SYS-632 k8s audit log

instantlinux · Dec 31, 2024 · 1a5fdec · 1a5fdec
1 parent 1eb33ad
commit 1a5fdec
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/ansible/roles/kubernetes/tasks/cplane.yml b/ansible/roles/kubernetes/tasks/cplane.yml
@@ -71,6 +71,12 @@
     dest: /etc/kubernetes/pki/secrets.conf
     mode: 0600
 
+- name: Configure audit log
+  ansible.builtin.template:
+    src: audit-policies.yaml.j2
+    dest: /etc/kubernetes/audit-policies.yaml
+    mode: 0644
+
 - name: Adjust kube-apiserver config - encrypt etcd values
   ansible.builtin.lineinfile:
     path: /etc/kubernetes/manifests/kube-apiserver.yaml

diff --git a/ansible/roles/kubernetes/templates/kubeadm-config-cplane.j2 b/ansible/roles/kubernetes/templates/kubeadm-config-cplane.j2
@@ -1,5 +1,5 @@
 ---
-# This file generated by ansible
+{{ ansible_managed | comment }}
 #
 apiVersion: kubeadm.k8s.io/v1beta4
 kind: InitConfiguration
@@ -40,6 +40,14 @@ apiServer:
   - {{ k8s.cplane_hostip }}
   - {{ k8s.cplane_vip }}
   extraArgs:
+  - name: audit-log-maxbackup
+    value: "2"
+  - name: audit-log-maxsize
+    value: "100"
+  - name: audit-log-path
+    value: /var/log/audit.log
+  - name: audit-policy-file
+    value: /etc/kubernetes/audit-policies.yaml
   - name: encryption-provider-config
     value: /etc/kubernetes/pki/secrets.conf
   - name: oidc-issuer-url
@@ -54,6 +62,16 @@ apiServer:
     value: {{ oidc.username_prefix }}
   - name: oidc-groups-prefix
     value: {{ oidc.group_prefix }}
+  extraVolumes:
+  - name: audit
+    hostPath: /etc/kubernetes/audit-policies.yaml
+    mountPath: /etc/kubernetes/audit.yaml
+    readOnly: true
+    pathType: File
+  - name: auditlog
+    hostPath: /var/log/private/audit.log
+    mountPath: /var/log/audit.log
+    pathType: File
 dns:
   # Workaround for bug 112131; never got fixed as of k8s 1.31:
   # https://github.com/kubernetes/kubernetes/issues/112131