From 166da2ffd05090ea25521300c3f1491e0605fb1c Mon Sep 17 00:00:00 2001 From: Erwan Miran Date: Thu, 13 Sep 2018 17:21:22 +0200 Subject: [PATCH] Document podsecuritypolicy_enabled and kubernetes_audit --- docs/vars.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/vars.md b/docs/vars.md index 41248b036..1a0756169 100644 --- a/docs/vars.md +++ b/docs/vars.md @@ -126,6 +126,17 @@ node_labels: label1_name: label1_value label2_name: label2_value ``` +* *podsecuritypolicy_enabled* - When set to `true`, enables the PodSecurityPolicy admission controller and defines two policies `privileged` (applying to all resources in `kube-system` namespace and kubelet) and `restricted` (applying all other namespaces). + Addons deployed in kube-system namespaces are handled. +* *kubernetes_audit* - When set to `true`, enables Auditing. + The auditing parameters can be tuned via the following variables (which default values are shown below): + * `audit_log_path`: /var/log/audit/kube-apiserver-audit.log + * `audit_log_maxage`: 30 + * `audit_log_maxbackups`: 1 + * `audit_log_maxsize`: 100 + * `audit_policy_file`: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml" + + By default, the `audit_policy_file` contains [default rules](https://github.com/kubernetes-incubator/kubespray/blob/master/roles/kubernetes/master/templates/apiserver-audit-policy.yaml.j2) that can be overriden with the `audit_policy_custom_rules` variable. ##### Custom flags for Kube Components For all kube components, custom flags can be passed in. This allows for edge cases where users need changes to the default deployment that may not be applicable to all deployments. This can be done by providing a list of flags. Example:
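Review bot: The new `podsecuritypolicy_enabled` bullet leaves the scope of the two policies underspecified and has two wording slips; "`restricted` (applying all other namespaces)" should read "(applying to all other namespaces)", and "Addons deployed in kube-system namespaces are handled" does not say how they are handled (presumably they are bound to the `privileged` policy, which is the security-relevant detail an operator needs to know before enabling this). Suggest stating explicitly which policy addons in `kube-system` fall under and, in a sentence, what `restricted` forbids, since that is the protection a reader is deciding to turn on. In the `kubernetes_audit` bullet, "which default values are shown below" should be "whose default values are shown below", "overriden" should be "overridden", and the `audit_policy_file` link points at the `master` branch of the repository, so it will silently drift from the template that a given release actually ships; a repository-relative path (`roles/kubernetes/master/templates/apiserver-audit-policy.yaml.j2`) would stay correct across versions. It would also help to note next to the defaults that `audit_log_maxbackups: 1` together with `audit_log_maxsize: 100` retains only the current log plus one rotated file, which is worth flagging for anyone relying on the audit trail for incident investigation.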