From 9f6422a09a9d8ca7cb0dad9dc85dd2b010d58d9e Mon Sep 17 00:00:00 2001
From: Tom Teichler <tom.teichler@teckids.org>
Date: Sat, 26 Nov 2022 13:06:12 +0100
Subject: [PATCH] Enable kubernetes api logging

---
 .../files/custom/teckids-apiserver.yaml       | 10 ++++++++
 .../files/custom/teckids-logging.yaml         | 24 +++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 roles/k8s_master/files/custom/teckids-apiserver.yaml
 create mode 100644 roles/k8s_master/files/custom/teckids-logging.yaml

diff --git a/roles/k8s_master/files/custom/teckids-apiserver.yaml b/roles/k8s_master/files/custom/teckids-apiserver.yaml
new file mode 100644
index 0000000..7b00d42
--- /dev/null
+++ b/roles/k8s_master/files/custom/teckids-apiserver.yaml
@@ -0,0 +1,10 @@
+apiVersion: kubeadm.k8s.io/v1beta3
+kind: ClusterConfiguration
+kubernetesVersion: v1.23.5
+apiServer:
+  extraArgs:
+    oidc-issuer-url: "https://ticdesk.teckids.org/oauth"
+    oidc-client-id: "RcO3weOpSnlenZcBaBbXKFoNpElQzxjU0O20T273"
+    oidc-username-claim: "preferred_username"
+    audit-log-path: "/var/log/audit.log"
+    audit-policy-file: "/etc/kubernetes/manifests/custom/teckids-logging.yaml"
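Review bot: `audit-policy-file` and `audit-log-path` name host paths, but kube-apiserver runs as a static pod and only sees what kubeadm mounts into it through `apiServer.extraVolumes`; with no mount the API server cannot open the policy file at startup, and even if it started, the log would be written inside the container instead of to the node's `/var/log`. The hunk also sets none of `audit-log-maxage`, `audit-log-maxbackup` or `audit-log-maxsize`, so the audit log grows without bound on the control-plane node. I would add the mounts and retention flags below (the retention numbers are example values to be tuned); the policy file path is kept as in the hunk so the Ansible role's `files/custom` layout is unchanged.
```yaml
apiServer:
  extraArgs:
    # … unchanged: oidc-* args …
    audit-log-path: "/var/log/audit.log"
    audit-policy-file: "/etc/kubernetes/manifests/custom/teckids-logging.yaml"
    # Example retention values — adjust to the node's disk budget.
    audit-log-maxage: "30"
    audit-log-maxbackup: "10"
    audit-log-maxsize: "100"
  extraVolumes:
    # The policy must be visible inside the static pod; mount it read-only.
    - name: audit-policy
      hostPath: "/etc/kubernetes/manifests/custom/teckids-logging.yaml"
      mountPath: "/etc/kubernetes/manifests/custom/teckids-logging.yaml"
      readOnly: true
      pathType: File
    # The log must land on the host, not in the container's ephemeral filesystem.
    - name: audit-log
      hostPath: "/var/log/audit.log"
      mountPath: "/var/log/audit.log"
      pathType: FileOrCreate
```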
diff --git a/roles/k8s_master/files/custom/teckids-logging.yaml b/roles/k8s_master/files/custom/teckids-logging.yaml
new file mode 100644
index 0000000..3ee2c2f
--- /dev/null
+++ b/roles/k8s_master/files/custom/teckids-logging.yaml
@@ -0,0 +1,24 @@
+apiVersion: audit.k8s.io/v1
+kind: Policy
+omitStages:
+  - RequestReceived
+rules:
+  # Log alle Requests für APIs mit deprecated Versionen. Leider kann man hier nicht
+  # auf die API-Version filtern, d.h. im Log werden auch aktuelle API-Versionen auftauchen.
+  - level: Metadata
+    resources:
+      # v1.25
+      - group: batch
+        resources: ["cronjobs"]
+      - group: autoscaling
+        resources: ["horizontalpodautoscalers"]
+      - group: policy
+        resources: ["poddisruptionbudgets", "podsecuritypolicies"]
+      # v1.26
+      - group: autoscaling
+        resources: ["horizontalpodautoscalers"]
+      - group: flowcontrol.apiserver.k8s.io
+        resources: ["flowschemas", "prioritylevelconfigurations"]
+      # v1.27
+      - group: storage.k8s.io
+        resources: ["csistoragecapacities"]
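Review bot: The `autoscaling` / `horizontalpodautoscalers` entry appears twice (once under the `# v1.25` comment and again under `# v1.26`); audit rules match on group and resource only, so the second entry is redundant and should be dropped, or both folded into one entry whose comment names both removals (presumably `v2beta1` in 1.25 and `v2beta2` in 1.26). The rule's comment is in German and understates what the log contains: the policy indeed cannot filter on the API version, but Metadata-level events record `requestURI` and `objectRef.apiVersion`, so deprecated-version calls can be told apart from current-version calls when the log is read; I would replace it with `# Log every request to resources that lose a deprecated API version in an upcoming release. Policy rules cannot filter on the API version, so current versions are logged too; filter on objectRef.apiVersion / requestURI when reading the log.` Requests that match none of these rules are not logged at all, which is presumably intended here, but a trailing `- level: None` rule with a one-line comment would make that choice explicit to the next reader.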
-- 
GitLab