Overview
Kubernetes audit logging is configured through a backend; both a file backend (log written to disk) and a webhook backend (events pushed to an external receiver) are supported.
Hands-on
cat /etc/kubernetes/audit/policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Rules are evaluated top to bottom; the first matching rule sets the level.
rules:
  # Do not log read-only requests from anyone.
  - level: None
    verbs: ["get", "watch", "list"]
  # Do not log core-group events (noisy).
  - level: None
    resources:
      - group: "" # core
        resources: ["events"]
  # Do not log requests from these control-plane identities.
  - level: None
    users:
      - "system:kube-scheduler"
      - "system:kube-proxy"
      - "system:apiserver"
      - "system:kube-controller-manager"
      - "system:serviceaccount:gatekeeper-system:gatekeeper-admin"
  # Do not log requests from kubelets.
  - level: None
    userGroups: ["system:nodes"]
  # Catch-all: log everything else with full request and response bodies.
  - level: RequestResponse
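As an added example (not code from the original post), the Python below models how the apiserver evaluates the policy above: rules are checked in order and the first rule whose selectors all match decides the level, with a selector-less rule matching everything. It is a simplified model (no namespace, nonResourceURL or subresource matching) run against constructed sample requests; `POLICY_RULES` is a hand-transcription of the YAML.

```python
# Constructed example: a minimal evaluator for the audit policy shown above.
# Simplified on purpose: only verbs, users, userGroups and group/resource selectors.

POLICY_RULES = [
    {"level": "None", "verbs": ["get", "watch", "list"]},
    {"level": "None", "resources": [{"group": "", "resources": ["events"]}]},
    {"level": "None", "users": [
        "system:kube-scheduler", "system:kube-proxy", "system:apiserver",
        "system:kube-controller-manager",
        "system:serviceaccount:gatekeeper-system:gatekeeper-admin"]},
    {"level": "None", "userGroups": ["system:nodes"]},
    {"level": "RequestResponse"},  # catch-all: no selectors, matches every request
]


def _resource_matches(selectors, req):
    """True if any group/resource selector covers the request's resource."""
    for sel in selectors:
        if sel.get("group", "") != req.get("group", ""):
            continue  # group must match exactly ("" is the core group)
        names = sel.get("resources")
        if not names or req.get("resource") in names:
            return True
    return False


def rule_matches(rule, req):
    """Every selector present on the rule must match; absent selectors match all."""
    if "verbs" in rule and req["verb"] not in rule["verbs"]:
        return False
    if "users" in rule and req["user"] not in rule["users"]:
        return False
    if "userGroups" in rule and not set(req.get("groups", [])) & set(rule["userGroups"]):
        return False
    if "resources" in rule and not _resource_matches(rule["resources"], req):
        return False
    return True


def audit_level(req, rules=POLICY_RULES):
    """Level assigned by the first matching rule; 'None' when nothing matches."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule["level"]
    return "None"


if __name__ == "__main__":
    # Constructed request: a human user creating a Secret -> logged in full.
    print(audit_level({"verb": "create", "user": "alice", "groups": ["system:authenticated"],
                       "group": "", "resource": "secrets"}))
```

Two consequences worth checking against your own policy: the first rule silences every read, including `get` on Secrets by a human user, and the events rule only covers the core group, so events in `events.k8s.io` are still logged at RequestResponse.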
Because my API server runs as a Pod, the Pod manifest has to be edited.
# Flags added to the kube-apiserver container's command
    - --audit-policy-file=/etc/kubernetes/audit/policy.yaml
    - --audit-log-path=/etc/kubernetes/audit/audit.log
    - --audit-log-maxsize=500    # rotate the log file after 500 MB
    - --audit-log-maxbackup=3    # keep at most 3 rotated files
# hostPath volume added under volumes (holds both policy.yaml and audit.log)
  - hostPath:
      path: /etc/kubernetes/audit
      type: DirectoryOrCreate
    name: audit
# volumeMount added under the container's volumeMounts
  - mountPath: /etc/kubernetes/audit
    name: audit