Add minimal audit policy to local-up-cluster #72487
Conversation
k8s-ci-robot
added
release-note-none
k8s-ci-robot
added
the
approved
|
/test pull-kubernetes-local-e2e |
|
/assign @liggitt |
| APISERVER_LOG=${LOG_DIR}/kube-apiserver.log | ||
| ${CONTROLPLANE_SUDO} "${GO_OUT}/hyperkube" apiserver ${swagger_arg} ${authorizer_arg} ${priv_arg} ${runtime_config} \ | ||
| ${cloud_config_arg} \ | ||
| ${advertise_address} \ | ||
| ${node_port_range} \ | ||
| --v=${LOG_LEVEL} \ | ||
| --vmodule="${LOG_SPEC}" \ | ||
| --audit-policy-file=/tmp/kube-audit-policy-file \ | ||
| --audit-log-path=${LOG_DIR}/kube-apiserver-audit.log \ |
There was a problem hiding this comment.
should we set --audit-log-maxsize to avoid filling disks with logs?
There was a problem hiding this comment.
what size would you expect for a local cluster doing some testing?
planning to look at something similar for https://github.com/kubernetes-sigs/kind soon.
|
is the test failure related? |
|
@liggitt i used it when trying to poking at th the audit log for the 0-length problem. but no, it's not related to any failures per se. |
dims
force-pushed
the
add-minimal-audit-policy-to-local-up-cluster
branch
from
d570e4d
to
654ab35
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dims The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/assign @BenTheElder @cblecker |
hack/local-up-cluster.sh
Outdated
| @@ -565,13 +565,23 @@ function start_apiserver { | |||
| cloud_config_arg="--cloud-provider=external" | |||
| fi | |||
|
|
|||
| cat <<EOF > /tmp/kube-audit-policy-file | |||
There was a problem hiding this comment.
only do this if $AUDIT_POLICY_FILE is unset, and set AUDIT_POLICY_FILE to /tmp/kube-audit-policy-file here, and use --audit-policy-file="${AUDIT_POLICY_FILE}" \ below?
There was a problem hiding this comment.
I wish we weren't hardcoding to /tmp, but it's all over the file so it's not exactly going to break anyone.
There was a problem hiding this comment.
I had the same thought, and the same follow up response. I wouldn't do something different just for this file
hack/local-up-cluster.sh
Outdated
| @@ -565,13 +565,23 @@ function start_apiserver { | |||
| cloud_config_arg="--cloud-provider=external" | |||
| fi | |||
|
|
|||
| cat <<EOF > /tmp/kube-audit-policy-file | |||
There was a problem hiding this comment.
I wish we weren't hardcoding to /tmp, but it's all over the file so it's not exactly going to break anyone.
|
#72487 (comment) still applies |
Change-Id: Ia2cdb5a6a891665ece5365698f2989ba3782a5ec
dims
force-pushed
the
add-minimal-audit-policy-to-local-up-cluster
branch
from
654ab35
to
6b6bfb3
Compare
|
@liggitt whoops! missed that. fixing now. |
|
/kind, clean up
…On Mon, Feb 18, 2019, 12:22 PM Kubernetes Prow Robot < ***@***.*** wrote:
@dims <https://github.com/dims>: The following test *failed*, say /retest
to rerun them all:
Test name Commit Details Rerun command
pull-kubernetes-e2e-gce 6b6bfb3
<6b6bfb3>
link
<https://gubernator.k8s.io/build/kubernetes-jenkins/pr-logs/pull/72487/pull-kubernetes-e2e-gce/69104/> /test
pull-kubernetes-e2e-gce
Full PR test history <https://gubernator.k8s.io/pr/72487>. Your PR
dashboard <https://gubernator.k8s.io/pr/dims>. Please help us cut down on
flakes by linking to
<https://git.k8s.io/community/contributors/devel/flaky-tests.md#filing-issues-for-flaky-tests>
an open issue
<https://github.com/kubernetes/kubernetes/issues?q=is:issue+is:open> when
you hit one in your PR.
Instructions for interacting with me using PR comments are available here
<https://git.k8s.io/community/contributors/guide/pull-requests.md>. If
you have questions or suggestions related to my behavior, please file an
issue against the kubernetes/test-infra
<https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:>
repository. I understand the commands that are listed here
<https://go.k8s.io/bot-commands>.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#72487 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/Atif5bhfcKiGctS_Pm2As1k-ywIh_fhKks5vOuFrgaJpZM4ZmzaA>
.
|
|
/retest |
|
Retest
…On Mon, Feb 18, 2019, 1:28 PM Davanum Srinivas ***@***.*** wrote:
/retest
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#72487 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/Atif5dCLHgomGfb4x5kzfPTHomzWwHwWks5vOvDQgaJpZM4ZmzaA>
.
|
|
/priority important-soon |
k8s-ci-robot
added
priority/important-soon
|
/lgtm |
k8s-ci-robot
added
the
lgtm
Change-Id: Ia2cdb5a6a891665ece5365698f2989ba3782a5ec
What type of PR is this?
/kind feature
What this PR does / why we need it:
Add support for generating audit logs.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: