- hostPath:
path: {{ audit_policy_hostpath }}
name: {{ audit_policy_name }}
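Review bot: `Writable: true` under the volume mounts is not a field of a Kubernetes volumeMount (the field is `readOnly`), so it does not express the intent; the page does not show whether the line under the audit-policy mount survives on the new side. The apiserver only reads the policy file, so the `{{ audit_policy_name }}` mount should carry `readOnly: true`, which keeps a compromised apiserver container from rewriting the policy on the host. The audit-log mount has to stay writable, which is the default, so the `Writable` line there can simply be dropped. The `spec` continues outside both hunks.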