From f77aec9411d428dcd7ff585a8d39d92bda5c15f8 Mon Sep 17 00:00:00 2001 From: Peter Idah Date: Fri, 2 Feb 2018 19:20:35 +0000 Subject: [PATCH 1/2] add default audit policy --- .../kubernetesmaster-audit-policy.yaml | 62 +++++++++++++++++++ pkg/acsengine/addons.go | 5 ++ pkg/acsengine/defaults-apiserver.go | 7 ++- 3 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 parts/k8s/manifests/kubernetesmaster-audit-policy.yaml diff --git a/parts/k8s/manifests/kubernetesmaster-audit-policy.yaml b/parts/k8s/manifests/kubernetesmaster-audit-policy.yaml new file mode 100644 index 0000000000..9738ae1a31 --- /dev/null +++ b/parts/k8s/manifests/kubernetesmaster-audit-policy.yaml 
@@ -0,0 +1,62 @@ +apiVersion: audit.k8s.io/v1beta1 # This is required. +kind: Policy +# Don't generate audit events for all requests in RequestReceived stage. +omitStages: + - "RequestReceived" +rules: + # Log pod changes at RequestResponse level + - level: RequestResponse + resources: + - group: "" + # Resource "pods" doesn't match requests to any subresource of pods, + # which is consistent with the RBAC policy. + resources: ["pods"] + + # Log "pods/log", "pods/status" at Metadata level + - level: Metadata + resources: + - group: "" + resources: ["pods/log", "pods/status"] + + # Don't log watch requests by the "system:kube-proxy" on endpoints or services + - level: None + users: ["system:kube-proxy"] + verbs: ["watch"] + resources: + - group: "" # core API group + resources: ["endpoints", "services"] + + # Don't log authenticated requests to certain non-resource URL paths. + - level: None + userGroups: ["system:authenticated"] + nonResourceURLs: + - "/api*" # Wildcard matching. + - "/version" + + # Log the request body of configmap changes in kube-system. + - level: Request + resources: + - group: "" # core API group + resources: ["configmaps"] + # This rule only applies to resources in the "kube-system" namespace. + # The empty string "" can be used to select non-namespaced resources. + namespaces: ["kube-system"] + + # Log the request body of secret changes. + - level: Request + resources: + - group: "" # core API group + resources: ["secrets"] + + # Log all other resources in core and extensions at the Request level. + - level: Request + resources: + - group: "" # core API group + - group: "extensions" # Version of group should NOT be included. + + # A catch-all rule to log all other requests at the Metadata level. + - level: Metadata + # Long-running requests like watches that fall under this rule will not + # generate an audit event in RequestReceived. + omitStages: + - "RequestReceived" 
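Review bot: The `secrets` rule is at `Request` level, so every create, update or patch of a Secret writes the request body — the Secret's `data` — into the apiserver audit log (`/var/log/audit.log` per the defaults-apiserver.go hunk), and the `kube-system` configmaps rule does the same for configmap contents; an audit log is typically shipped to places a Secret should never reach. The upstream Kubernetes sample policy deliberately keeps Secrets and ConfigMaps at `Metadata` for this reason. Change the secrets rule to `- level: Metadata` (and consider the same for the configmaps rule), with a comment such as `# Metadata only: a Request-level entry would copy the secret's data into the audit log.` The `RequestResponse` rule on pods also records full pod specs, which can carry inline `env` values, so that trade-off deserves a comment too.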
diff --git a/pkg/acsengine/addons.go b/pkg/acsengine/addons.go index b5c5d9186d..bd515f9d78 100644 --- a/pkg/acsengine/addons.go +++ b/pkg/acsengine/addons.go @@ -96,6 +96,11 @@ func kubernetesManifestSettingsInit(profile *api.Properties) []kubernetesFeature "pod-security-policy.yaml", helpers.IsTrueBoolPointer(profile.OrchestratorProfile.KubernetesConfig.EnablePodSecurityPolicy), }, + { + "kubernetesmaster-audit-policy.yaml", + "audit-policy.yaml", + isKubernetesVersionGe(profile.OrchestratorProfile.OrchestratorVersion, "1.8.0"), + }, { "kubernetesmaster-kube-apiserver.yaml", "kube-apiserver.yaml", diff --git a/pkg/acsengine/defaults-apiserver.go b/pkg/acsengine/defaults-apiserver.go index 33637e86e5..7de96e0d8a 100644 --- a/pkg/acsengine/defaults-apiserver.go +++ b/pkg/acsengine/defaults-apiserver.go @@ -17,7 +17,7 @@ func setAPIServerConfig(cs *api.ContainerService) { "--audit-log-maxage": "30", "--audit-log-maxbackup": "10", "--audit-log-maxsize": "100", - "--audit-log-path": "/var/log/apiserver/audit.log", + "--audit-log-path": "/var/log/audit.log", "--insecure-port": "8080", "--secure-port": "443", "--service-account-lookup": "true", @@ -73,6 +73,11 @@ func setAPIServerConfig(cs *api.ContainerService) { staticLinuxAPIServerConfig["--oidc-issuer-url"] = "https://" + issuerHost + "/" + cs.Properties.AADProfile.TenantID + "/" } + // Audit Policy configuration + if isKubernetesVersionGe(o.OrchestratorVersion, "1.8.0") { + staticLinuxAPIServerConfig["--audit-policy-file"] = "/etc/kubernetes/manifests/audit-policy.yaml" + } + staticWindowsAPIServerConfig := make(map[string]string) for key, val := range staticLinuxAPIServerConfig { staticWindowsAPIServerConfig[key] = val From 5ce35ba26f24b200d685b163b66f85ca40401775 Mon Sep 17 00:00:00 2001 
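Review bot: The `isKubernetesVersionGe(..., "1.8.0")` gate on the new manifest entry is repeated verbatim in defaults-apiserver.go, where the same comparison decides whether `--audit-policy-file` is passed; if one copy is edited and the other is not, the apiserver is started pointing at a policy file that was never written, and as far as I recall kube-apiserver refuses to start when it cannot load the policy file. Derive both from one place, e.g. `func auditPolicySupported(version string) bool { return isKubernetesVersionGe(version, "1.8.0") }` used by both call sites. The enclosing `kubernetesManifestSettingsInit` continues outside the hunk.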
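Review bot: `--audit-log-path` moves from `/var/log/apiserver/audit.log` to `/var/log/audit.log`, but the docs table touched by the second patch still carries the old path as an unchanged context line, so clusterdefinition.md now documents a location the apiserver does not write to; update that row to `|"--audit-log-path"|"/var/log/audit.log"|`. The commit message gives no reason for the move, so a why-comment on the line would help, e.g. `// path inside the apiserver pod; must match the hostPath volume that exposes it on the master`. Which volume backs that path is not visible here — if it is not a host mount, rotated files from `--audit-log-maxbackup` pile up in the container's writable layer and disappear on restart, so please confirm. Because the new policy records Secret request bodies, the file's ownership and mode on the host matter as well.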
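Review bot: `--audit-policy-file` is added to `staticLinuxAPIServerConfig`, which the docs describe as the options that are not user-configurable, yet the second patch's docs table gets no row for it — add `|"--audit-policy-file"|"/etc/kubernetes/manifests/audit-policy.yaml" (*k8s 1.8+*)|` to the non-configurable list, and state whether operators who need a stricter or looser policy have any override. The static map is copied wholesale into `staticWindowsAPIServerConfig` a few lines down, so this Linux path reaches the Windows config unless something below the hunk overrides it, which I cannot see from here. The policy lands in `/etc/kubernetes/manifests`, the kubelet's static-pod directory, where the kubelet tries to parse every file as a Pod and, as far as I recall, logs an error for a `kind: Policy` file; `/etc/kubernetes/audit-policy.yaml` would be cleaner, though `pod-security-policy.yaml` in addons.go already follows the same pattern. A one-line why-comment would also help: `// --audit-policy-file needs advanced auditing, which acs-engine relies on from 1.8 onward.`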
From: Jack Francis Date: Tue, 6 Feb 2018 09:07:11 -0800 Subject: [PATCH 2/2] apiserver audit log rotation is user-configurable --- docs/clusterdefinition.md | 6 +++--- pkg/acsengine/defaults-apiserver.go | 10 +++++----- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/clusterdefinition.md b/docs/clusterdefinition.md index 58aba94d80..b8442f4ef8 100644 --- a/docs/clusterdefinition.md +++ b/docs/clusterdefinition.md @@ -293,6 +293,9 @@ Below is a list of apiserver options that acs-engine will configure by default: |---|---| |"--admission-control"|"NamespaceLifecycle, LimitRanger, ServiceAccount, DefaultStorageClass, ResourceQuota, DenyEscalatingExec, AlwaysPullImages, SecurityContextDeny"| |"--authorization-mode"|"Node", "RBAC" (*the latter if enabledRbac is true*)| +|"--audit-log-maxage"|"30"| +|"--audit-log-maxbackup"|"10"| +|"--audit-log-maxsize"|"100"| |"--feature-gates"|No default (can be a comma-separated list)| @@ -304,9 +307,6 @@ Below is a list of apiserver options that are *not* currently user-configurable, |"--advertise-address"|*calculated value that represents listening URI for API server*| |"--allow-privileged"|"true"| |"--anonymous-auth"|"false| -|"--audit-log-maxage"|"30"| -|"--audit-log-maxbackup"|"10"| -|"--audit-log-maxsize"|"100"| |"--audit-log-path"|"/var/log/apiserver/audit.log"| |"--insecure-port"|"8080"| |"--secure-port"|"443"| diff --git a/pkg/acsengine/defaults-apiserver.go b/pkg/acsengine/defaults-apiserver.go index 7de96e0d8a..91e06f5686 100644 --- a/pkg/acsengine/defaults-apiserver.go +++ b/pkg/acsengine/defaults-apiserver.go @@ -14,9 +14,6 @@ func setAPIServerConfig(cs *api.ContainerService) { "--advertise-address": "", "--allow-privileged": "true", "--anonymous-auth": "false", - "--audit-log-maxage": "30", - "--audit-log-maxbackup": "10", - "--audit-log-maxsize": "100", "--audit-log-path": "/var/log/audit.log", "--insecure-port": "8080", "--secure-port": "443", 
@@ -87,8 +84,11 @@ func setAPIServerConfig(cs *api.ContainerService) { // Default apiserver config defaultAPIServerConfig := map[string]string{ - "--admission-control": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DenyEscalatingExec,AlwaysPullImages", - "--authorization-mode": "Node", + "--admission-control": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DenyEscalatingExec,AlwaysPullImages", + "--authorization-mode": "Node", + "--audit-log-maxage": "30", + "--audit-log-maxbackup": "10", + "--audit-log-maxsize": "100", } // RBAC configuration
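Review bot: Moving the three `--audit-log-max*` entries into `defaultAPIServerConfig` makes them user-overridable, but nothing in the hunk documents what an override does to the audit trail: as I understand kube-apiserver's rotation flags, `--audit-log-maxbackup` of 0 keeps every rotated file and `--audit-log-maxage` of 0 disables age-based deletion, while a small `--audit-log-maxsize` with ten backups shrinks the retained forensic window to very little. Add a comment above the three entries, e.g. `// Audit log rotation; overridable via apiServerConfig. Defaults bound the on-disk footprint to roughly (maxbackup+1)*maxsize MB.`, and mirror the 0-means-unbounded note in clusterdefinition.md. Consider having validation at least warn on values that retain less than the defaults, since an over-aggressive rotation silently discards audit records. The enclosing `setAPIServerConfig` continues outside the hunk.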