Add options for file audit configuration #734
Few questions:
- why not enable this by default?
- can user configure both file & webhook audit?
Audit generates quite a bit of data. E.g. in my cold-running test cluster it generates ~80M per hour. So I thought one should not really have it unless you really want to have audit
Yes.
Does it really matter if we have sane defaults for size & max_age? Writing audit log to a file should not be too resource intensive?
We can make it on by default. How about with something like:
That would make it look like something like this on disk:
@jakolehm there's now defaulting in place PTAL
'path' => '/var/log/kubernetes/audit.json', | ||
'max_size' => 100, # Max 100M files | ||
'max_age' => 30, # Max 30 days old audits | ||
'max_backups' => 20 # Max 20 rolled files, each 100M |
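Review bot: the `max_size` and `max_backups` lines cap rolled audit files at 20 x 100M, about 2G plus the active file at `/var/log/kubernetes/audit.json`, and that total is not stated in these comments. At the ~80M per hour reported earlier in this conversation that cap is reached in roughly a day, so `max_age` of 30 days would rarely be the limit that applies; suggest adding the total to the `max_backups` comment and checking that the defaults give the retention window you intend.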
Maybe add a comment how much in total audit logs can consume.
LGTM
fixes #733
File audit logging can be configured with:
This also moves the webhook audit under `audit.webhook`, which is a breaking change.