From 5a4352657d78e1c67aeb4e14b679a4e5b72a37ba Mon Sep 17 00:00:00 2001
From: rongzhang
Date: Tue, 21 Aug 2018 15:04:04 +0800
Subject: [PATCH] Fix install audit failed 1.fix audit log not write 2.fix Parameter not recognized 3.delete kubedm futuregates auditing and use apiServerExtraArgs
---
 roles/kubernetes/master/defaults/main.yml | 2 +-
 .../master/templates/apiserver-audit-policy.yaml.j2 | 2 +-
 .../master/templates/kubeadm-config.v1alpha2.yaml.j2 | 12 ++++--------
 3 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/roles/kubernetes/master/defaults/main.yml b/roles/kubernetes/master/defaults/main.yml
index bcf780d7e..eeb12b601 100644
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -37,7 +37,7 @@ audit_log_maxsize: 100
 # policy file
 audit_policy_file: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
 # custom audit policy rules (to replace the default ones)
-# audit_policy_custom_rules: >
+# audit_policy_custom_rules: |
 # - level: None
 # users: []
 # verbs: []
diff --git a/roles/kubernetes/master/templates/apiserver-audit-policy.yaml.j2 b/roles/kubernetes/master/templates/apiserver-audit-policy.yaml.j2
index 6f304a0da..861ffda71 100644
--- a/roles/kubernetes/master/templates/apiserver-audit-policy.yaml.j2
+++ b/roles/kubernetes/master/templates/apiserver-audit-policy.yaml.j2
@@ -1,7 +1,7 @@
 apiVersion: audit.k8s.io/v1beta1
 kind: Policy
 rules:
-{% if audit_policy_custom_rules is defined and audit_policy_custom_rules != "" -%}
+{% if audit_policy_custom_rules is defined and audit_policy_custom_rules != "" %}
 {{ audit_policy_custom_rules | indent(2, true) }}
 {% else %}
 # The following requests were manually identified as high-volume and low-risk,
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
index 7a629cb30..68c67db59 100644
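Review bot: In apiserver-audit-policy.yaml.j2 the guard `audit_policy_custom_rules != ""` still accepts a whitespace-only value, which renders `rules:` with no entries while also skipping the built-in default rules in the `{% else %}` branch. Because a custom value replaces the default policy wholesale, I would trim before comparing, `{% if audit_policy_custom_rules is defined and audit_policy_custom_rules | trim != "" %}`, and add a template comment above it such as `{# custom rules fully replace the default policy below; supply a complete rule list #}`. How the API server treats an empty rule list is not visible in this diff, so that behaviour should be confirmed on a test master. The template body continues outside the hunk.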
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
@@ -80,9 +80,9 @@ apiServerExtraArgs:
 allow-privileged: "true"
 {% if kubernetes_audit %}
 audit-log-path: {{ audit_log_path }}
- audit-log-maxage: {{ audit_log_maxage }}
- audit-log-maxbackup: {{ audit_log_maxbackups }}
- audit-log-maxsize: {{ audit_log_maxsize }}
+ audit-log-maxage: "{{ audit_log_maxage }}"
+ audit-log-maxbackup: "{{ audit_log_maxbackups }}"
+ audit-log-maxsize: "{{ audit_log_maxsize }}"
 audit-policy-file: {{ audit_policy_file }}
 {% endif %}
 {% for key in kube_kubeadm_apiserver_extra_args %}
@@ -107,7 +107,7 @@ apiServerExtraVolumes:
 - name: {{ audit_log_name }}
 hostPath: {{ audit_log_hostpath }}
 mountPath: {{ audit_log_mountpath }}
- Writable: true
+ writable: true
 {% endif %}
 {% endif %}
 {% if kube_feature_gates %}
@@ -135,7 +135,3 @@ nodeRegistration:
 taints:
 - effect: NoSchedule
 key: node-role.kubernetes.io/master
-{% if kubernetes_audit %}
-featureGates:
- Auditing: true
-{% endif %}
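Review bot: `audit-log-path: {{ audit_log_path }}` and `audit-policy-file: {{ audit_policy_file }}` are still rendered unquoted beside the three values this change quotes, and the same applies to `name`, `hostPath` and `mountPath` in the apiServerExtraVolumes hunk at -107. A variable that expands to an empty string would render as a YAML null there; whether kubeadm then omits the flag is not visible from this diff, but if it does, audit logging would end up off without any error. I would quote them the same way, e.g. `audit-log-path: "{{ audit_log_path }}"` and `audit-policy-file: "{{ audit_policy_file }}"`. Both mappings start and end outside their hunks.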