Change the Kube-API Audit.log output file path #1653
Comments
You can probably get what you want with the combination of a few recent commits:
The |
The configuration options I'm seeing don't allow the API server to target outputting to something like |
The extra binds stuff doesn't allow it? You could bind /var/log/audit into the apiserver pod and then target wherever you mounted that in the pod for the audit log file.
Ohh ok sorry just putting pieces together - you're suggesting to make an extra mount that points |
I think there is some Rancher log collection stuff that expects the current path and name, so changing the default would be difficult. I think we're on the same page, but yeah I was suggesting using the extra mounts for the apiserver to mount /var/log/audit somewhere in the apiserver pod (at a path of your choosing) and then adding your own audit logging configuration via --kube-apiserver-arg to instruct the apiserver to store audit logs at your custom path. I am not sure what SELinux will think of these changes though, you might have to tinker with that a bit as well if you put things in places the policy doesn't expect.
Is your feature request related to a problem? Please describe.
I am not able to change the output folder of the Kube-API audit logs using Kubelet args (enabled by cis-1.6) because it's statically mounted to the pod in a predefined location relative to the DataDir.
Describe the solution you'd like
A way to override the default audit log path so that it can be somewhere else such as /var/log or /var/log/audit
It appears it can be overridden currently by changing the dataDir, but this isn't ideal as all the data would go with it.
rke2/pkg/podexecutor/staticpod.go, line 220 in d396832
Additional context
On some systems, it is a security requirement for audit logs to be output to dedicated partitions. On RHEL systems, for example, the STIG defines /var/log and /var/log/audit to be on dedicated partitions. It would be nice to be able to mount these to the Kube-API pod and use these preexisting configurations to satisfy the same requirement as a container platform.
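The workaround the maintainer describes above (mount the host's dedicated audit partition into the kube-apiserver static pod with an extra mount, then point the apiserver at it with --kube-apiserver-arg) as a concrete rke2 server configuration. This is an added example, not configuration from the rke2 project or from anyone in this thread. It assumes the config file lives at /etc/rancher/rke2/config.yaml, that `kube-apiserver-extra-mount` takes entries in host-path:container-path form, that /var/log/audit is already a dedicated partition on the host (the RHEL STIG layout mentioned in the issue), and that the in-pod mount point /var/log/kube-apiserver-audit and the rotation values are arbitrary choices made here:

```yaml
# /etc/rancher/rke2/config.yaml  (added example; path and values are assumptions)
#
# Keep the CIS profile that turns API audit logging on.
profile: cis-1.6

# Bind the host's dedicated audit partition into the kube-apiserver static pod.
# Format: host-path:container-path. The container-side path is an arbitrary
# choice for this example; it only has to match the audit-log-path below.
kube-apiserver-extra-mount:
  - "/var/log/audit:/var/log/kube-apiserver-audit"

# Override the apiserver's own audit settings so the log is written on the
# mounted partition instead of the default location under the data directory.
# Rotation values are illustrative: size-bound the log so it cannot fill the
# audit partition, which would also starve the host's own auditd.
kube-apiserver-arg:
  - "audit-log-path=/var/log/kube-apiserver-audit/kube-apiserver-audit.log"
  - "audit-log-maxage=30"
  - "audit-log-maxbackup=10"
  - "audit-log-maxsize=100"
```

After restarting the rke2-server service, confirm on the host (not inside the pod) that /var/log/audit/kube-apiserver-audit.log is being appended to and that `df` shows it on the dedicated partition rather than on the data-directory filesystem. As noted in the thread, two things can break this: on SELinux-enforcing hosts the container process may be denied writes to a directory the policy does not expect it to touch, and Rancher's log collection expects the default path and name, so it will no longer pick up the apiserver audit log at its new location.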