1 개요[ | ]
- Kube-apiserver audit logs
- 쿠버네티스 audit log 설정하기: kube-apiserver에 감사 정책 파일(audit-policy.yaml)과 로그 경로를 지정하여, 어떤 사용자가 어떤 동사(verb)로 어떤 리소스에 접근했는지를 기록하는 방법
2 /var/log/kubernetes 폴더 생성[ | ]
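# -p makes this idempotent (safe to re-run). Audit events at the Request/RequestResponse
# levels include caller identity and request bodies, so keep the directory root-only;
# kube-apiserver in a kubeadm static pod runs as root (presumably — confirm on your
# distribution), so it can still write here.
root@master:~# mkdir -p /var/log/kubernetes
root@master:~# chmod 700 /var/log/kubernetes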
3 audit-policy.yaml 작성[ | ]
# Write the policy shown below to this path; kube-apiserver loads it via --audit-policy-file.
root@master:~# vi /etc/kubernetes/audit-policy.yaml
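# Audit policy for kube-apiserver.
# Rules are evaluated top-down and the FIRST matching rule decides the audit level,
# so the order of the rules below is significant.
apiVersion: audit.k8s.io/v1 # This is required. v1 is GA since v1.12; v1beta1 was removed in v1.24,
                            # and the events the apiserver writes already use audit.k8s.io/v1.
kind: Policy
# We recommend that you do not generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # The following requests are manually identified as high-volume and low-risk.
  # Therefore, we recommend that you drop them.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # core
        resources: ["endpoints", "services"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"] # legacy kubelet identity
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # core
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["namespaces"]
  # We recommend that you do not log these read-only URLs.
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  # We recommend that you do not log events requests.
  - level: None
    resources:
      - group: "" # core
        resources: ["events"]
  # Secrets, ConfigMaps, TokenRequests and TokenReviews can contain sensitive and binary data.
  # Therefore, they are logged only at the Metadata level (no request/response bodies).
  # This rule MUST stay above the Request/RequestResponse rules below: first match wins,
  # so moving it down would write secret contents and bearer tokens into the audit log.
  - level: Metadata
    resources:
      - group: "" # core
        # serviceaccounts/token (TokenRequest) responses carry a bearer token, so they are
        # kept at Metadata as well.
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # Get responses can be large; skip them (log the request, not the response body).
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default level for known APIs: full request and response bodies for mutating verbs.
  - level: RequestResponse
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default level for all other requests (e.g. CRDs and aggregated APIs not listed above).
  - level: Metadata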
4 kube-apiserver.yaml 수정[ | ]
# This is a static pod manifest (/etc/kubernetes/manifests); once saved, kubelet should
# restart kube-apiserver with the new flags — no manual restart needed.
root@master:~# vi /etc/kubernetes/manifests/kube-apiserver.yaml
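...
containers:
- command:
  - kube-apiserver
  # Log rotation: keep files for 7 days, at most 10 rotated files of 100 MB each.
  # The CIS Kubernetes Benchmark suggests --audit-log-maxage=30 "or as appropriate";
  # whatever you pick, ship the log off the control-plane node, because anyone with
  # root on this host can truncate or delete a local file.
  - --audit-log-maxage=7
  - --audit-log-maxbackup=10
  - --audit-log-maxsize=100
  - --audit-log-path=/var/log/kubernetes/kubernetes.audit
  - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
...
  volumeMounts:
  - mountPath: /var/log/kubernetes
    name: k8s-audit
  - mountPath: /etc/kubernetes/audit-policy.yaml
    name: audit-policy
    readOnly: true # the apiserver only reads the policy; never mount it writable
...
volumes:
- hostPath:
    path: /var/log/kubernetes
    type: DirectoryOrCreate
  name: k8s-audit
- hostPath:
    path: /etc/kubernetes/audit-policy.yaml
    # 'File' instead of 'FileOrCreate': if the policy file is missing, the mount fails
    # with a clear error, instead of kubelet silently creating an empty file that the
    # apiserver cannot use as a policy.
    type: File
  name: audit-policy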
5 확인[ | ]
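# Show the most recent audit event (tail reads the file directly; no need to pipe through cat).
# Each line is one JSON event: check the "user", "verb" and "objectRef" fields to confirm
# the policy is matching as intended.
root@master:~# tail -n 1 /var/log/kubernetes/kubernetes.audit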
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"602dbf89-8189-4bc9-a56f-4d583c9d04f7","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/endpoints/kubernetes","verb":"get","user":{"username":"system:apiserver","uid":"1ec7fa2e-40eb-4dfc-8e2e-6e1cd3ffd00e","groups":["system:masters"]},"sourceIPs":["::1"],"userAgent":"kube-apiserver/v1.14.0 (linux/amd64) kubernetes/641856d","objectRef":{"resource":"endpoints","namespace":"default","name":"kubernetes","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2019-07-29T03:37:23.252408Z","stageTimestamp":"2019-07-29T03:37:23.253086Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
6 같이 보기[ | ]
7 참고[ | ]