
Change the Kube-API Audit.log output file path #1653

Closed
mddamato opened this issue Aug 17, 2021 · 5 comments

Comments

@mddamato

Is your feature request related to a problem? Please describe.
I am not able to change the output folder of the Kube-API audit logs using Kubelet args (enabled by cis-1.6) because it's statically mounted to the pod in a predefined location relative to the DataDir.

Describe the solution you'd like
A way to override the default audit log path so that it can be somewhere else such as /var/log or /var/log/audit

It appears it can be overridden currently by changing the dataDir, but this isn't ideal as all the data would go with it.

auditLogFile := filepath.Join(s.DataDir, "server/logs/audit.log")

Additional context
On some systems, it is a security requirement for audit logs to be output to dedicated partitions. On RHEL systems, for example, the STIG defines /var/log and /var/log/audit to be on dedicated partitions. It would be nice to be able to mount these to the Kube-API pod and use these preexisting configurations to satisfy the same requirement as a container platform.

@brandond
Contributor

brandond commented Aug 17, 2021

You can probably get what you want with the combination of a few recent commits:

The --profile flag will continue to set things up in an opinionated way, but if you want to move things on your own you can do that using a custom policy file and log paths.

@nikkelma
Contributor

The configuration options I'm seeing don't allow the API server to target outputting to something like /var/log/kubernetes/audit.log. I was looking at master though; is this possible in a specific release version and I'm missing it?

@brandond
Contributor

The extra binds stuff doesn't allow it? You could bind /var/log/audit into the apiserver pod and then target wherever you mounted that in the pod for the audit log file.

@nikkelma
Contributor

nikkelma commented Aug 17, 2021

Ohh ok, sorry, just putting pieces together: you're suggesting making an extra mount that points filepath.Join(s.DataDir, "server/logs/audit.log") in the container to /var/log/audit/kubernetes/ on the host, so the API server's /var/lib/rancher/rke2/server/logs/audit.log file writes out to /var/log/audit/kubernetes/audit.log? That's complex but makes sense; any possibility the filename could be changed? I could see something like /var/log/audit/kubernetes.log being needed, but I need to defer to @mddamato on detailed, concrete use cases.

@brandond
Contributor

brandond commented Aug 18, 2021

I think there is some Rancher log collection stuff that expects the current path and name, so changing the default would be difficult.

I think we're on the same page, but yeah, I was suggesting using the extra mounts for the apiserver to mount /var/log/audit somewhere in the apiserver pod (at a path of your choosing) and then adding your own audit logging configuration via --kube-apiserver-arg to instruct the apiserver to store audit logs at your custom path. I am not sure what SELinux will think of these changes though; you might have to tinker with that a bit as well if you put things in places the policy doesn't expect.
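The approach sketched in this thread (bind a dedicated host audit directory into the kube-apiserver pod, then point the apiserver at it with --kube-apiserver-arg), written out as an added example that is not part of the issue or of the RKE2 project. It assumes the server config lives at /etc/rancher/rke2/config.yaml, that RKE2 accepts a `kube-apiserver-extra-mount` option in `host:container` form, and that the audit policy file's directory must also be mounted into the pod so `--audit-policy-file` can read it; the audit-log-* flags are the upstream kube-apiserver flags. The second function checks the STIG-style precondition mentioned at the top of the issue: that the chosen directory really is its own mount point rather than a directory on the root filesystem.

```shell
#!/bin/sh
# Added example (not RKE2 project code). Renders an RKE2 server config.yaml
# fragment that relocates the kube-apiserver audit log onto a dedicated host
# partition, and checks that the target directory is actually a mount point.
#
# Assumptions (not confirmed by the issue text):
#   - RKE2 reads /etc/rancher/rke2/config.yaml
#   - `kube-apiserver-extra-mount` takes "hostpath:containerpath" entries
#   - the audit policy file is only readable by the apiserver if its
#     directory is also mounted into the static pod

# Print the config.yaml fragment for a host audit directory and policy file.
# The same path is used inside the pod, so the apiserver flag and the host
# location (what log shippers and auditd-style tooling watch) stay identical.
render_rke2_audit_config() {
    host_dir="$1"       # e.g. /var/log/audit/kubernetes (dedicated partition)
    policy_file="$2"    # e.g. /etc/rancher/rke2/audit-policy.yaml
    policy_dir=$(dirname "$policy_file")
    cat <<EOF
# --profile hardening stays in place; only the audit destination is overridden.
kube-apiserver-extra-mount:
  - "${host_dir}:${host_dir}"
  - "${policy_dir}:${policy_dir}"
kube-apiserver-arg:
  - "audit-log-path=${host_dir}/audit.log"
  - "audit-policy-file=${policy_file}"
  - "audit-log-maxage=30"
  - "audit-log-maxbackup=10"
  - "audit-log-maxsize=100"
EOF
}

# Print the mount point that backs a directory (POSIX df -P, column 6).
mount_point_of() {
    df -P "$1" | awk 'NR==2 {print $6}'
}

# Return 0 only if the directory is itself a mount point, i.e. lives on a
# dedicated partition rather than on the filesystem of a parent directory.
check_dedicated_mount() {
    [ "$(mount_point_of "$1")" = "$1" ]
}

# Return 0 if the rendered fragment contains the expected substring.
config_contains() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Usage: sh audit-path.sh /var/log/audit/kubernetes /etc/rancher/rke2/audit-policy.yaml
if [ "$#" -ge 2 ]; then
    if ! check_dedicated_mount "$1"; then
        echo "warning: $1 is not a dedicated mount point (backed by $(mount_point_of "$1"))" >&2
    fi
    render_rke2_audit_config "$1" "$2"
fi
```

The warning branch is the check a hardening reviewer would want before trusting the new path: if /var/log/audit/kubernetes is merely a directory on the root filesystem, the relocation changes nothing about partition isolation. The rendered fragment is meant to be appended to config.yaml followed by a restart of rke2-server; the SELinux caveat from the comment above still applies to whichever host path is chosen.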


4 participants