Permanent link to this article: https://www.xtplayer.cn/rke2/rke2-enable-audit-logs-of-the-downstream-cluster/

This article uses a custom RKE2 cluster as its example. Edit the RKE2 cluster YAML and add an audit-policy-file entry under the machineGlobalConfig level. Below is the relevant part of an RKE2 cluster YAML with this configured.

# Default audit log output configuration
spec:
  ......
  rkeConfig:
    ......
    machineGlobalConfig:
      audit-policy-file: |
        apiVersion: audit.k8s.io/v1
        kind: Policy
        rules:
        - level: RequestResponse
          resources:
          - group: ""
            resources:
            - pods
      ......
      kube-apiserver-arg:
        - audit-log-maxage=30
        - audit-log-maxbackup=30
        - audit-log-maxsize=100
      kube-scheduler-arg: []
    ......

Once the configuration above is applied, the audit-policy-file content is written automatically to /var/lib/rancher/rke2/etc/config-files/audit-policy-file on each server node, and that file is mounted automatically into the kube-apiserver pod.

Optionally, run source <(crictl completion bash) to enable shell completion, which makes typing crictl commands easier.

The following command shows that the default audit-log-path is /var/lib/rancher/rke2/server/logs/audit.log:

export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
crictl inspect $(crictl ps | grep kube-apiserver | awk '{print $1}') | grep audit-log-path
---
"args": [
"--admission-control-config-file=/etc/rancher/rke2/rke2-pss.yaml",
"--audit-policy-file=/var/lib/rancher/rke2/etc/config-files/audit-policy-file",
"--audit-log-maxage=30",
"--audit-log-maxbackup=10",
"--audit-log-maxsize=100",
"--audit-log-path=/var/lib/rancher/rke2/server/logs/audit.log",
"--allow-privileged=true",
"--anonymous-auth=false",
"--api-audiences=https://kubernetes.default.svc.cluster.local,rke2",
"--audit-log-maxage=30",
"--audit-log-maxbackup=30",
"--audit-log-maxsize=100",
"--authorization-mode=Node,RBAC",
"--bind-address=0.0.0.0",
"--cert-dir=/var/lib/rancher/rke2/server/tls/temporary-certs",
"--client-ca-file=/var/lib/rancher/rke2/server/tls/client-ca.crt",
"--egress-selector-config-file=/var/lib/rancher/rke2/server/etc/egress-selector-config.yaml",
"--enable-admission-plugins=NodeRestriction",
"--enable-aggregator-routing=true",

To limit the size and number of log files, add the relevant parameters under kube-apiserver-arg in the configuration; see https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#log-backend

To use a custom audit log file path, add the audit-log-path parameter under kube-apiserver-arg to set the output path, then add a kube-apiserver-extra-mount entry that mounts the host directory into the kube-apiserver pod so the log data is persisted on the node.

# Custom audit log output path configuration
spec:
  ......
  rkeConfig:
    ......
    machineGlobalConfig:
      audit-policy-file: |
        apiVersion: audit.k8s.io/v1
        kind: Policy
        rules:
        - level: RequestResponse
          resources:
          - group: ""
            resources:
            - pods
      ......
      kube-apiserver-arg:
        - audit-log-path=/var/log/kubernetes/audit/audit.json
        - audit-log-maxage=30
        - audit-log-maxbackup=30
        - audit-log-maxsize=100
        - audit-log-format=json
      kube-scheduler-arg: []
      kube-apiserver-extra-mount:
        - /var/log/kubernetes/audit/:/var/log/kubernetes/audit/
    ......
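With audit-log-format=json set as above, every line of audit.json is one audit.k8s.io/v1 Event. The script below is an added example, not code from the original post or from RKE2; it parses such lines from constructed sample events (not taken from any real cluster), keeps only the final stage recorded per auditID, summarizes pod activity per user, and flags the events a reviewer would look at first: pod exec/attach sessions, pod deletions by non-system users, and denied requests. The flagging rules and the sample data are assumptions of this example; the event field names follow the Kubernetes audit Event schema.

```python
import json
from collections import Counter

# Constructed sample lines in the format kube-apiserver writes with
# audit-log-format=json (one Event per line). Not real events from any cluster.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"alice","groups":["system:authenticated"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"default","name":"web-1","apiVersion":"v1"},"responseStatus":{"code":201},"requestObject":{"kind":"Pod"},"responseObject":{"kind":"Pod"},"requestReceivedTimestamp":"2024-01-01T10:00:00.000000Z","stageTimestamp":"2024-01-01T10:00:00.010000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a2","stage":"ResponseStarted","requestURI":"/api/v1/namespaces/default/pods/web-1/exec?command=sh","verb":"create","user":{"username":"bob","groups":["system:authenticated"]},"sourceIPs":["10.0.0.9"],"objectRef":{"resource":"pods","namespace":"default","name":"web-1","subresource":"exec","apiVersion":"v1"},"responseStatus":{"code":101},"requestReceivedTimestamp":"2024-01-01T10:01:00.000000Z","stageTimestamp":"2024-01-01T10:01:00.020000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods/web-1","verb":"delete","user":{"username":"system:serviceaccount:kube-system:deployment-controller","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.0.1"],"objectRef":{"resource":"pods","namespace":"default","name":"web-1","apiVersion":"v1"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-01-01T10:02:00.000000Z","stageTimestamp":"2024-01-01T10:02:00.005000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods/web-2","verb":"delete","user":{"username":"alice","groups":["system:authenticated"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"default","name":"web-2","apiVersion":"v1"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2024-01-01T10:03:00.000000Z","stageTimestamp":"2024-01-01T10:03:00.003000Z"}
this line is not json and must be skipped, not abort the run
"""

# Audit stages in the order the apiserver emits them for one request.
STAGE_ORDER = {"RequestReceived": 0, "ResponseStarted": 1, "ResponseComplete": 2, "Panic": 3}
# Pod subresources that open an interactive session into a container.
INTERACTIVE_SUBRESOURCES = {"exec", "attach", "portforward"}


def parse_audit_events(text):
    """Parse newline-delimited JSON audit events, keeping the latest stage per auditID.

    Long-running requests (exec, watch) are logged at ResponseStarted and again at
    ResponseComplete; deduplicating on auditID avoids double counting them.
    Malformed lines and non-Event objects are skipped."""
    latest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict) or ev.get("kind") != "Event":
            continue
        aid = ev.get("auditID")
        if aid is None:
            continue
        prev = latest.get(aid)
        if prev is None or STAGE_ORDER.get(ev.get("stage"), -1) >= STAGE_ORDER.get(prev.get("stage"), -1):
            latest[aid] = ev
    return sorted(latest.values(), key=lambda e: e.get("requestReceivedTimestamp", ""))


def target_of(ev):
    """Return 'resource' or 'resource/subresource' from the event's objectRef."""
    ref = ev.get("objectRef") or {}
    res = ref.get("resource", "")
    sub = ref.get("subresource")
    return f"{res}/{sub}" if sub else res


def summarize(events):
    """Count requests by (username, verb, target)."""
    return Counter(
        (ev.get("user", {}).get("username", "?"), ev.get("verb", "?"), target_of(ev))
        for ev in events
    )


def flag_events(events):
    """Return (auditID, reason) pairs for events worth a reviewer's attention.

    The rules here are this example's assumptions, not a standard ruleset."""
    flagged = []
    for ev in events:
        aid = ev["auditID"]
        user = ev.get("user", {}).get("username", "?")
        ref = ev.get("objectRef") or {}
        where = f"{ref.get('namespace')}/{ref.get('name')}"
        code = (ev.get("responseStatus") or {}).get("code")
        if ref.get("resource") == "pods" and ref.get("subresource") in INTERACTIVE_SUBRESOURCES:
            flagged.append((aid, f"{user} opened pods/{ref['subresource']} on {where}"))
        if ev.get("verb") == "delete" and not user.startswith("system:"):
            flagged.append((aid, f"{user} deleted {target_of(ev)} {where}"))
        if code in (401, 403):
            flagged.append((aid, f"{user} denied ({code}) on {ev.get('verb')} {target_of(ev)}"))
    return flagged


if __name__ == "__main__":
    # Replace SAMPLE_AUDIT_LOG with open("/var/log/kubernetes/audit/audit.json").read()
    # on a server node to run this against the path configured above.
    evs = parse_audit_events(SAMPLE_AUDIT_LOG)
    for key, n in sorted(summarize(evs).items()):
        print(f"{n:4d}  {key[0]}  {key[1]}  {key[2]}")
    for aid, reason in flag_events(evs):
        print(f"FLAG {aid}: {reason}")
```

Because the policy above records pods at RequestResponse level, the create event carries requestObject and responseObject, so the full Pod spec is available in the log; for resources whose bodies hold credentials this is the reason a Metadata level rule is usually preferred, which the policy would need to state explicitly.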