vcluster-openunison-blog
---
# Namespace that holds the vcluster control plane, its audit-log PVC and
# the audit policy ConfigMap defined further down in this file.
apiVersion: v1
kind: Namespace
metadata:
  name: vcluster-blog
spec: {}
---
# Persistent backing store for the vcluster apiserver audit log. It is
# mounted at /var/lib/rancher/k3s/server/logs by the VCluster object below.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: vcluster-audit-logs
  namespace: vcluster-blog
spec:
  # Storage class of the host cluster this was written against; adjust for
  # the target cluster.
  storageClassName: "standard"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      # 1Gi is small for an audit log that records RequestResponse for most
      # known APIs; without apiserver log-rotation flags it will eventually
      # fill, so size it for the expected volume and retention.
      storage: 1Gi
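---
# Audit policy for the vcluster apiserver. The key name is the file name
# that --audit-policy-file points at inside the k3s container.
kind: ConfigMap
apiVersion: v1
metadata:
  name: k8s-audit-policy
  namespace: vcluster-blog
data:
  # Written as a literal block scalar instead of one double-quoted line with
  # escaped "\r\n" sequences: the policy is now readable and diffable, and the
  # file the apiserver reads no longer carries carriage returns.
  # The rule set appears to be derived from the upstream Kubernetes reference
  # policy; rules are matched top-down, so order matters.
  k8s-audit-policy.yaml: |
    apiVersion: audit.k8s.io/v1
    kind: Policy
    rules:
      # The following requests were manually identified as high-volume and low-risk,
      # so drop them.
      - level: None
        users: ["system:kube-proxy"]
        verbs: ["watch"]
        resources:
          - group: "" # core
            resources: ["endpoints", "services", "services/status"]
      - level: None
        # Ingress controller reads 'configmaps/ingress-uid' through the unsecured port.
        # TODO(#46983): Change this to the ingress controller service account.
        users: ["system:unsecured"]
        namespaces: ["kube-system"]
        verbs: ["get"]
        resources:
          - group: "" # core
            resources: ["configmaps"]
      - level: None
        users: ["kubelet"] # legacy kubelet identity
        verbs: ["get"]
        resources:
          - group: "" # core
            resources: ["nodes", "nodes/status"]
      - level: None
        userGroups: ["system:nodes"]
        verbs: ["get"]
        resources:
          - group: "" # core
            resources: ["nodes", "nodes/status"]
      - level: None
        users:
          - system:kube-controller-manager
          - system:kube-scheduler
          - system:serviceaccount:kube-system:endpoint-controller
        verbs: ["get", "update"]
        namespaces: ["kube-system"]
        resources:
          - group: "" # core
            resources: ["endpoints"]
      - level: None
        users: ["system:apiserver"]
        verbs: ["get"]
        resources:
          - group: "" # core
            resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
      - level: None
        users: ["cluster-autoscaler"]
        verbs: ["get", "update"]
        namespaces: ["kube-system"]
        resources:
          - group: "" # core
            resources: ["configmaps", "endpoints"]
      # Don't log HPA fetching metrics.
      - level: None
        users:
          - system:kube-controller-manager
        verbs: ["get", "list"]
        resources:
          - group: "metrics.k8s.io"

      # Don't log these read-only URLs.
      - level: None
        nonResourceURLs:
          - /healthz*
          - /version
          - /swagger*

      # Don't log events requests.
      - level: None
        resources:
          - group: "" # core
            resources: ["events"]

      # node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes
      - level: Request
        users: ["kubelet", "system:node-problem-detector", "system:serviceaccount:kube-system:node-problem-detector"]
        verbs: ["update","patch"]
        resources:
          - group: "" # core
            resources: ["nodes/status", "pods/status"]
        omitStages:
          - "RequestReceived"
      - level: Request
        userGroups: ["system:nodes"]
        verbs: ["update","patch"]
        resources:
          - group: "" # core
            resources: ["nodes/status", "pods/status"]
        omitStages:
          - "RequestReceived"

      # deletecollection calls can be large, don't log responses for expected namespace deletions
      - level: Request
        users: ["system:serviceaccount:kube-system:namespace-controller"]
        verbs: ["deletecollection"]
        omitStages:
          - "RequestReceived"

      # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
      # so only log at the Metadata level.
      - level: Metadata
        resources:
          - group: "" # core
            resources: ["secrets", "configmaps"]
          - group: authentication.k8s.io
            resources: ["tokenreviews"]
        omitStages:
          - "RequestReceived"
      # Get repsonses can be large; skip them.
      - level: Request
        verbs: ["get", "list", "watch"]
        resources:
          - group: "" # core
          - group: "admissionregistration.k8s.io"
          - group: "apiextensions.k8s.io"
          - group: "apiregistration.k8s.io"
          - group: "apps"
          - group: "authentication.k8s.io"
          - group: "authorization.k8s.io"
          - group: "autoscaling"
          - group: "batch"
          - group: "certificates.k8s.io"
          - group: "extensions"
          - group: "metrics.k8s.io"
          - group: "networking.k8s.io"
          - group: "node.k8s.io"
          - group: "policy"
          - group: "rbac.authorization.k8s.io"
          - group: "scheduling.k8s.io"
          - group: "settings.k8s.io"
          - group: "storage.k8s.io"
        omitStages:
          - "RequestReceived"
      # Default level for known APIs
      - level: RequestResponse
        resources:
          - group: "" # core
          - group: "admissionregistration.k8s.io"
          - group: "apiextensions.k8s.io"
          - group: "apiregistration.k8s.io"
          - group: "apps"
          - group: "authentication.k8s.io"
          - group: "authorization.k8s.io"
          - group: "autoscaling"
          - group: "batch"
          - group: "certificates.k8s.io"
          - group: "extensions"
          - group: "metrics.k8s.io"
          - group: "networking.k8s.io"
          - group: "node.k8s.io"
          - group: "policy"
          - group: "rbac.authorization.k8s.io"
          - group: "scheduling.k8s.io"
          - group: "settings.k8s.io"
          - group: "storage.k8s.io"
        omitStages:
          - "RequestReceived"
      # Default level for all other requests.
      - level: Metadata
        omitStages:
          - "RequestReceived"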
---
# Cluster API wrapper for the vcluster defined below.
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  name: vcluster-blog
  namespace: vcluster-blog
spec:
  # Both references point at the same VCluster object: one resource plays
  # the control-plane and the infrastructure role.
  controlPlaneRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
    kind: VCluster
    name: vcluster-blog
  infrastructureRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
    kind: VCluster
    name: vcluster-blog
---
# The vcluster itself. Helm values wire the audit policy ConfigMap and the
# audit-log PVC into the k3s container and turn on apiserver auditing.
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
kind: VCluster
metadata:
  name: vcluster-blog
  namespace: vcluster-blog
spec:
  # Zero values here; presumably the provider fills in the endpoint once the
  # control plane is up — confirm against the provider docs for this version.
  controlPlaneEndpoint:
    host: ""
    port: 0
  helmRelease:
    # All chart fields left null; presumably the provider's default chart is
    # used — confirm for the provider version in use.
    chart:
      name: null
      repo: null
      version: null
    # Passed through as Helm values to the vcluster chart.
    values: |-
      volumes:
        - name: audit-policy-volume
          configMap:
            name: k8s-audit-policy
        - name: audit-log-data
          persistentVolumeClaim:
            claimName: vcluster-audit-logs
      vcluster:
        volumeMounts:
          # keep data volume mount!
          - mountPath: /data
            name: data
          # Policy file read by --audit-policy-file below.
          - mountPath: /var/lib/rancher/k3s/server/log-config
            name: audit-policy-volume
          # Directory written by --audit-log-path below (PVC-backed).
          - mountPath: /var/lib/rancher/k3s/server/logs
            name: audit-log-data
        # The inner single quotes are part of the YAML string; they are only
        # stripped if the chart hands extraArgs to a shell — confirm for the
        # chart version in use.
        # No --audit-log-maxage / --audit-log-maxbackup / --audit-log-maxsize
        # are set, so retention is whatever the apiserver defaults give and the
        # PVC can fill; add them here if the log must be bounded or rotated.
        extraArgs:
          - "--kube-apiserver-arg='audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'"
          - "--kube-apiserver-arg='audit-policy-file=/var/lib/rancher/k3s/server/log-config/k8s-audit-policy.yaml'"
  # Quoted so no YAML parser can ever read it as a number.
  kubernetesVersion: "1.23.0"