Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
168 lines (163 sloc) 4.9 KB
# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Namespace
metadata:
name: cos-auditd
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cos-auditd-logging
namespace: cos-auditd
annotations:
kubernetes.io/description: 'DaemonSet that enables Linux auditd logging on COS nodes.'
spec:
selector:
matchLabels:
name: cos-auditd-logging
template:
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
labels:
name: cos-auditd-logging
spec:
hostNetwork: true
hostPID: true
nodeSelector:
cloud.google.com/gke-os-distribution: cos
volumes:
- hostPath:
path: /
name: host
- hostPath:
path: /var/log
name: varlog
- hostPath:
path: /usr/lib64
name: libsystemddir
- configMap:
defaultMode: 420
name: fluentd-gcp-config-cos-auditd
name: config-volume
initContainers:
- name: cos-auditd-setup
image: ubuntu
command: ["chroot", "/host", "systemctl", "start", "cloud-audit-setup"]
securityContext:
privileged: true
volumeMounts:
- name: host
mountPath: /host
resources:
requests:
memory: "10Mi"
cpu: "10m"
containers:
- name: fluentd-gcp-cos-auditd
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
image: gcr.io/stackdriver-agents/stackdriver-logging-agent:0.6-1.6.0-1
imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- /bin/sh
- -c
- |
LIVENESS_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-300}; STUCK_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-900}; if [ ! -e /var/log/fluentd-buffers ]; then
exit 1;
fi; touch -d "${STUCK_THRESHOLD_SECONDS} seconds ago" /tmp/marker-stuck; if [[ -z "$(find /var/log/fluentd-buffers -type f -newer /tmp/marker-stuck -print -quit)" ]]; then
rm -rf /var/log/fluentd-buffers;
exit 1;
fi; touch -d "${LIVENESS_THRESHOLD_SECONDS} seconds ago" /tmp/marker-liveness; if [[ -z "$(find /var/log/fluentd-buffers -type f -newer /tmp/marker-liveness -print -quit)" ]]; then
exit 1;
fi;
failureThreshold: 3
initialDelaySeconds: 600
periodSeconds: 60
successThreshold: 1
timeoutSeconds: 1
resources:
limits:
cpu: "1"
memory: 500Mi
requests:
cpu: 100m
memory: 200Mi
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/log
name: varlog
- mountPath: /host/lib
name: libsystemddir
readOnly: true
- mountPath: /etc/google-fluentd/google-fluentd.conf
subPath: google-fluentd.conf
name: config-volume
dnsPolicy: Default
restartPolicy: Always
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoSchedule
key: node.alpha.kubernetes.io/ismaster
- effect: NoExecute
operator: Exists
updateStrategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
---
kind: ConfigMap
apiVersion: v1
metadata:
name: fluentd-gcp-config-cos-auditd
namespace: cos-auditd
annotations:
kubernetes.io/description: 'ConfigMap for Linux auditd logging daemonset on COS nodes.'
data:
google-fluentd.conf: |-
<source>
@type systemd
filters [{ "SYSLOG_IDENTIFIER": "audit" }]
pos_file /var/log/gcp-journald-audit.pos
read_from_head true
tag linux-auditd
</source>
# Do not collect fluentd's own logs to avoid infinite loops.
<match fluent.**>
@type null
</match>
<match **>
@type google_cloud
enable_monitoring false
split_logs_by_tag false
detect_subservice false
buffer_type file
buffer_path /var/log/fluentd-buffers/system.audit.buffer
buffer_queue_full_action block
buffer_chunk_limit 512k
buffer_queue_limit 2
flush_interval 5s
max_retry_wait 30
disable_retry_limit
num_threads 2
use_grpc true
</match>
You can’t perform that action at this time.