Skip to content

Instantly share code, notes, and snippets.

@mauilion
Last active Sep 14, 2021
Embed
What would you like to do?
kind audit
# https://www.outcoldsolutions.com/docs/monitoring-kubernetes/v4/audit/
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
# Do not log from kube-system accounts
- level: None
userGroups:
- system:serviceaccounts:kube-system
- level: None
users:
- system:apiserver
- system:kube-scheduler
- system:volume-scheduler
- system:kube-controller-manager
- system:node
# Do not log from collector
- level: None
users:
- system:serviceaccount:collectorforkubernetes:collectorforkubernetes
# Don't log nodes communications
- level: None
userGroups:
- system:nodes
# Don't log these read-only URLs.
- level: None
nonResourceURLs:
- /healthz*
- /version
- /swagger*
# Log configmap and secret changes in all namespaces at the metadata level.
- level: Metadata
resources:
- resources: ["secrets", "configmaps"]
# We want to catch a little more then outcoldsolutions specified ;)
- level: RequestResponse
omitStages:
- RequestReceived
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
PodSecurity: true
nodes:
- role: control-plane
extraMounts:
- containerPath: /etc/kubernetes/policies/adv-audit.yaml
hostPath: ./adv-audit.yaml
readOnly: true
- role: worker
kubeadmConfigPatches:
- |
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
metadata:
name: config
apiServer:
extraArgs:
audit-policy-file: "/etc/kubernetes/policies/adv-audit.yaml"
audit-log-path: "/var/log/kubernetes/kube-apiserver-audit.log"
audit-log-format: "json"
extraVolumes:
- name: "audit-policies"
hostPath: "/etc/kubernetes/policies"
mountPath: "/etc/kubernetes/policies"
readOnly: true
pathType: DirectoryOrCreate
- name: "audit-logs"
hostPath: "/var/log/kubernetes"
mountPath: "/var/log/kubernetes"
readOnly: false
pathType: DirectoryOrCreate
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment