Add options for file audit configuration

[jnummelin]

fixes #733

File audit logging can be configured with:

audit:
  file:
    path: /var/log/kube_audit/audit.json
    max_size: 100
    max_age: 30
    max_backups: 20

This also moves the webhook audit under audit.webhook which is a breaking change.

[jakolehm]

Few questions:

• why not enable this by default?
• can user configure both file & webhook audit

[jnummelin]

why not enable this by default?

Audit generates quite a bit of data. E.g. in my cold-running test cluster it generates ~80M per hour. So I thought one should not really have it unless you really want the have audit

can user configure both file & webhook audit

Yes.

[jakolehm]

Audit generates quite a bit of data. E.g. in my cold-running test cluster it generates ~80M per hour. So I thought one should not really have it unless you really want the have audit

Does it really matter if we have sane defaults for size & max_age? Writing audit log to a file should not be too resource intensive?

[jnummelin]

Does it really matter if we have sane defaults for size & max_age? Writing audit log to a file should not be too resource intensive?

We can make it on by default. How about with something like:

          'path' => '/var/log/kubernetes/audit.json',
          'max_size' => 100, # Max 100M files
          'max_age' => 30, # Max 30 days old audits
          'max_backups' => 20 # Max 20 rolled files, each 100M --> 2G used at max

That would make it look like something like this on disk:

root@pharos-master-0:~# ls -lah /var/log/kubernetes/
total 101M
drwxr-xr-x  2 root root   4.0K Oct 29 11:19 .
drwxrwxr-x 10 root syslog 4.0K Oct 29 09:15 ..
-rw-r--r--  1 root root   100M Oct 29 11:19 audit-2018-10-29T11-19-02.698.json
-rw-r--r--  1 root root   271K Oct 29 11:19 audit.json

[jnummelin]

@jakolehm there's now defaulting in place PTAL

[jakolehm]

Maybe add a comment how much in total audit logs can consume.

[jakolehm]

LGTM