From a7ec0ed587d31d7c136108ffb833a08ec3dd84a3 Mon Sep 17 00:00:00 2001
From: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.com>
Date: Mon, 20 Jul 2020 13:32:54 +0500
Subject: [PATCH] add audit webhook support (#6317)
* add audit webhook support
* use generic name auditsink
---
 roles/kubernetes/master/defaults/main/main.yml | 10 ++++++++++
 roles/kubernetes/master/tasks/kubeadm-setup.yml | 10 ++++++++--
 .../templates/apiserver-webhook-config.yaml.j2 | 14 ++++++++++++++
 .../templates/kubeadm-config.v1beta2.yaml.j2 | 9 ++++++++-
 4 files changed, 40 insertions(+), 3 deletions(-)
 create mode 100644 roles/kubernetes/master/templates/apiserver-webhook-config.yaml.j2
diff --git a/roles/kubernetes/master/defaults/main/main.yml b/roles/kubernetes/master/defaults/main/main.yml
index bf9d1aade..0d861b9ac 100644
--- a/roles/kubernetes/master/defaults/main/main.yml
+++ b/roles/kubernetes/master/defaults/main/main.yml
@@ -76,6 +76,16 @@ audit_policy_name: audit-policy
 audit_policy_hostpath: "{{ audit_policy_file | dirname }}"
 audit_policy_mountpath: "{{ audit_policy_hostpath }}"
+# audit webhook support
+kubernetes_audit_webhook: false
+
+# path to audit webhook config file
+audit_webhook_config_file: "{{ kube_config_dir }}/audit-policy/apiserver-audit-webhook-config.yaml"
+audit_webhook_server_url: "https://audit.app"
+audit_webhook_mode: batch
+audit_webhook_batch_max_size: 100
+audit_webhook_batch_max_wait: 1s
+
 # Limits for kube components
 kube_controller_memory_limit: 512M
 kube_controller_cpu_limit: 250m
diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml
index 920286eab..d739fbc8f 100644
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
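Review bot: `audit_webhook_server_url` defaults to a concrete public-looking hostname, `https://audit.app`, so anyone who sets `kubernetes_audit_webhook: true` without overriding it sends the control plane's audit stream — which can include request and response bodies, depending on the audit policy — to a host the operator does not control. A safer default is an empty value that fails fast, e.g. `audit_webhook_server_url: ""` with the comment `# required when kubernetes_audit_webhook is true; intentionally no default` and an `assert` on it in the setup tasks. The remaining defaults look fine; `100` and `1s` are emitted quoted in the kubeadm template, so the plain scalars here are not a typing trap.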
@@ -80,13 +80,19 @@
 file:
 path: "{{ audit_policy_file | dirname }}"
 state: directory
- when: kubernetes_audit|default(false)
+ when: kubernetes_audit|default(false) or kubernetes_audit_webhook|default(false)
 - name: Write api audit policy yaml
 template:
 src: apiserver-audit-policy.yaml.j2
 dest: "{{ audit_policy_file }}"
- when: kubernetes_audit|default(false)
+ when: kubernetes_audit|default(false) or kubernetes_audit_webhook|default(false)
+
+- name: Write api audit webhook config yaml
+ template:
+ src: apiserver-audit-webhook-config.yaml.j2
+ dest: "{{ audit_webhook_config_file }}"
+ when: kubernetes_audit_webhook|default(false)
 # Nginx LB(default), If kubeadm_config_api_fqdn is defined, use other LB by kubeadm controlPlaneEndpoint.
 - name: set kubeadm_config_api_fqdn define
diff --git a/roles/kubernetes/master/templates/apiserver-webhook-config.yaml.j2 b/roles/kubernetes/master/templates/apiserver-webhook-config.yaml.j2
new file mode 100644
index 000000000..497c247cc
--- /dev/null
+++ b/roles/kubernetes/master/templates/apiserver-webhook-config.yaml.j2
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+ server: {{ audit_webhook_server_url }}
+ name: auditsink
+contexts:
+- context:
+ cluster: auditsink
+ user: ""
+ name: default-context
+current-context: default-context
+preferences: {}
+users: []
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2
index d8f8ada7a..e3b6a4d27 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2
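Review bot: The new task's `src: apiserver-audit-webhook-config.yaml.j2` does not match the template this commit adds, which is `roles/kubernetes/master/templates/apiserver-webhook-config.yaml.j2`, so the task fails with a missing-template error as soon as `kubernetes_audit_webhook` is enabled. Either rename the new file or change the line to `src: apiserver-webhook-config.yaml.j2`. Because this kubeconfig is the natural place for sink credentials later, consider also adding `mode: "0640"` to the `template` call so the file is not world-readable by default. The `file` task whose `when` is widened starts before the hunk.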
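Review bot: `server: {{ audit_webhook_server_url }}` is rendered unquoted, so an empty or indicator-led value produces a YAML shape the apiserver rejects at startup; write it as `server: "{{ audit_webhook_server_url }}"`. The kubeconfig also carries no `certificate-authority` and an empty `users` list, which means the apiserver verifies the sink only against the host's system CA bundle and never authenticates itself, so the sink cannot distinguish a real apiserver from any other client on the network. Wiring optional `certificate-authority` and `client-certificate`/`client-key` entries from new role variables would allow mutual TLS; until then a Jinja comment at the top of the template stating that the sink is trusted via system CAs and receives unauthenticated posts would make the current trust model explicit.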
@@ -169,6 +169,13 @@ apiServer:
 audit-log-maxsize: "{{ audit_log_maxsize }}"
 audit-policy-file: {{ audit_policy_file }}
 {% endif %}
+{% if kubernetes_audit_webhook %}
+ audit-webhook-config-file: {{ audit_webhook_config_file }}
+ audit-policy-file: {{ audit_policy_file }}
+ audit-webhook-mode: {{ audit_webhook_mode }}
+ audit-webhook-batch-max-size: "{{ audit_webhook_batch_max_size }}"
+ audit-webhook-batch-max-wait: "{{ audit_webhook_batch_max_wait }}"
+{% endif %}
 {% for key in kube_kubeadm_apiserver_extra_args %}
 {{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}"
 {% endfor %}
@@ -211,7 +218,7 @@ apiServer:
 hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
 mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
 {% endif %}
-{% if kubernetes_audit %}
+{% if kubernetes_audit or kubernetes_audit_webhook %}
 - name: {{ audit_policy_name }}
 hostPath: {{ audit_policy_hostpath }}
 mountPath: {{ audit_policy_mountpath }}
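Review bot: `audit-policy-file: {{ audit_policy_file }}` is now rendered twice when both `kubernetes_audit` and `kubernetes_audit_webhook` are true — once in the existing block that closes at the `{% endif %}` just above the new lines and again inside the new block — which yields a duplicate key in `extraArgs`; depending on the loader that is either a silent last-wins or a decode error. Wrap the repeated line as `{% if not kubernetes_audit %}` / `audit-policy-file: {{ audit_policy_file }}` / `{% endif %}` inside the new block, or hoist it into one `{% if kubernetes_audit or kubernetes_audit_webhook %}` block. The unquoted `{{ audit_webhook_config_file }}` and `{{ audit_webhook_mode }}` match the existing `audit-policy-file` line's style, so no change there.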
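Review bot: The widened condition mounts only `audit_policy_hostpath`, the directory of `audit_policy_file`; the webhook config is reachable inside the apiserver pod only because `audit_webhook_config_file` defaults into that same `audit-policy` directory. An operator who overrides `audit_webhook_config_file` to another path gets an apiserver that cannot open the file at startup, with nothing in the role pointing at the cause. Either add `{# audit_webhook_config_file must live under audit_policy_hostpath; only that directory is mounted #}` above this block, or mount the webhook file's `dirname` as its own volume. The `extraVolumes` list continues outside the hunk.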