Audit Policy File #3692
Conversation
Are the contents secret? Feel like we should build the manifest properly.
Rather we should behold the config file properly for the user. Stuff like this is important and frankly should be easy for the user.
hi @chrislovecnm ... I'm assuming you mean allowing the user to write the rules directly into the cluster spec and get nodeup to write the manifest out? ... I can't find anywhere else we are doing this though; the closest 'recent' PR involving a manifest would be encryption at rest .. but here we were using a secret and simply creating via the kops create command. We could reuse this method but add some validation at the very least? ... I'm not sure if we have a consistent way of doing this ... file assets has the +1 of changes being detectable to rollouts ...
/assign @gambol99
@@ -248,6 +248,8 @@ type KubeAPIServerConfig struct { | |||
AuditLogMaxBackups *int32 `json:"auditLogMaxBackups,omitempty" flag:"audit-log-maxbackup"` | |||
// The maximum size in megabytes of the audit log file before it gets rotated. Defaults to 100MB. | |||
AuditLogMaxSize *int32 `json:"auditLogMaxSize,omitempty" flag:"audit-log-maxsize"` | |||
// AuditPolicyFile is path to a audit policy configuraion file on the masters |
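Review bot: the doc comment on the added field has a typo ("configuraion") and a wrong article ("a audit"), and "path" understates what the value is, since the apiserver's `--audit-policy-file` flag this maps to takes the full file name; suggest "// AuditPolicyFile is the fully qualified path of the audit policy configuration file on the masters".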
.. is the path to an audit policy configuration ..
So we should start with what they have upstream https://github.com/kubernetes/kubernetes/blob/v1.8.0-beta.0/cluster/gce/gci/configure-helper.sh#L532 and build from there. Let me think this through a bit.
Question
pkg/apis/kops/componentconfig.go
Outdated
@@ -248,6 +248,8 @@ type KubeAPIServerConfig struct { | |||
AuditLogMaxBackups *int32 `json:"auditLogMaxBackups,omitempty" flag:"audit-log-maxbackup"` | |||
// The maximum size in megabytes of the audit log file before it gets rotated. Defaults to 100MB. | |||
AuditLogMaxSize *int32 `json:"auditLogMaxSize,omitempty" flag:"audit-log-maxsize"` | |||
// AuditPolicyFile is path to a audit policy configuraion file on the masters | |||
AuditPolicyFile string `json:"auditPolicyFile,omitempty" flag:"audit-policy-file"` |
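Review bot: `AuditPolicyFile` is handed straight to `--audit-policy-file` via the flag tag, and nothing in this hunk validates it or ties it to the FileAsset the description says will deliver the file contents; add a validation step that rejects a non-absolute value when the field is set, so a bad path is caught at `kops update` time rather than as a kube-apiserver that fails to start because it cannot open its policy file.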
Fully qualified path and file name? It is not just the path.
/mnt/my-audit-file.comf
Let's get the comments reading better on the API values and get this in. Examples are awesome. We can figure out how to add the policy file better later. Almost like an addon...
Force-pushed c9202d7 to 2aeb53b
Extending the KubeAPI component config to allow setting the audit-policy-file
Force-pushed 2aeb53b to e995c7b
I've updated the field comments @chrislovecnm ... we can use this week's 'out of hours' for an implementation of content.
/lgtm
/retest Why has this not merged?
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: chrislovecnm
/test all [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue.
The current implementation doesn't allow users to set the advanced audit policy location. Note, the file contents can be pushed by a FileAsset a sample given below .... Or do we want an explicit secret for this? ..
related to #3672
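As an added illustration (not part of the PR or its description, which omits the promised sample), here is what wiring the new `auditPolicyFile` field to a FileAsset-delivered policy could look like in a cluster spec; the `fileAssets` block and the `roles`/`content` keys are assumed from the kops file-asset mechanism the description refers to, and the policy itself is a constructed example in the `audit.k8s.io/v1beta1` format of the 1.8-era apiserver.

```yaml
# Constructed example cluster spec fragment; not from the PR.
apiVersion: kops/v1alpha2
kind: Cluster
metadata:
  name: example.k8s.local   # placeholder cluster name
spec:
  kubeAPIServer:
    # New field from this PR: passed through as --audit-policy-file,
    # so it must be the full path of the file on the master.
    auditPolicyFile: /srv/kubernetes/audit-policy.yaml
    # Existing log settings shown alongside for context.
    auditLogPath: /var/log/kube-apiserver-audit.log
    auditLogMaxAge: 10
    auditLogMaxBackups: 1
    auditLogMaxSize: 100
  # The policy contents are delivered to masters as a file asset, as the
  # description suggests, so changes to it are visible to rolling updates.
  fileAssets:
  - name: kube-apiserver-audit-policy
    path: /srv/kubernetes/audit-policy.yaml
    roles:
    - Master
    content: |
      apiVersion: audit.k8s.io/v1beta1
      kind: Policy
      # Drop the noisy, low-value phases entirely.
      omitStages:
      - RequestReceived
      rules:
      # Health and metrics probes carry no security signal.
      - level: None
        nonResourceURLs:
        - /healthz*
        - /metrics
      # Secret material must never be written to the audit log in full.
      - level: Metadata
        resources:
        - group: ""
          resources: ["secrets", "configmaps"]
      # Everything else: record request and response bodies.
      - level: RequestResponse
```

Because the policy travels with the cluster spec, a `kops update cluster` followed by a rolling update is what applies a policy change to the masters.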