kind-audit-logging.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
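---
# Source: https://github.com/kubernetes-sigs/kind/pull/457/files#diff-d9fa0450190d60ba133fb92282a94725R118
# enables audit policy on apiserver
#
# kind cluster with one control-plane node and two workers. The audit policy
# file and the audit log file are bind-mounted from the host into the
# control-plane node, then mounted from the node into the kube-apiserver pod.
# NOTE(review): the nesting below was reconstructed from a listing that had
# lost its indentation — confirm against the original file.
kind: Cluster
apiVersion: kind.sigs.k8s.io/v1alpha4
nodes:
  - role: control-plane
    extraMounts:
      # edit ./audit-policy.yaml for audit policy
      # logs will be stored in ./apiserver-audit.log
      # The hostPath values are absolute paths from one workstation; point
      # them at your own checkout before creating the cluster.
      - hostPath: /Users/bhutwala/gocode/src/github.com/yashbhutwala/kind-hacks/audit-policy.yaml
        containerPath: /etc/kubernetes/audit-policy.yaml
        # The node only needs to read the policy; a read-only mount keeps
        # anything running on the node from rewriting it on the host.
        readOnly: true
      # Create this file (empty) on the host before creating the cluster: the
      # apiserver volume below uses pathType File, which requires an existing
      # regular file. Audit entries can contain request and response bodies,
      # depending on the levels set in the audit policy, so keep the host file
      # readable only by the users who need it.
      - hostPath: /Users/bhutwala/gocode/src/github.com/yashbhutwala/kind-hacks/apiserver-audit.log
        containerPath: /var/log/apiserver-audit.log
  - role: worker
  - role: worker
# The patch below sets the two audit flags on kube-apiserver and mounts the
# policy (read-only) and the log file (writable) into its pod.
# NOTE(review): no retention flags (audit-log-maxage, audit-log-maxbackup,
# audit-log-maxsize) are set, so the log grows without bound. Rotating a
# single bind-mounted file may not work; mounting a log directory instead is
# the usual alternative — verify before enabling rotation.
kubeadmConfigPatches:
  - |
    # v1beta2 only works for 1.15+
    apiVersion: kubeadm.k8s.io/v1beta2
    kind: ClusterConfiguration
    metadata:
      name: config
    apiServer:
      extraArgs:
        # https://kind.sigs.k8s.io/docs/user/quick-start/#enable-feature-gates-in-your-cluster
        # "feature-gates": "TTLAfterFinished=true"
        # "feature-gates": "ServerSideApply=true"
        audit-log-path: /var/log/apiserver-audit.log
        audit-policy-file: /etc/kubernetes/audit-policy.yaml
      extraVolumes:
        - name: auditpolicy
          pathType: File
          readOnly: true
          hostPath: /etc/kubernetes/audit-policy.yaml
          mountPath: /etc/kubernetes/audit-policy.yaml
        - name: auditlog
          pathType: File
          readOnly: false
          hostPath: /var/log/apiserver-audit.log
          mountPath: /var/log/apiserver-audit.log
# Older kubeadm API variant, kept commented out for reference:
# kubeadmConfigPatches:
#   - |
#     # kubeadm.k8s.io/v1alpha2 works for kubeadm 1.11
#     # kubeadm.k8s.io/v1beta1 works for >= 1.13 and <= 1.18
#     # kubeadm.k8s.io/v1beta2 works for >= 1.15 and <= ?
#     apiVersion: kubeadm.k8s.io/v1alpha2
#     # MasterConfiguration changed to ClusterConfiguration in 1.13
#     kind: MasterConfiguration
#     metadata:
#       name: config
#     apiServer:
#       extraArgs:
#         audit-log-path: /var/log/apiserver-audit.log
#         audit-policy-file: /etc/kubernetes/audit-policy.yaml
#     apiServerExtraVolumes:
#       - name: auditpolicy
#         pathType: File
#         readOnly: true
#         hostPath: /etc/kubernetes/audit-policy.yaml
#         mountPath: /etc/kubernetes/audit-policy.yaml
#       - name: auditlog
#         pathType: File
#         readOnly: false
#         hostPath: /var/log/apiserver-audit.log
#         mountPath: /var/log/apiserver-audit.log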