@benluddy
Contributor

Audit logs from kube-apiserver are used in virtually every support engagement with the API team, so they're useful to enable out-of-the-box. I've also removed the audit log path config field, instead using the same path used by OpenShift (under /var/log).

@openshift-ci openshift-ci bot requested review from sallyom and stlaz October 25, 2022 21:42
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 25, 2022
@benluddy
Contributor Author

/assign @fzdarsky

Frank, any objection to this change? KAS rotates and truncates its own audit logs, so we should not expect to see problems with disk space exhaustion.

Contributor

@dhellmann dhellmann left a comment

I see how this removes the configuration option. I don't see how it ensures that the audit logs are written out. Is that a default behavior that doesn't need to be enabled? Is it because the output directory is now being created? Or am I missing something in reading the changes?

cmd.MarkFlagFilename("config", "yaml", "yml")
// All other flags will be read after reading both config file and env vars.
flags.String("data-dir", cfg.DataDir, "The directory for storing runtime data.")
flags.String("audit-log-dir", cfg.AuditLogDir, "The directory for storing audit logs.")
Contributor

There's a sample configuration file in https://github.com/openshift/microshift/blob/main/packaging/microshift/config.yaml that has this config value, too. We can clean that up in a separate PR.

Contributor Author

Good catch. Opened #1056.

@benluddy
Contributor Author

@dhellmann Specifying an audit log path in itself enables audit logging (https://github.com/benluddy/microshift/blob/f233b7f9b38eec3c97ad8a2686340b929de9d82e/vendor/k8s.io/apiserver/pkg/server/options/audit.go#L501-L503). I've also manually verified that, with this change, audit logs are written to /var/log/kube-apiserver/audit.log.
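
An added example, not part of this PR or of MicroShift's code: a Go check that reads an audit log such as /var/log/kube-apiserver/audit.log and confirms it holds well-formed audit events, the same verification described in the comment above. It assumes kube-apiserver's default JSON-lines audit format; `SummarizeAudit`, `auditEvent` and the sample lines are constructed for illustration.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// auditEvent holds the few audit.k8s.io Event fields this check reads.
type auditEvent struct {
	Kind       string `json:"kind"`
	APIVersion string `json:"apiVersion"`
	Verb       string `json:"verb"`
}

// Constructed sample lines (not from a real cluster); the last one is cut off mid-record.
const sampleLog = `{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"Respon`

// SummarizeAudit counts well-formed audit events per verb and counts lines
// that do not parse as an audit Event (for example a record cut off mid-write).
func SummarizeAudit(r io.Reader) (byVerb map[string]int, bad int, err error) {
	byVerb = map[string]int{}
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 4*1024*1024) // events can exceed the 64 KiB default token size
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev auditEvent
		if json.Unmarshal([]byte(line), &ev) != nil || ev.Kind != "Event" || !strings.HasPrefix(ev.APIVersion, "audit.k8s.io/") {
			bad++
			continue
		}
		byVerb[ev.Verb]++
	}
	return byVerb, bad, sc.Err()
}

func main() {
	byVerb, bad, err := SummarizeAudit(strings.NewReader(sampleLog))
	fmt.Println(byVerb, bad, err)
}
```

A result with zero events means the file exists but nothing is being audited; a nonzero malformed count is worth checking against rotation or truncation timing.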

@dhellmann
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 26, 2022
@openshift-ci
Contributor

openshift-ci bot commented Oct 26, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: benluddy, dhellmann

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@benluddy
Contributor Author

/test e2e-openshift-conformance-sig-node

@openshift-ci
Contributor

openshift-ci bot commented Oct 26, 2022

@benluddy: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/periodic-ocp-4.13-images | f233b7f | link | true | /test periodic-ocp-4.13-images |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-merge-robot openshift-merge-robot merged commit 7f10271 into openshift:main Oct 26, 2022