Difference between revisions of "Configuring the kops audit log"

 


==References==
* https://github.com/kubernetes/kops/blob/master/docs/cluster_spec.md#audit-logging
* https://medium.com/@noqcks/kubernetes-audit-logging-introduction-464a34a53f6c


[[Category: kops]]

Latest revision as of 22:36, 22 September 2019 (Sun)

1 Overview

Configuring the kops audit log
root@localhost:~# kops edit cluster
...
spec:
  kubeAPIServer:
    auditLogMaxAge: 7
    auditLogMaxBackups: 10
    auditLogMaxSize: 100
    auditLogPath: /var/log/kube-apiserver-audit.log
    auditPolicyFile: /srv/kubernetes/audit.yaml
  fileAssets:
  - name: audit-policy
    path: /srv/kubernetes/audit.yaml
    roles: [Master]
    content: |
      apiVersion: audit.k8s.io/v1beta1
      kind: Policy
      rules:
      - level: Metadata
        omitStages:
        - RequestReceived
root@localhost:~# kops update cluster
...
I0804 20:58:35.374648   13446 executor.go:103] Tasks: 0 done / 83 total; 42 can run
I0804 20:58:36.304461   13446 executor.go:103] Tasks: 42 done / 83 total; 23 can run
I0804 20:58:37.039537   13446 executor.go:103] Tasks: 65 done / 83 total; 16 can run
I0804 20:58:37.280375   13446 executor.go:103] Tasks: 81 done / 83 total; 2 can run
I0804 20:58:37.370598   13446 executor.go:103] Tasks: 83 done / 83 total; 0 can run
Will modify resources:
  LaunchConfiguration/master-ap-northeast-2c.masters.example.com
  	UserData            
  	                    	...
  	                    	    main:
  	                    	      version: 3.2.24
  	                    	- kubeAPIServer:
  	                    	-   allowPrivileged: true
  	                    	-   anonymousAuth: false
  	                    	+ fileAssets:
  	                    	+ - content: WYA9//1Ck3moE+G0IqsKuwMy5a7= (fingerprint)
  	                    	+   name: audit-policy
  	                    	+   path: /srv/kubernetes/audit.yaml
  	                    	+ kubeAPIServer:
  	                    	+   allowPrivileged: true
  	                    	+   anonymousAuth: false
  	                    	+   apiServerCount: 1
  	                    	+   auditLogMaxAge: 7
  	                    	+   auditLogMaxBackups: 10
  	                    	+   auditLogMaxSize: 100
  	                    	+   auditLogPath: /var/log/kube-apiserver-audit.log
  	                    	+   auditPolicyFile: /srv/kubernetes/audit.yaml
  	                    	-   apiServerCount: 1
  	                    	    authorizationMode: RBAC
  	                    	    bindAddress: 0.0.0.0
  	                    	...
  	                    	

Must specify --yes to apply changes
root@localhost:~# kops update cluster --yes
...
I0804 21:03:05.508724   13476 executor.go:103] Tasks: 0 done / 83 total; 42 can run
I0804 21:03:06.355909   13476 executor.go:103] Tasks: 42 done / 83 total; 23 can run
I0804 21:03:07.313470   13476 executor.go:103] Tasks: 65 done / 83 total; 16 can run
I0804 21:03:08.094892   13476 executor.go:103] Tasks: 81 done / 83 total; 2 can run
I0804 21:03:08.326222   13476 executor.go:103] Tasks: 83 done / 83 total; 0 can run
I0804 21:03:08.326330   13476 dns.go:153] Pre-creating DNS records
I0804 21:03:09.450673   13476 update_cluster.go:291] Exporting kubecfg for cluster
kops has set your kubectl context to example.com

Cluster changes have been applied to the cloud.


Changes may require instances to restart: kops rolling-update cluster
root@localhost:~# kops rolling-update cluster
NAME			STATUS		NEEDUPDATE	READY	MIN	MAX	NODES
master-ap-northeast-2c	NeedsUpdate	1		0	1	1	1
nodes			Ready		0		2	2	2	2

Must specify --yes to rolling-update.
root@localhost:~# kops rolling-update cluster --yes
NAME			STATUS		NEEDUPDATE	READY	MIN	MAX	NODES
master-ap-northeast-2c	NeedsUpdate	1		0	1	1	1
nodes			Ready		0		2	2	2	2
I0804 23:43:17.768586   15528 instancegroups.go:165] Draining the node: "ip-172-31-55-23.ap-northeast-2.compute.internal".
node/ip-172-31-55-23.ap-northeast-2.compute.internal cordoned
node/ip-172-31-55-23.ap-northeast-2.compute.internal cordoned
pod/dns-controller-8588b845cd-4m5n5 evicted
I0804 23:43:20.834193   15528 instancegroups.go:358] Waiting for 1m30s for pods to stabilize after draining.
I0804 23:44:50.834392   15528 instancegroups.go:185] deleting node "ip-172-31-55-23.ap-northeast-2.compute.internal" from kubernetes
I0804 23:44:50.840559   15528 instancegroups.go:299] Stopping instance "i-0fee55f917fc9cc3e", node "ip-172-31-55-23.ap-northeast-2.compute.internal", in group "master-ap-northeast-2c.masters.example.com" (this may take a while).
I0804 23:44:51.073274   15528 instancegroups.go:198] waiting for 5m0s after terminating instance
I0804 23:49:51.073454   15528 instancegroups.go:209] Validating the cluster.
I0804 23:49:51.365128   15528 instancegroups.go:273] Cluster did not pass validation, will try again in "30s" until duration "5m0s" expires: node "ip-172-31-37-193.ap-northeast-2.compute.internal" is not ready.
I0804 23:50:21.592375   15528 instancegroups.go:276] Cluster validated.
I0804 23:50:21.592413   15528 rollingupdate.go:184] Rolling update completed for cluster "example.com"!

2 See also

3 References
