题目
Task 在 cluster 中启用审计日志。为此,请启用日志后端,并确保: 日志存储在 /var/log/kubernetes/audit-logs.txt 日志文件能保留 10 天 最多保留 2 个旧审计日志文件 /etc/kubernetes/logpolicy/sample-policy.yaml 提供了基本策略。它仅指定不记录的内容。 注意:基本策略位于 cluster 的 master 节点上。 编辑和扩展基本策略以记录: RequestResponse 级别的 persistentvolumes 更改 namespace front-apps 中 configmaps 更改的请求体 Metadata 级别的所有 namespace 中的 ConfigMap 和 Secret 的更改 此外,添加一个全方位的规则以在 Metadata 级别记录所有其他请求。 注意:不要忘记应用修改后的策略。
kube-apiserver.yaml选项解释:
- -audit-policy-file 指定审计策略文件
- -audit-log-path 指定用来写入审计事件的日志文件路径。不指定此标志会禁用日志后端。
- -audit-log-maxage 定义保留旧审计日志文件的最大天数
- -audit-log-maxbackup 定义要保留的审计日志文件的最大数量
- -audit-log-maxsize 定义审计日志文件轮转之前的最大大小(兆字节)
更多见参考
环境搭建
命令
mkdir -p /etc/kubernetes/logpolicy/ vim /etc/kubernetes/logpolicy/sample-policy.yaml
内容
apiVersion: audit.k8s.io/v1 kind: Policy # Don't generate audit events for all requests in RequestReceived stage. omitStages: - "RequestReceived" rules: # Don't log watch requests by the "system:kube-proxy" on endpoints or services - level: None users: ["system:kube-proxy"] verbs: ["watch"] resources: - group: "" # core API group resources: ["endpoints", "services"] # Don't log authenticated requests to certain non-resource URL paths. - level: None userGroups: ["system:authenticated"] nonResourceURLs: - "/api*" # Wildcard matching. - "/version" # Please do not delete the above rule content, you can continue add it below.
解题
命令
vim /etc/kubernetes/logpolicy/sample-policy.yaml
内容
apiVersion: audit.k8s.io/v1 # This is required. kind: Policy # Don't generate audit events for all requests in RequestReceived stage. omitStages: - "RequestReceived" rules: # Don't log watch requests by the "system:kube-proxy" on endpoints or services - level: None users: ["system:kube-proxy"] verbs: ["watch"] resources: - group: "" # core API group resources: ["endpoints", "services"] # Don't log authenticated requests to certain non-resource URL paths. - level: None userGroups: ["system:authenticated"] nonResourceURLs: - "/api*" # Wildcard matching. - "/version" # Please do not delete the above rule content, you can continue add it below. # Log pod changes at RequestResponse level - level: RequestResponse resources: - group: "" resources: ["persistentvolumes"] # Log "pods/log", "pods/status" at Metadata level - level: Metadata resources: - group: "" resources: ["secrets", "configmaps"] # Log the request body of configmap changes in kube-system. - level: Request resources: - group: "" # core API group resources: ["configmaps"] namespaces: ["front-apps"] # A catch-all rule to log all other requests at the Metadata level. - level: Metadata # Long-running requests like watches that fall under this rule will not # generate an audit event in RequestReceived. omitStages: - "RequestReceived"
截图
修改kube-apiserverl.yaml配置文件
命令
vim /etc/kubernetes/manifests/kube-apiserver.yaml
添加以下四个启动项
- --audit-log-path=/var/log/kubernetes/audit-logs.txt - --audit-policy-file=/etc/kubernetes/logpolicy/sample-policy.yaml - --audit-log-maxage=10 - --audit-log-maxbackup=2
截图
截图
重启kubelet
命令
systemctl daemon-reload systemctl restart kubelet
截图
模拟题
