C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #3133 from mirwan/auditlog_to_stdout_w_kubeadm

Browse source 
Audit log to stdout with kubeadm
This commit is contained in:
Andreas Krüger 2018-08-20 10:43:22 +02:00 committed by GitHub
commit c7de737551
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
roles/kubernetes/master/defaults/main.yml
View file

@ -26,7 +26,7 @@ force_etcd3: false
# audit support # audit support
kubernetes_audit: false kubernetes_audit: false
# audit_log_path must not be set to "-" with kubeadm as it only handles a logfile named audit.log # path to audit log file
audit_log_path: /var/log/audit/kube-apiserver-audit.log audit_log_path: /var/log/audit/kube-apiserver-audit.log
# num days # num days
audit_log_maxage: 30 audit_log_maxage: 30

25
roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
View file

@ -12,12 +12,6 @@ etcd:
caFile: {{ kube_config_dir }}/ssl/etcd/ca.pem caFile: {{ kube_config_dir }}/ssl/etcd/ca.pem
certFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}.pem certFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}.pem
keyFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}-key.pem keyFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}-key.pem
{% if kubernetes_audit %}
auditPolicy:
logDir: {{ audit_log_hostpath }}
logMaxAge: {{ audit_log_maxage }}
path: {{ audit_policy_file }}
{% endif %}
networking: networking:
dnsDomain: {{ dns_domain }} dnsDomain: {{ dns_domain }}
serviceSubnet: {{ kube_service_addresses }} serviceSubnet: {{ kube_service_addresses }}
@ -81,6 +75,13 @@ apiServerExtraArgs:
runtime-config: {{ kube_api_runtime_config | join(',') }} runtime-config: {{ kube_api_runtime_config | join(',') }}
{% endif %} {% endif %}
allow-privileged: "true" allow-privileged: "true"
{% if kubernetes_audit %}
audit-log-path: {{ audit_log_path }}
audit-log-maxage: {{ audit_log_maxage }}
audit-log-maxbackup: {{ audit_log_maxbackups }}
audit-log-maxsize: {{ audit_log_maxsize }}
audit-policy-file: {{ audit_policy_file }}
{% endif %}
{% for key in kube_kubeadm_apiserver_extra_args %} {% for key in kube_kubeadm_apiserver_extra_args %}
{{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}" {{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}"
{% endfor %} {% endfor %}
@ -94,6 +95,18 @@ controllerManagerExtraVolumes:
hostPath: "{{ kube_config_dir }}/openstack-cacert.pem" hostPath: "{{ kube_config_dir }}/openstack-cacert.pem"
mountPath: "{{ kube_config_dir }}/openstack-cacert.pem" mountPath: "{{ kube_config_dir }}/openstack-cacert.pem"
{% endif %} {% endif %}
{% if kubernetes_audit %}
apiServerExtraVolumes:
- name: {{ audit_policy_name }}
hostPath: {{ audit_policy_hostpath }}
mountPath: {{ audit_policy_mountpath }}
{% if audit_log_path != "-" %}
- name: {{ audit_log_name }}
hostPath: {{ audit_log_hostpath }}
mountPath: {{ audit_log_mountpath }}
Writable: true
{% endif %}
{% endif %}
{% if kube_feature_gates %} {% if kube_feature_gates %}
feature-gates: {{ kube_feature_gates|join(',') }} feature-gates: {{ kube_feature_gates|join(',') }}
{% endif %} {% endif %}