enable audit log for os-3.11 (kubevirt#75)

* enable audit log for os-3.11 Signed-off-by: Marcin Franczyk <mfranczy@redhat.com> * use ansible-2.7.9-1 for os-3.11 * increase VM memory for os provisioners * Update README with new hashes
kubevirt-bot · Jun 16, 2019 · ba676dd · ba676dd
1 parent 45cdf80
commit ba676dd
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 18 deletions.
diff --git a/cluster-provision/README.md b/cluster-provision/README.md
@@ -34,9 +34,9 @@
 * **Deprecated**: `kubevirtci/os-3.10.0:`: `sha256:cc418c0c837d8e6c9a31a063762d9e4c8bfc70a1fcca10823b11c6d8a7ae2394`
 * **Deprecated**: `kubevirtci/os-3.10.0-crio:`: `sha256:56debd7bc2ce87dd616ebc30f06971e388b6983c0cda8646a7563e1dafadb69b`
 * **Deprecated**: `kubevirtci/os-3.10.0-multus`: `sha256:875c973099141ab2013aaf51ec2b35b5326be943ef1437e4a87e041405e724ca`
-* `kubevirtci/os-3.11.0-multus`: `sha256:b799a707e2c42caa1e3a7e7677cd14bbd834b3e3f6f1bce48b7a32d705e383fb`
-* `kubevirtci/os-3.11.0:`: `sha256:2d0a8f59dfebe181f550c4fbcd90d491a56a7d642d761c32a3c7732644325c0b`
-* `kubevirtci/os-3.11.0-crio:`: `sha256:3f11a6f437fcdf2d70de4fcc31e0383656f994d0d05f9a83face114ea7254bc0`
+* `kubevirtci/os-3.11.0-multus`: `sha256:f2d03ccbe60157e60a5be3b41536e1ba046fc1820c1ceec1f0018b0362c7808c`
+* `kubevirtci/os-3.11.0:`: `sha256:ce98292a3e11f6b69a8c2db173c586fd1aea5a2f34031e5e5bc16802320cec82`
+* `kubevirtci/os-3.11.0-crio:`: `sha256:ec798b0399f7ffeb0477a077574205cd379b79710a14965eab52c798be2bdc52`
 * **Deprecated**: `kubevirtci/k8s-1.9.3:`: `sha256:f6ffb23261fb8aa15ed45b8d17e1299e284ea75e1d2814ee6b4ec24ecea6f24b`
 * **Deprecated**: `kubevirtci/k8s-1.10.3:`: `sha256:d6290260e7e6b84419984f12719cf592ccbe327373b8df76aa0481f8ec01d357`
 * **Deprecated**: `kubevirtci/k8s-1.10.4:`: `sha256:2ed70abfa8f6c30d990b76b816577040c0709258cbbd7c70f71a70d547f5544f`

diff --git a/cluster-provision/os-3.11/scripts/provision.sh b/cluster-provision/os-3.11/scripts/provision.sh
@@ -20,8 +20,7 @@ gpgcheck=0
 EOF
 
 # Install OpenShift packages
-yum install -y ansible \
-  wget \
+yum install -y wget \
   git \
   net-tools \
   bind-utils \
@@ -40,6 +39,9 @@ yum install -y ansible \
   docker-1.13.1-75.git8633870.el7.centos.x86_64 \
   python-docker-pycreds-1.10.6-4.el7.noarch
 
+wget https://releases.ansible.com/ansible/rpm/release/epel-7-x86_64/ansible-2.7.9-1.el7.ans.noarch.rpm
+yum -y localinstall ansible-2.7.9-1.el7.ans.noarch.rpm
+
 # Disable spectre and meltdown patches
 sed -i 's/quiet"/quiet spectre_v2=off nopti hugepagesz=2M hugepages=64"/' /etc/default/grub
 grub2-mkconfig -o /boot/grub2/grub.cfg
@@ -65,18 +67,12 @@ inventory_file="/root/inventory"
 master_ip="192.168.66.101"
 echo "$master_ip node01" >> /etc/hosts
 
-git clone https://github.com/openshift/openshift-ansible.git -b v3.11.0 --depth 1 $openshift_ansible
-
-# Apply fix https://github.com/openshift/openshift-ansible/pull/10459
-# TODO: remove it when the fix will be available under the v3.11.0 tag
-sed -i 's/python-docker/python-docker-py/' $openshift_ansible/playbooks/init/base_packages.yml
+wget https://github.com/openshift/openshift-ansible/archive/openshift-ansible-3.11.119-1.tar.gz -P $openshift_ansible
+tar -xvf $openshift_ansible/openshift-ansible-3.11.119-1.tar.gz --strip=1 -C $openshift_ansible
 
 # Create ansible inventory file
 cat >$inventory_file <<EOF
 all:
-  vars:
-    olm_operator_image: quay.io/coreos/olm:master-08ea39b7
-    olm_catalog_operator_image: quay.io/coreos/catalog:master-57dd618d
   children:
     OSEv3:
       hosts:
@@ -98,9 +94,7 @@ all:
           hosts:
             node01:
       vars:
-        ansible_service_broker_registry_whitelist:
-        - .*-apb$
-        ansible_service_broker_image: docker.io/ansibleplaybookbundle/origin-ansible-service-broker:ansible-service-broker-1.2.17-1
+        openshift_enable_service_catalog: false
         ansible_ssh_pass: vagrant
         ansible_ssh_user: root
         deployment_type: origin
@@ -139,6 +133,11 @@ all:
         osm_controller_args:
           feature-gates:
           - BlockVolume=true
+        openshift_master_audit_config:
+          enabled: true
+          logFormat: json
+          auditFilePath: "/var/lib/origin/audit-ocp.log"
+          policyFile: "/etc/origin/master/adv-audit.yaml"
         openshift_node_groups:
         - name: node-config-master-infra-kubevirt
           labels:
@@ -179,6 +178,27 @@ all:
             - '40'
 EOF
 
+mkdir -p /etc/origin/master
+cat >/etc/origin/master/adv-audit.yaml <<EOF
+apiVersion: audit.k8s.io/v1beta1
+kind: Policy
+rules:
+- level: Request
+  users: ["system:admin"]
+  resources:
+  - group: kubevirt.io
+    resources:
+    - virtualmachines
+    - virtualmachineinstances
+    - virtualmachineinstancereplicasets
+    - virtualmachineinstancepresets
+    - virtualmachineinstancemigrations
+  omitStages:
+  - RequestReceived
+  - ResponseStarted
+  - Panic
+EOF
+
 # Add cri-o variable to inventory file
 if [[ $1 == "true" ]]; then
     sed -i "s/    vars\:/    vars\:\n        openshift_use_crio: 'true'/" $inventory_file
@@ -187,8 +207,6 @@ fi
 # Install prerequisites
 ansible-playbook -e "ansible_user=root ansible_ssh_pass=vagrant" -i $inventory_file $openshift_ansible/playbooks/prerequisites.yml
 ansible-playbook -i $inventory_file $openshift_ansible/playbooks/deploy_cluster.yml
-# Install OLM
-ansible-playbook -i $inventory_file $openshift_ansible/playbooks/olm/config.yml
 
 # Create OpenShift user
 /usr/bin/oc create user admin