Add minimal audit policy to local-up-cluster #72487
/test pull-kubernetes-local-e2e
/assign @liggitt
APISERVER_LOG=${LOG_DIR}/kube-apiserver.log | ||
${CONTROLPLANE_SUDO} "${GO_OUT}/hyperkube" apiserver ${swagger_arg} ${authorizer_arg} ${priv_arg} ${runtime_config} \ | ||
${cloud_config_arg} \ | ||
${advertise_address} \ | ||
${node_port_range} \ | ||
--v=${LOG_LEVEL} \ | ||
--vmodule="${LOG_SPEC}" \ | ||
--audit-policy-file=/tmp/kube-audit-policy-file \ | ||
--audit-log-path=${LOG_DIR}/kube-apiserver-audit.log \ |
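Review bot: `--audit-log-path=${LOG_DIR}/kube-apiserver-audit.log` is added with no rotation limit, so the audit log grows for as long as the local cluster runs and can fill the disk. Add `--audit-log-maxsize=<MB>` and `--audit-log-maxbackup=<count>` on the following lines so old segments are rotated and pruned (both are existing kube-apiserver flags). Also quote the new argument the way the adjacent `--vmodule="${LOG_SPEC}"` is quoted, i.e. `--audit-log-path="${LOG_DIR}/kube-apiserver-audit.log" \`, so a `LOG_DIR` containing whitespace cannot split the argument.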
should we set --audit-log-maxsize to avoid filling disks with logs?
what size would you expect for a local cluster doing some testing?
planning to look at something similar for https://github.com/kubernetes-sigs/kind soon.
is the test failure related?
@liggitt I used it when trying to poke at the audit log for the 0-length problem. But no, it's not related to any failures per se.
d570e4d to 654ab35
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: dims. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/assign @BenTheElder @cblecker
hack/local-up-cluster.sh
Outdated
@@ -565,13 +565,23 @@ function start_apiserver { | |||
cloud_config_arg="--cloud-provider=external" | |||
fi | |||
|
|||
cat <<EOF > /tmp/kube-audit-policy-file |
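Review bot: `cat <<EOF > /tmp/kube-audit-policy-file` overwrites a fixed, world-writable path on every start, which clobbers any policy a user wants to test and means the apiserver's audit policy is read from a name that any local user could have created (or symlinked) beforehand, since `>` follows an existing symlink. Guard the write on `${AUDIT_POLICY_FILE}` being unset, as liggitt suggests in this thread, and point both the write and `--audit-policy-file` at that variable; a `mktemp`-created path or `${TMPDIR:-/tmp}` avoids the predictable name. The heredoc delimiter is also unquoted (`<<EOF`), so any `$` in the policy body would be expanded by the shell; use `<<'EOF'` unless expansion is intended.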
only do this if $AUDIT_POLICY_FILE is unset, and set AUDIT_POLICY_FILE to /tmp/kube-audit-policy-file here, and use --audit-policy-file="${AUDIT_POLICY_FILE}" \ below?
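The guard liggitt describes (write a default policy only when `AUDIT_POLICY_FILE` is unset, then pass `--audit-policy-file="${AUDIT_POLICY_FILE}"`) together with the `--audit-log-maxsize` rotation limit raised earlier in the thread, written out as an added shell example. This is not code from the PR or from `hack/local-up-cluster.sh`; the function names `write_default_audit_policy`, `ensure_audit_policy` and `audit_apiserver_args`, the `AUDIT_LOG_MAXSIZE_MB` / `AUDIT_LOG_MAXBACKUP` knobs and the Metadata-level policy body are assumptions, since the PR's actual policy text is not shown on this page.

```shell
#!/bin/sh
# Added example, not code from the PR or from hack/local-up-cluster.sh.
# Function names, the AUDIT_LOG_MAXSIZE_MB / AUDIT_LOG_MAXBACKUP knobs and the
# policy body below are assumptions; the PR's real policy text is not shown.
set -eu

# Assumed minimal policy: record request metadata (user, verb, resource,
# response code) for every request, but never request or response bodies.
write_default_audit_policy() {
  path="$1"
  # Quoted delimiter: nothing inside the heredoc is expanded by the shell.
  cat <<'EOF' > "$path"
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: Metadata
EOF
  chmod 0644 "$path"
}

# Print the policy path to use. A caller-provided AUDIT_POLICY_FILE is honoured
# as-is (and must be readable); otherwise a default is written under a fresh
# mktemp directory rather than at a fixed, predictable name in /tmp.
ensure_audit_policy() {
  if [ -n "${AUDIT_POLICY_FILE:-}" ]; then
    if [ ! -r "${AUDIT_POLICY_FILE}" ]; then
      echo "AUDIT_POLICY_FILE is set but not readable: ${AUDIT_POLICY_FILE}" >&2
      return 1
    fi
    printf '%s\n' "${AUDIT_POLICY_FILE}"
    return 0
  fi
  dir="$(mktemp -d)"
  write_default_audit_policy "${dir}/kube-audit-policy-file"
  printf '%s\n' "${dir}/kube-audit-policy-file"
}

# Emit the audit flags for the apiserver command line, one per line. The
# rotation limits bound disk usage: --audit-log-maxsize is in megabytes and
# --audit-log-maxbackup is the number of rotated files kept.
audit_apiserver_args() {
  policy="$1"
  log_dir="$2"
  printf '%s\n' \
    "--audit-policy-file=${policy}" \
    "--audit-log-path=${log_dir}/kube-apiserver-audit.log" \
    "--audit-log-maxsize=${AUDIT_LOG_MAXSIZE_MB:-100}" \
    "--audit-log-maxbackup=${AUDIT_LOG_MAXBACKUP:-5}"
}

# Stand-alone demo: resolve the policy file and show the resulting flags.
demo_policy="$(ensure_audit_policy)"
audit_apiserver_args "${demo_policy}" "${LOG_DIR:-/tmp}"
```

Running it with `AUDIT_POLICY_FILE` unset writes the default policy and prints four flags; with `AUDIT_POLICY_FILE=/path/to/policy.yaml` the existing file is used untouched, and a path that does not exist is rejected instead of being silently replaced.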
I wish we weren't hardcoding to /tmp, but it's all over the file so it's not exactly going to break anyone.
I had the same thought, and the same follow up response. I wouldn't do something different just for this file
No bash concerns. I defer to @liggitt for the specific flags and format of the policy file.
#72487 (comment) still applies
Change-Id: Ia2cdb5a6a891665ece5365698f2989ba3782a5ec
654ab35 to 6b6bfb3
@liggitt whoops! missed that. fixing now.
/kind, clean up
…On Mon, Feb 18, 2019, 12:22 PM Kubernetes Prow Robot < ***@***.*** wrote:
@dims <https://github.com/dims>: The following test *failed*, say /retest to rerun them all:
Test name: pull-kubernetes-e2e-gce; Commit: 6b6bfb3; Details: link <https://gubernator.k8s.io/build/kubernetes-jenkins/pr-logs/pull/72487/pull-kubernetes-e2e-gce/69104/>; Rerun command: /test pull-kubernetes-e2e-gce
Full PR test history <https://gubernator.k8s.io/pr/72487>. Your PR dashboard <https://gubernator.k8s.io/pr/dims>. Please help us cut down on flakes by linking to <https://git.k8s.io/community/contributors/devel/flaky-tests.md#filing-issues-for-flaky-tests> an open issue <https://github.com/kubernetes/kubernetes/issues?q=is:issue+is:open> when you hit one in your PR.
/retest
Retest
…On Mon, Feb 18, 2019, 1:28 PM Davanum Srinivas ***@***.*** wrote:
/retest
/priority important-soon
/lgtm
Change-Id: Ia2cdb5a6a891665ece5365698f2989ba3782a5ec
What type of PR is this?
/kind feature
What this PR does / why we need it:
Add support for generating audit logs.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: