From 9f6422a09a9d8ca7cb0dad9dc85dd2b010d58d9e Mon Sep 17 00:00:00 2001
From: Tom Teichler <tom.teichler@teckids.org>
Date: Sat, 26 Nov 2022 13:06:12 +0100
Subject: [PATCH] Enable kubernetes api logging
---
 .../files/custom/teckids-apiserver.yaml | 10 ++++++++
 .../files/custom/teckids-logging.yaml | 24 +++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 roles/k8s_master/files/custom/teckids-apiserver.yaml
 create mode 100644 roles/k8s_master/files/custom/teckids-logging.yaml
diff --git a/roles/k8s_master/files/custom/teckids-apiserver.yaml b/roles/k8s_master/files/custom/teckids-apiserver.yaml
new file mode 100644
index 0000000..7b00d42
--- /dev/null
+++ b/roles/k8s_master/files/custom/teckids-apiserver.yaml
@@ -0,0 +1,10 @@
+apiVersion: kubeadm.k8s.io/v1beta3
+kind: ClusterConfiguration
+kubernetesVersion: v1.23.5
+apiServer:
+ extraArgs:
+ oidc-issuer-url: "https://ticdesk.teckids.org/oauth"
+ oidc-client-id: "RcO3weOpSnlenZcBaBbXKFoNpElQzxjU0O20T273"
+ oidc-username-claim: "preferred_username"
+ audit-log-path: "/var/log/audit.log"
+ audit-policy-file: "/etc/kubernetes/manifests/custom/teckids-logging.yaml"
diff --git a/roles/k8s_master/files/custom/teckids-logging.yaml b/roles/k8s_master/files/custom/teckids-logging.yaml
new file mode 100644
index 0000000..3ee2c2f
--- /dev/null
+++ b/roles/k8s_master/files/custom/teckids-logging.yaml
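Review bot: The kube-apiserver static pod that kubeadm renders from this ClusterConfiguration only sees host paths listed under `apiServer.extraVolumes`, and none are given here, so `/etc/kubernetes/manifests/custom/teckids-logging.yaml` is not readable inside the container (kube-apiserver refuses to start when `audit-policy-file` cannot be loaded) and `/var/log/audit.log` would be written to the container filesystem rather than the node. Both paths need hostPath mounts, as sketched below. The audit log also grows without bound because no `audit-log-maxage`, `audit-log-maxbackup` or `audit-log-maxsize` are set; the values below are constructed examples to be tuned. `/var/log/audit.log` is also a file name easily confused with the host auditd log; a dedicated directory such as the one the upstream audit documentation uses would keep the two apart, and keeping the policy file outside the kubelet's static-pod directory avoids the kubelet logging errors about a subdirectory it cannot treat as a manifest (hedged: this depends on the kubelet version in use).
```yaml
apiServer:
  extraArgs:
    # … unchanged: oidc-* args, audit-log-path, audit-policy-file …
    audit-log-maxage: "30"      # days to keep rotated files (constructed example)
    audit-log-maxbackup: "10"   # number of rotated files to keep (constructed example)
    audit-log-maxsize: "100"    # MB per file before rotation (constructed example)
  extraVolumes:
    - name: audit-policy
      hostPath: /etc/kubernetes/manifests/custom/teckids-logging.yaml
      mountPath: /etc/kubernetes/manifests/custom/teckids-logging.yaml
      readOnly: true
      pathType: File
    - name: audit-log
      hostPath: /var/log/audit.log
      mountPath: /var/log/audit.log
      readOnly: false
      pathType: FileOrCreate
```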
@@ -0,0 +1,24 @@
+apiVersion: audit.k8s.io/v1
+kind: Policy
+omitStages:
+ - RequestReceived
+rules:
+ # Log alle Requests für APIs mit deprecated Versionen. Leider kann man hier nicht
+ # auf die API-Version filtern, d.h. im Log werden auch aktuelle API-Versionen auftauchen.
+ - level: Metadata
+ resources:
+ # v1.25
+ - group: batch
+ resources: ["cronjobs"]
+ - group: autoscaling
+ resources: ["horizontalpodautoscalers"]
+ - group: policy
+ resources: ["poddisruptionbudgets", "podsecuritypolicies"]
+ # v1.26
+ - group: autoscaling
+ resources: ["horizontalpodautoscalers"]
+ - group: flowcontrol.apiserver.k8s.io
+ resources: ["flowschemas", "prioritylevelconfigurations"]
+ # v1.27
+ - group: storage.k8s.io
+ resources: ["csistoragecapacities"]
-- 
GitLab
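Review bot: The `autoscaling` / `horizontalpodautoscalers` entry appears twice (under the v1.25 and the v1.26 comment); a policy rule matches on group and resource only, so the second copy is redundant and should be dropped, with the version note merged into the remaining entry. Because a request that matches no rule is not logged at all, it is worth making that explicit with a terminal `- level: None` rule, and worth a comment stating that this policy records only deprecated-API usage: nothing about the OIDC-authenticated requests the sibling apiserver file enables, secret reads or RBAC changes reaches the log, which the commit title "Enable kubernetes api logging" could lead a reader to expect. The German comment is right that rules cannot filter on the API version, but Metadata-level events carry `objectRef.apiVersion` and `requestURI`, so the current-version entries can be filtered out when the log is consumed; adding that to the comment tells the next reader the noise is filterable rather than unavoidable.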