@jimangel
Last active April 24, 2024 19:13
Enable audit logging on a kind cluster

Enable auditing on KinD

TODO

  • Use a webhook vs. file backend (maybe cloudrun?)
  • This might only be possible if Docker is running as root - need to test

Config

Make a temporary directory to host files to be mounted in KinD.

mkdir -p /tmp/api/

Create an audit-policy.yaml file.

cat <<EOF > /tmp/api/audit-policy.yaml
# Log all requests at the Metadata level.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
EOF
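With this one-rule policy every request on the cluster is recorded at Metadata; nothing is dropped and nothing is captured in full. As soon as you add rules, their order decides what gets logged: kube-apiserver checks the rules top to bottom, the first match sets the level, and a request that matches no rule is not logged at all (level None). The resource patterns follow the policy documentation, where `pods` does not match `pods/exec`. The script below is an added example, not the gist's code and not kube-apiserver's implementation; it is a simplified model of that documented behaviour (users, userGroups, verbs, namespaces and resources only; nonResourceURLs, resourceNames and omitStages are not modelled), with a constructed tighter policy and a check for rules that an earlier catch-all makes dead.

```python
"""Simplified model of Kubernetes audit-policy evaluation (added example, not
the gist's code and not kube-apiserver's implementation).

Modelled behaviour: rules are checked in order, the first matching rule sets
the audit level, and a request that matches no rule gets level None.
Resource patterns: "pods" matches only the pods resource (not "pods/exec"),
"pods/log" matches that subresource, "*" matches everything, "pods/*" matches
pods and its subresources. Not modelled: nonResourceURLs, resourceNames,
omitStages.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """Attributes of one API request that a policy rule is matched against."""
    user: str
    groups: tuple = ()
    verb: str = "get"
    group: str = ""        # API group; "" is the core group
    resource: str = ""     # e.g. "pods"
    subresource: str = ""  # e.g. "exec"
    namespace: str = ""    # "" for cluster-scoped requests


def resource_matches(pattern: str, req: Request) -> bool:
    full = req.resource + (f"/{req.subresource}" if req.subresource else "")
    if pattern in ("*", full):
        return True
    return pattern.endswith("/*") and req.resource == pattern[:-2]


def rule_matches(rule: dict, req: Request) -> bool:
    """Every selector the rule sets must match; an unset selector matches all."""
    if rule.get("users") and req.user not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(req.groups):
        return False
    if rule.get("verbs") and req.verb not in rule["verbs"]:
        return False
    if rule.get("namespaces") and req.namespace not in rule["namespaces"]:
        return False
    if rule.get("resources"):
        return any(
            gr.get("group", "") == req.group
            and (not gr.get("resources")
                 or any(resource_matches(p, req) for p in gr["resources"]))
            for gr in rule["resources"]
        )
    return True


def audit_level(policy: dict, req: Request) -> str:
    """First matching rule wins; no match means the request is not logged."""
    for rule in policy["rules"]:
        if rule_matches(rule, req):
            return rule["level"]
    return "None"


SELECTORS = ("users", "userGroups", "verbs", "namespaces", "resources", "nonResourceURLs")


def dead_rules(policy: dict) -> list:
    """Indexes of rules that can never fire because an earlier rule has no selectors."""
    for i, rule in enumerate(policy["rules"]):
        if not any(rule.get(k) for k in SELECTORS):
            return list(range(i + 1, len(policy["rules"])))
    return []


# Constructed policy, tighter than the gist's single Metadata rule.
POLICY = {
    "apiVersion": "audit.k8s.io/v1",
    "kind": "Policy",
    "rules": [
        # Drop kube-proxy's endpoint/service watches, the noisiest traffic.
        {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
         "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
        # Record who touched secrets, but never their contents.
        {"level": "Metadata",
         "resources": [{"group": "", "resources": ["secrets"]}]},
        # Full request and response bodies for RBAC changes.
        {"level": "RequestResponse", "verbs": ["create", "update", "patch", "delete"],
         "resources": [{"group": "rbac.authorization.k8s.io",
                        "resources": ["roles", "rolebindings",
                                      "clusterroles", "clusterrolebindings"]}]},
        # Subresources need their own entry: a "pods" rule would not cover these.
        {"level": "Request",
         "resources": [{"group": "",
                        "resources": ["pods/exec", "pods/attach", "pods/portforward"]}]},
        # Catch-all, the same as the gist's only rule. It must stay last.
        {"level": "Metadata"},
    ],
}

if __name__ == "__main__":
    exec_req = Request("jane", ("developers",), "create", "", "pods", "exec", "default")
    print(audit_level(POLICY, exec_req))
    shuffled = {"rules": [POLICY["rules"][-1]] + POLICY["rules"][:-1]}
    print(audit_level(shuffled, exec_req), dead_rules(shuffled))
```

Moving the catch-all to the top silently downgrades every other rule to Metadata, which is exactly what `dead_rules` reports; dropping the catch-all instead means anything the remaining rules do not name is never logged.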

Create a kind-config.yaml file. The policy is mounted from the host into the node, and from the node into the API server pod; the audit log is written into the same directory, so neither mount can be read-only.

cat <<EOF > kind-config.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
  PodSecurity: true
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
      extraArgs:
        audit-log-path: /etc/kubernetes/audit/audit.log
        audit-policy-file: /etc/kubernetes/audit/audit-policy.yaml
      # node directory -> kube-apiserver static pod
      extraVolumes:
      - name: audit-policy
        hostPath: /etc/kubernetes/audit
        mountPath: /etc/kubernetes/audit
        readOnly: false
        pathType: "DirectoryOrCreate"
  # host directory -> node container
  extraMounts:
  - hostPath: /tmp/api/
    containerPath: /etc/kubernetes/audit
    readOnly: false
    selinuxRelabel: false
    propagation: None
EOF

Confirm the directory holds only the policy file, so any audit.log that appears later was written by this cluster and not left over from an earlier run.

$ ls -lah /tmp/api/
total 12K
drwxrwxr-x  2 jangel jangel 4.0K Aug 20 02:05 .
drwxrwxrwt 14 root   root   4.0K Aug 20 02:09 ..
-rw-rw-r--  1 jangel jangel  108 Aug 20 01:49 audit-policy.yaml

Launch your cluster!

kind create cluster --image=kindest/node:v1.22.0@sha256:b8bda84bb3a190e6e028b1760d277454a72267a5454b57db34437c34a588d047 --config kind-config.yaml

Output looks similar to:

Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.22.0) 🖼
 ✓ Preparing nodes 📦
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹️
 ✓ Installing CNI 🔌
 ✓ Installing StorageClass 💾
Set kubectl context to "kind-kind"
You can now use your cluster with:

kubectl cluster-info --context kind-kind

Not sure what to do next? 😅  Check out https://kind.sigs.k8s.io/docs/user/quick-start/

Once complete, let's check out those audit logs! The API server writes audit.log into the mounted directory as root, hence the sudo:

sudo cat /tmp/api/audit.log
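Each line of audit.log is one JSON audit Event, and because the policy sets no omitStages every request produces two of them (RequestReceived and ResponseComplete) that share an auditID, with responseStatus only on the second. The script below is added here and is not part of the gist: it parses constructed lines in that format (the users, IPs and auditIDs are made up), collapses the two stages into one record per request, skips a truncated line of the kind you get while the API server is mid-write, and flags the events a responder looks at first: secret reads, exec into pods, RBAC changes, anonymous callers and denied requests.

```python
"""Triage a kube-apiserver audit log (added example, not from the gist).

Input: one audit.k8s.io/v1 Event per line, as written by --audit-log-path.
Two events per request (RequestReceived, ResponseComplete) share an auditID;
only ResponseComplete carries responseStatus.
"""
import json
from collections import Counter

# Constructed sample lines (users, IPs and auditIDs are made up). The last
# line is deliberately truncated, as seen when reading the file mid-write.
SAMPLE_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1f0-0001","stage":"RequestReceived","requestURI":"/api/v1/namespaces/default/secrets/db-creds","verb":"get","user":{"username":"jane","groups":["developers","system:authenticated"]},"sourceIPs":["10.244.0.1"],"userAgent":"kubectl/v1.22.0","objectRef":{"resource":"secrets","namespace":"default","name":"db-creds","apiVersion":"v1"},"requestReceivedTimestamp":"2021-08-20T02:10:01.000000Z","stageTimestamp":"2021-08-20T02:10:01.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1f0-0001","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets/db-creds","verb":"get","user":{"username":"jane","groups":["developers","system:authenticated"]},"sourceIPs":["10.244.0.1"],"userAgent":"kubectl/v1.22.0","objectRef":{"resource":"secrets","namespace":"default","name":"db-creds","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-08-20T02:10:01.000000Z","stageTimestamp":"2021-08-20T02:10:01.002000Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1f0-0002","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods/web-0/exec?command=sh&stdin=true&tty=true","verb":"create","user":{"username":"jane","groups":["developers","system:authenticated"]},"sourceIPs":["10.244.0.1"],"userAgent":"kubectl/v1.22.0","objectRef":{"resource":"pods","namespace":"default","name":"web-0","apiVersion":"v1","subresource":"exec"},"responseStatus":{"metadata":{},"code":101},"requestReceivedTimestamp":"2021-08-20T02:11:00.000000Z","stageTimestamp":"2021-08-20T02:11:00.050000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1f0-0003","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["172.18.0.1"],"userAgent":"curl/7.74.0","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","reason":"Forbidden","code":403},"requestReceivedTimestamp":"2021-08-20T02:12:00.000000Z","stageTimestamp":"2021-08-20T02:12:00.001000Z","annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1f0-0004","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["172.18.0.1"],"userAgent":"kubectl/v1.22.0","objectRef":{"resource":"clusterrolebindings","name":"ci-admin","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2021-08-20T02:13:00.000000Z","stageTimestamp":"2021-08-20T02:13:00.010000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1f0-0005","stage":"ResponseComplete","requestURI":"/api/v1/pods?limit=500","verb":"list","user":{"username":"system:kube-scheduler","groups":["system:authenticated"]},"sourceIPs":["172.18.0.2"],"userAgent":"kube-scheduler/v1.22.0","objectRef":{"resource":"pods","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-08-20T02:14:00.000000Z","stageTimestamp":"2021-08-20T02:14:00.003000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1f0-0006","stage":"Req
"""

SENSITIVE_SUBRESOURCES = ("exec", "attach", "portforward")
WRITE_VERBS = ("create", "update", "patch", "delete", "deletecollection")


def parse_events(text: str) -> list:
    """Parse JSON lines, dropping blank or partially written ones."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated tail of a file still being written
        if ev.get("kind") == "Event":
            events.append(ev)
    return events


def completed_requests(events: list) -> list:
    """One event per auditID, preferring the ResponseComplete stage."""
    by_id = {}
    for ev in events:
        aid = ev["auditID"]
        if aid not in by_id or ev.get("stage") == "ResponseComplete":
            by_id[aid] = ev
    return list(by_id.values())


def classify(ev: dict) -> tuple:
    """Reasons an event deserves a look; an empty tuple means routine traffic."""
    ref = ev.get("objectRef") or {}
    user = ev.get("user") or {}
    code = (ev.get("responseStatus") or {}).get("code")
    reasons = []
    if ref.get("resource") == "secrets":
        reasons.append("secret-access")
    if ref.get("resource") == "pods" and ref.get("subresource") in SENSITIVE_SUBRESOURCES:
        reasons.append("pod-" + ref["subresource"])
    if ref.get("apiGroup") == "rbac.authorization.k8s.io" and ev.get("verb") in WRITE_VERBS:
        reasons.append("rbac-change")
    if user.get("username") == "system:anonymous" or "system:unauthenticated" in user.get("groups", []):
        reasons.append("anonymous")
    if code in (401, 403):
        reasons.append("denied")
    return tuple(reasons)


def triage(text: str):
    """Returns (number of distinct requests, [(user, verb, resource, reasons), ...])."""
    reqs = completed_requests(parse_events(text))
    flagged = []
    for ev in reqs:
        reasons = classify(ev)
        if reasons:
            ref = ev.get("objectRef") or {}
            flagged.append((ev["user"]["username"], ev["verb"], ref.get("resource", ""), reasons))
    return len(reqs), flagged


def requests_by_user(text: str) -> Counter:
    """Request counts per username, one count per auditID."""
    return Counter(ev["user"]["username"] for ev in completed_requests(parse_events(text)))


if __name__ == "__main__":
    total, flagged = triage(SAMPLE_LOG)
    print(f"{total} requests, {len(flagged)} flagged")
    for user, verb, resource, reasons in flagged:
        print(f"  {user:<18} {verb:<7} {resource:<20} {', '.join(reasons)}")
```

To run it on the cluster's own log, read /tmp/api/audit.log (with sudo, as above) and pass the contents to `triage()`. At Metadata level the exec command is still visible because it sits in the requestURI query string, which is why that line is flagged even though no request body was recorded.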
@nycnewman

Just a reminder for those attempting this on a Mac that the file and the directory need to be created in the container and not on the host. For example, using podman, this would be in the podman machine.

@guettli commented Apr 5, 2024

BTW, there are "official" docs about how to enable audit logs: https://kind.sigs.k8s.io/docs/user/auditing/

@krol3 commented Apr 24, 2024

Thanks @jimangel. By the way, using the latest version 1.28 it's not working, but using 1.22 it seems to be working, cc @guettli. Here are my test images:

  • working: kindest/node:v1.27.11@sha256:681253009e68069b8e01aad36a1e0fa8cf18bb0ab3e5c4069b2e65cafdd70843
  • error: kindest/node:v1.28.7@sha256:9bc6c451a289cf96ad0bbaf33d416901de6fd632415b076ab05f5fa7e4f65c58
  • error: kindest/node:v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245

@guettli commented Apr 24, 2024

@krol3 please elaborate why 1.28 is not working. What kind of error are you getting?
