
Add minimal audit policy to local-up-cluster #72487

Merged
merged 1 commit into from Feb 20, 2019

Conversation

@dims
Member

dims commented Jan 2, 2019

Change-Id: Ia2cdb5a6a891665ece5365698f2989ba3782a5ec

What type of PR is this?
/kind feature

What this PR does / why we need it:
Add support for generating audit logs.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE
@dims

Member Author

dims commented Jan 2, 2019

/test pull-kubernetes-local-e2e

hack/local-up-cluster.sh (outdated)
@dims

Member Author

dims commented Jan 10, 2019

/assign @liggitt

APISERVER_LOG=${LOG_DIR}/kube-apiserver.log
${CONTROLPLANE_SUDO} "${GO_OUT}/hyperkube" apiserver ${swagger_arg} ${authorizer_arg} ${priv_arg} ${runtime_config} \
${cloud_config_arg} \
${advertise_address} \
${node_port_range} \
--v=${LOG_LEVEL} \
--vmodule="${LOG_SPEC}" \
--audit-policy-file=/tmp/kube-audit-policy-file \
--audit-log-path=${LOG_DIR}/kube-apiserver-audit.log \
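Review bot: the policy path is the literal `/tmp/kube-audit-policy-file` both here and where the heredoc writes it, so a caller has no way to point the apiserver at a policy of their own; set `AUDIT_POLICY_FILE` once (defaulting to the generated file) and pass `--audit-policy-file="${AUDIT_POLICY_FILE}"` instead. Because the apiserver is started through `${CONTROLPLANE_SUDO}`, reading its policy from a fixed, predictable name in the shared `/tmp` is weaker than keeping it beside `kube-apiserver-audit.log` under `${LOG_DIR}`. `--audit-log-path` without `--audit-log-maxsize` and `--audit-log-maxbackup` also leaves the audit log unbounded, as the thread notes.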


@liggitt

liggitt Jan 10, 2019

Member

should we set --audit-log-maxsize to avoid filling disks with logs?


@BenTheElder

BenTheElder Feb 6, 2019

Member

what size would you expect for a local cluster doing some testing?
planning to look at something similar for https://github.com/kubernetes-sigs/kind soon.

@liggitt

Member

liggitt commented Jan 10, 2019

is the test failure related?

@dims

Member Author

dims commented Jan 10, 2019

@liggitt I used it when trying to poke at the audit log for the 0-length problem. But no, it's not related to any failures per se.

@dims dims force-pushed the dims:add-minimal-audit-policy-to-local-up-cluster branch from d570e4d to 654ab35 Jan 14, 2019

@k8s-ci-robot

Contributor

k8s-ci-robot commented Jan 14, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@dims

Member Author

dims commented Feb 5, 2019

@@ -565,13 +565,23 @@ function start_apiserver {
cloud_config_arg="--cloud-provider=external"
fi

cat <<EOF > /tmp/kube-audit-policy-file
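Review bot: this heredoc runs unconditionally on every start, and the flag further down names the same literal path, so an operator who exports their own `AUDIT_POLICY_FILE` still gets the generated policy. Guard the write and make the flag follow the variable: `if [[ -z "${AUDIT_POLICY_FILE:-}" ]]; then AUDIT_POLICY_FILE=/tmp/kube-audit-policy-file; cat <<EOF > "${AUDIT_POLICY_FILE}"` ... `EOF` `fi`, then `--audit-policy-file="${AUDIT_POLICY_FILE}"`.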


@liggitt

liggitt Feb 5, 2019

Member

only do this if $AUDIT_POLICY_FILE is unset, and set AUDIT_POLICY_FILE to /tmp/kube-audit-policy-file here, and use --audit-policy-file="${AUDIT_POLICY_FILE}" \ below?


@cblecker

cblecker Feb 6, 2019

Member

I wish we weren't hardcoding to /tmp, but it's all over the file so it's not exactly going to break anyone.


@liggitt

liggitt Feb 6, 2019

Member

I had the same thought, and the same follow-up response. I wouldn't do something different just for this file.
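As an added example (not code from the PR or from hack/local-up-cluster.sh), here is the guarded policy write that liggitt asks for, combined with bounding the log size as raised in the `--audit-log-maxsize` thread. LOG_DIR, AUDIT_LOG_MAXSIZE and AUDIT_LOG_MAXBACKUP are assumed variable names, and the policy body is a minimal constructed one.

```shell
# Added example, not the PR's code. LOG_DIR is assumed to be the apiserver log
# directory; AUDIT_POLICY_FILE, AUDIT_LOG_MAXSIZE and AUDIT_LOG_MAXBACKUP are
# optional overrides the caller may export before running this.

LOG_DIR="${LOG_DIR:-$(mktemp -d)}"

# Write a minimal policy only when the caller has not supplied one. Keeping it
# under LOG_DIR instead of a fixed /tmp name avoids writing to a predictable
# path in a shared, world-writable directory.
ensure_audit_policy() {
  if [ -z "${AUDIT_POLICY_FILE:-}" ]; then
    AUDIT_POLICY_FILE="${LOG_DIR}/kube-audit-policy-file"
    cat <<EOF > "${AUDIT_POLICY_FILE}"
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so each request yields one event, not two.
omitStages:
  - "RequestReceived"
rules:
  # Metadata = user, verb, resource and response status; no request bodies.
  - level: Metadata
EOF
  fi
  export AUDIT_POLICY_FILE
}

# Print the audit flags to append to the apiserver command line. maxsize is in
# megabytes and maxbackup caps the number of rotated files kept, so a long
# running local cluster cannot fill the disk with audit output.
audit_flags() {
  ensure_audit_policy
  printf '%s\n' \
    "--audit-policy-file=${AUDIT_POLICY_FILE}" \
    "--audit-log-path=${LOG_DIR}/kube-apiserver-audit.log" \
    "--audit-log-maxsize=${AUDIT_LOG_MAXSIZE:-100}" \
    "--audit-log-maxbackup=${AUDIT_LOG_MAXBACKUP:-5}"
}
```

Call `audit_flags` where the hyperkube apiserver command is assembled and splice its output into the argument list; a pre-exported AUDIT_POLICY_FILE is passed through untouched.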

@cblecker
Member

cblecker left a comment

No bash concerns. I defer to @liggitt for the specific flags and format of the policy file.

@dims

Member Author

dims commented Feb 18, 2019

@liggitt @cblecker so can we let this in?

@liggitt

Member

liggitt commented Feb 18, 2019

#72487 (comment) still applies

Add minimal audit policy to local-up-cluster
Change-Id: Ia2cdb5a6a891665ece5365698f2989ba3782a5ec

@dims dims force-pushed the dims:add-minimal-audit-policy-to-local-up-cluster branch from 654ab35 to 6b6bfb3 Feb 18, 2019

@dims

Member Author

dims commented Feb 18, 2019

@liggitt whoops! missed that. fixing now.

@dims

Member Author

dims commented Feb 18, 2019

/retest

@dims

Member Author

dims commented Feb 18, 2019

/priority important-soon
/sig testing

@liggitt

Member

liggitt commented Feb 20, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Feb 20, 2019

@k8s-ci-robot k8s-ci-robot merged commit b96342a into kubernetes:master Feb 20, 2019

17 checks passed

cla/linuxfoundation dims authorized
pull-kubernetes-bazel-build Job succeeded.
pull-kubernetes-bazel-test Job succeeded.
pull-kubernetes-cross Skipped
pull-kubernetes-e2e-gce Job succeeded.
pull-kubernetes-e2e-gce-100-performance Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
pull-kubernetes-godeps Skipped
pull-kubernetes-integration Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
pull-kubernetes-local-e2e Job succeeded.
pull-kubernetes-local-e2e-containerized Skipped
pull-kubernetes-node-e2e Job succeeded.
pull-kubernetes-typecheck Job succeeded.
pull-kubernetes-verify Job succeeded.
pull-publishing-bot-validate Skipped
tide In merge pool.