rke2 Enable audit logs of the downstream cluster
Permalink: https://www.xtplayer.cn/rke2/rke2-enable-audit-logs-of-the-downstream-cluster/
This post uses a custom rke2 cluster as the example. Edit the rke2 cluster's YAML and add an audit-policy-file entry under the machineGlobalConfig level. Part of the finished rke2 cluster YAML is shown below. Note that the sample policy records pods at level RequestResponse, which stores full request and response bodies; keep that level off secrets and configmaps, because their contents would otherwise be written into the audit log on the node.
```yaml
# Default audit log output configuration
spec:
  ......
  rkeConfig:
    ......
    machineGlobalConfig:
      audit-policy-file: |
        apiVersion: audit.k8s.io/v1
        kind: Policy
        rules:
          - level: RequestResponse
            resources:
              - group: ""
                resources:
                  - pods
        ......
      kube-apiserver-arg:
        - audit-log-maxage=30
        - audit-log-maxbackup=30
        - audit-log-maxsize=100
      kube-scheduler-arg: []
    ......
```
Once this configuration is applied, the content of audit-policy-file is written automatically to /var/lib/rancher/rke2/etc/config-files/audit-policy-file on the server nodes, and that file is mounted automatically into the kube-apiserver pod.
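The post's policy is cut short after the pods rule, and pods at RequestResponse is a reasonable choice. The same level applied to Secrets or ConfigMaps would copy their contents into the audit log on the node, so a policy has to say explicitly which objects get bodies and which get metadata only. Below is an added, complete audit-policy-file for the same machineGlobalConfig block. It is an example written for this page, not the post's or rke2's own configuration, and the resource selection (which objects deserve full bodies) is an assumption to adjust for your cluster. Rules are evaluated top to bottom and the first match wins, so the narrow None and Metadata rules sit above the broad ones.

```yaml
# Added example: a complete audit policy for machineGlobalConfig.
# Not the post's configuration; the resource choices are assumptions.
spec:
  rkeConfig:
    machineGlobalConfig:
      audit-policy-file: |
        apiVersion: audit.k8s.io/v1
        kind: Policy
        # Drop the RequestReceived copy of every event; once the response is
        # logged it only doubles the volume.
        omitStages:
          - RequestReceived
        rules:
          # Probes and version checks are noise.
          - level: None
            nonResourceURLs:
              - /healthz*
              - /readyz*
              - /livez*
              - /version
          # Secrets and similar objects: record who touched what, never the bodies.
          - level: Metadata
            resources:
              - group: ""
                resources: ["secrets", "configmaps", "serviceaccounts/token"]
              - group: authentication.k8s.io
                resources: ["tokenreviews"]
          # Interactive access to pods: keep the full request.
          - level: RequestResponse
            verbs: ["create"]
            resources:
              - group: ""
                resources: ["pods/exec", "pods/attach", "pods/portforward"]
          # Pods (as in the post) and workload controllers: full bodies.
          - level: RequestResponse
            resources:
              - group: ""
                resources: ["pods"]
              - group: apps
                resources: ["deployments", "daemonsets", "statefulsets"]
          # RBAC changes are small and security-relevant: full bodies.
          - level: RequestResponse
            resources:
              - group: rbac.authorization.k8s.io
          # Everything else: metadata only.
          - level: Metadata
      kube-apiserver-arg:
        - audit-log-maxage=30
        - audit-log-maxbackup=30
        - audit-log-maxsize=100
```

The ordering matters: if the catch-all Metadata rule were placed first, every later rule would be dead, and if the Secrets rule came after the apps/pods rules nothing would change for Secrets, but a later "log everything at RequestResponse" rule would silently start writing Secret data to disk.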
(Optional) Run `source <(crictl completion bash)` to enable shell completion, which makes typing crictl commands easier.
The following commands show that audit-log-path defaults to /var/lib/rancher/rke2/server/logs/audit.log:
```bash
export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
crictl inspect $(crictl ps | grep kube-apiserver | awk '{print $1}') | grep audit-log-path
```

With the grep in place only the `--audit-log-path` line is printed; the `args` array it comes from is reproduced here, because it also shows the values rke2 sets on its own:

```
"args": [
  "--admission-control-config-file=/etc/rancher/rke2/rke2-pss.yaml",
  "--audit-policy-file=/var/lib/rancher/rke2/etc/config-files/audit-policy-file",
  "--audit-log-maxage=30",
  "--audit-log-maxbackup=10",
  "--audit-log-maxsize=100",
  "--audit-log-path=/var/lib/rancher/rke2/server/logs/audit.log",
  "--allow-privileged=true",
  "--anonymous-auth=false",
  "--api-audiences=https://kubernetes.default.svc.cluster.local,rke2",
  "--audit-log-maxage=30",
  "--audit-log-maxbackup=30",
  "--audit-log-maxsize=100",
  "--authorization-mode=Node,RBAC",
  "--bind-address=0.0.0.0",
  "--cert-dir=/var/lib/rancher/rke2/server/tls/temporary-certs",
  "--client-ca-file=/var/lib/rancher/rke2/server/tls/client-ca.crt",
  "--egress-selector-config-file=/var/lib/rancher/rke2/server/etc/egress-selector-config.yaml",
  "--enable-admission-plugins=NodeRestriction",
  "--enable-aggregator-routing=true",
  ......
```
To limit the size and number of log files, add kube-apiserver-arg entries for the relevant flags; see https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#log-backend. The inspect output above shows why this works: rke2 puts its own values first (audit-log-maxbackup=10 among them) and appends the values from kube-apiserver-arg after them, and kube-apiserver takes the last value of a flag that is given more than once, so the appended values are the ones in effect.
To customize the audit log file path, add an audit-log-path parameter under kube-apiserver-arg to specify the output path, and then add a kube-apiserver-extra-mount entry that mounts the host directory into the kube-apiserver pod so that the data persists. Without the mount the path is inside the container's filesystem and the log is lost when the container is recreated. Because audit events contain request bodies, it is good practice to create the host directory on each server node beforehand with restrictive permissions (root-owned, mode 0700).
```yaml
# Custom audit log output path configuration
spec:
  ......
  rkeConfig:
    ......
    machineGlobalConfig:
      audit-policy-file: |
        apiVersion: audit.k8s.io/v1
        kind: Policy
        rules:
          - level: RequestResponse
            resources:
              - group: ""
                resources:
                  - pods
        ......
      kube-apiserver-arg:
        - audit-log-path=/var/log/kubernetes/audit/audit.json
        - audit-log-maxage=30
        - audit-log-maxbackup=30
        - audit-log-maxsize=100
        - audit-log-format=json
      kube-scheduler-arg: []
      kube-apiserver-extra-mount:
        - /var/log/kubernetes/audit/:/var/log/kubernetes/audit/
    ......
```
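Once the log is being written, whether at the default path or at the custom one above, the next step is to read it back and confirm the policy does what was intended. The script below is an added example for this page, not code from the post or from rke2: it parses the JSON-lines audit file, drops the RequestReceived duplicates, and runs three checks that matter for a fresh audit setup: whether any Secret body reached the log (a sign the policy level on secrets is too high), who opened exec/attach/portforward sessions into pods, and which non-system users read Secrets, including denied attempts. The SAMPLE events are constructed for the example in the audit.k8s.io/v1 Event shape and do not come from a real cluster.

```python
"""Triage checks over the JSON-lines audit log that rke2's kube-apiserver writes.

Added example, not part of the original post and not rke2 code. Reads the file
named by --audit-log-path (default /var/lib/rancher/rke2/server/logs/audit.log)
and asks: did Secret bodies reach the log, who opened exec/attach/portforward
sessions, and which non-system users read Secrets. SAMPLE is constructed for
this example in the audit.k8s.io/v1 Event shape; it is not from a real cluster.
"""
import json
import sys

def _ev(aid, level, stage, verb, user, ref, code=None, body=None):
    """Build one constructed audit.k8s.io/v1 Event as a JSON line."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": aid,
          "level": level, "stage": stage, "verb": verb,
          "user": {"username": user}, "objectRef": ref}
    if code is not None:
        ev["responseStatus"] = {"code": code}
    if body is not None:
        ev["responseObject"] = body
    return json.dumps(ev)

SAMPLE = "\n".join([
    _ev("a1", "RequestResponse", "ResponseComplete", "get", "admin",
        {"resource": "pods", "namespace": "kube-system", "name": "etcd-node1"}, 200, {"kind": "Pod"}),
    _ev("a2", "Metadata", "ResponseComplete", "get", "system:serviceaccount:kube-system:coredns",
        {"resource": "secrets", "namespace": "kube-system", "name": "coredns-token"}, 200),
    # RequestReceived copy of a3, present when omitStages does not drop it.
    _ev("a3", "RequestResponse", "RequestReceived", "get", "alice",
        {"resource": "secrets", "namespace": "prod", "name": "db-creds"}),
    # Secret read logged at RequestResponse level: the base64 payload is now on disk.
    _ev("a3", "RequestResponse", "ResponseComplete", "get", "alice",
        {"resource": "secrets", "namespace": "prod", "name": "db-creds"}, 200,
        {"kind": "Secret", "data": {"password": "c2VjcmV0"}}),
    _ev("a4", "RequestResponse", "ResponseComplete", "create", "bob",
        {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "api-7c9d"}, 101),
    _ev("a5", "Metadata", "ResponseComplete", "list", "carol",
        {"resource": "secrets", "namespace": "prod"}, 403),
    "this line is not JSON and must not abort the run",
])

def parse_audit_log(text):
    """Return (events, bad_line_count); RequestReceived copies are dropped."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if ev.get("kind") != "Event" or "verb" not in ev:
            bad += 1
        elif ev.get("stage") != "RequestReceived":
            events.append(ev)
    return events, bad

def _ref(ev):
    return ev.get("objectRef") or {}

def _user(ev):
    return (ev.get("user") or {}).get("username", "")

def leaked_secret_bodies(events):
    """Secrets whose request/response body is in the log: level too high."""
    return [(ev["auditID"], _user(ev)) for ev in events
            if _ref(ev).get("resource") == "secrets"
            and ("requestObject" in ev or "responseObject" in ev)]

def interactive_pod_access(events):
    """exec/attach/portforward sessions; only visible if the policy covers them."""
    return [(_user(ev), f"{_ref(ev).get('namespace')}/{_ref(ev).get('name')}", _ref(ev)["subresource"])
            for ev in events
            if ev.get("verb") == "create" and _ref(ev).get("resource") == "pods"
            and _ref(ev).get("subresource") in ("exec", "attach", "portforward")]

def human_secret_reads(events):
    """Secret get/list/watch by non-system principals, with the HTTP status."""
    return [(_user(ev), _ref(ev).get("namespace"), ev["verb"],
             (ev.get("responseStatus") or {}).get("code"))
            for ev in events
            if _ref(ev).get("resource") == "secrets"
            and ev["verb"] in ("get", "list", "watch")
            and not _user(ev).startswith("system:")]

def main(path=None):
    events, bad = parse_audit_log(open(path).read() if path else SAMPLE)
    print(f"{len(events)} events, {bad} unparseable lines")
    print("Secret bodies in log:", leaked_secret_bodies(events))
    print("Interactive pod sessions:", interactive_pod_access(events))
    print("Secret reads by non-system users:", human_secret_reads(events))

if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it on a server node as `python3 audit_check.py /var/lib/rancher/rke2/server/logs/audit.log` (or the custom path). On the constructed sample the first check reports event a3 by alice, which is exactly the condition a Metadata rule for secrets prevents; the third check lists carol's denied list with status 403, which is worth keeping visible because failed enumeration of Secrets is as interesting as a successful read.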