From f233b7f9b38eec3c97ad8a2686340b929de9d82e Mon Sep 17 00:00:00 2001 From: Ben Luddy Date: Tue, 25 Oct 2022 17:33:32 -0400 Subject: [PATCH] Enable kube-apiserver audit logging. --- pkg/cmd/run.go | 2 -- pkg/config/config.go | 19 +++++-------- pkg/config/config_test.go | 44 +++++++++++++------------------ pkg/controllers/kube-apiserver.go | 4 ++- 4 files changed, 28 insertions(+), 41 deletions(-) diff --git a/pkg/cmd/run.go b/pkg/cmd/run.go index c14b1aab2e..e817cefc61 100644 --- a/pkg/cmd/run.go +++ b/pkg/cmd/run.go @@ -37,7 +37,6 @@ func addRunFlags(cmd *cobra.Command, cfg *config.MicroshiftConfig) { cmd.MarkFlagFilename("config", "yaml", "yml") // All other flags will be read after reading both config file and env vars. flags.String("data-dir", cfg.DataDir, "The directory for storing runtime data.") - flags.String("audit-log-dir", cfg.AuditLogDir, "The directory for storing audit logs.") flags.StringSlice("roles", cfg.Roles, "The roles of this MicroShift instance.") flags.String("node-name", cfg.NodeName, "The hostname of the node.") flags.String("node-ip", cfg.NodeIP, "The IP address of the node.") @@ -93,7 +92,6 @@ func RunMicroshift(cfg *config.MicroshiftConfig, flags *pflag.FlagSet) error { } os.MkdirAll(cfg.DataDir, 0700) - os.MkdirAll(cfg.AuditLogDir, 0700) // TODO: change to only initialize what is strictly necessary for the selected role(s) if _, err := os.Stat(filepath.Join(cfg.DataDir, "certs")); errors.Is(err, os.ErrNotExist) { diff --git a/pkg/config/config.go b/pkg/config/config.go index 1f5bc8bcf0..e5abe49934 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -56,8 +56,7 @@ type MicroshiftConfig struct { ConfigFile string `json:"configFile"` DataDir string `json:"dataDir"` - AuditLogDir string `json:"auditLogDir"` - LogVLevel int `json:"logVLevel"` + LogVLevel int `json:"logVLevel"` Roles []string `json:"roles"` @@ -101,13 +100,12 @@ func NewMicroshiftConfig() *MicroshiftConfig { defaultRoles := make([]string, len(validRoles)) copy(defaultRoles, validRoles) return &MicroshiftConfig{ - ConfigFile: findConfigFile(), - DataDir: dataDir, - AuditLogDir: "", - LogVLevel: 0, - Roles: defaultRoles, - NodeName: nodeName, - NodeIP: nodeIP, + ConfigFile: findConfigFile(), + DataDir: dataDir, + LogVLevel: 0, + Roles: defaultRoles, + NodeName: nodeName, + NodeIP: nodeIP, Cluster: ClusterConfig{ URL: "https://127.0.0.1:6443", ClusterCIDR: "10.42.0.0/16", @@ -221,9 +219,6 @@ func (c *MicroshiftConfig) ReadFromCmdLine(flags *pflag.FlagSet) error { // if the defaults are present, rebuild based on the new data-dir c.updateManifestList() } - if s, err := flags.GetString("audit-log-dir"); err == nil && flags.Changed("audit-log-dir") { - c.AuditLogDir = s - } if f := flags.Lookup("v"); f != nil && flags.Changed("v") { c.LogVLevel, _ = strconv.Atoi(f.Value.String()) } diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index ff2cec2cc9..4dc29e1507 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go @@ -39,13 +39,12 @@ func TestCommandLineConfig(t *testing.T) { }{ { config: &MicroshiftConfig{ - ConfigFile: "/path/to/config.yaml", - DataDir: "/tmp/microshift/data", - AuditLogDir: "/tmp/microshift/logs", - LogVLevel: 4, - Roles: []string{"controlplane", "node"}, - NodeName: "node1", - NodeIP: "1.2.3.4", + ConfigFile: "/path/to/config.yaml", + DataDir: "/tmp/microshift/data", + LogVLevel: 4, + Roles: []string{"controlplane", "node"}, + NodeName: "node1", + NodeIP: "1.2.3.4", Cluster: ClusterConfig{ URL: "https://1.2.3.4:6443", ClusterCIDR: "10.20.30.40/16", @@ -72,7 +71,6 @@ func TestCommandLineConfig(t *testing.T) { flags.StringVar(&config.ConfigFile, "config", config.ConfigFile, "File to read configuration from.") // all other flags unbound (looked up by name) and defaulted flags.String("data-dir", config.DataDir, "") - flags.String("audit-log-dir", config.AuditLogDir, "") flags.Int("v", config.LogVLevel, "") flags.StringSlice("roles", config.Roles, "") flags.String("node-name", config.NodeName, "") @@ -91,7 +89,6 @@ func TestCommandLineConfig(t *testing.T) { err = flags.Parse([]string{ "--config=" + tt.config.ConfigFile, "--data-dir=" + tt.config.DataDir, - "--audit-log-dir=" + tt.config.AuditLogDir, "--v=" + strconv.Itoa(tt.config.LogVLevel), "--roles=" + strings.Join(tt.config.Roles, ","), "--node-name=" + tt.config.NodeName, @@ -133,13 +130,12 @@ func TestEnvironmentVariableConfig(t *testing.T) { }{ { desiredMicroShiftConfig: &MicroshiftConfig{ - ConfigFile: "/to/config/file", - DataDir: "/tmp/microshift/data", - AuditLogDir: "/tmp/microshift/logs", - LogVLevel: 23, - Roles: []string{"controlplane", "node"}, - NodeName: "node1", - NodeIP: "1.2.3.4", + ConfigFile: "/to/config/file", + DataDir: "/tmp/microshift/data", + LogVLevel: 23, + Roles: []string{"controlplane", "node"}, + NodeName: "node1", + NodeIP: "1.2.3.4", Cluster: ClusterConfig{ URL: "https://cluster.com:4343/endpoint", ClusterCIDR: "10.20.30.40/16", @@ -158,7 +154,6 @@ func TestEnvironmentVariableConfig(t *testing.T) { }{ {"MICROSHIFT_CONFIGFILE", "/to/config/file"}, {"MICROSHIFT_DATADIR", "/tmp/microshift/data"}, - {"MICROSHIFT_AUDITLOGDIR", "/tmp/microshift/logs"}, {"MICROSHIFT_LOGVLEVEL", "23"}, {"MICROSHIFT_ROLES", "controlplane,node"}, {"MICROSHIFT_NODENAME", "node1"}, @@ -174,13 +169,12 @@ func TestEnvironmentVariableConfig(t *testing.T) { }, { desiredMicroShiftConfig: &MicroshiftConfig{ - ConfigFile: "/to/config/file", - DataDir: "/tmp/microshift/data", - AuditLogDir: "/tmp/microshift/logs", - LogVLevel: 23, - Roles: []string{"controlplane", "node"}, - NodeName: "node1", - NodeIP: "1.2.3.4", + ConfigFile: "/to/config/file", + DataDir: "/tmp/microshift/data", + LogVLevel: 23, + Roles: []string{"controlplane", "node"}, + NodeName: "node1", + NodeIP: "1.2.3.4", Cluster: ClusterConfig{ URL: "https://cluster.com:4343/endpoint", ClusterCIDR: "10.20.30.40/16", @@ -199,7 +193,6 @@ func TestEnvironmentVariableConfig(t *testing.T) { }{ {"MICROSHIFT_CONFIGFILE", "/to/config/file"}, {"MICROSHIFT_DATADIR", "/tmp/microshift/data"}, - {"MICROSHIFT_AUDITLOGDIR", "/tmp/microshift/logs"}, {"MICROSHIFT_LOGVLEVEL", "23"}, {"MICROSHIFT_ROLES", "controlplane,node"}, {"MICROSHIFT_NODENAME", "node1"}, @@ -237,7 +230,6 @@ func TestEnvironmentVariableConfig(t *testing.T) { func TestMicroshiftConfigReadAndValidate(t *testing.T) { flags := pflag.NewFlagSet("test", pflag.ContinueOnError) flags.String("data-dir", "", "") - flags.String("audit-log-dir", "", "") flags.Int("v", 0, "") flags.StringSlice("roles", []string{}, "") diff --git a/pkg/controllers/kube-apiserver.go b/pkg/controllers/kube-apiserver.go index ef74aeec57..cf4d253c5d 100644 --- a/pkg/controllers/kube-apiserver.go +++ b/pkg/controllers/kube-apiserver.go @@ -113,7 +113,6 @@ func (s *KubeAPIServer) configure(cfg *config.MicroshiftConfig) error { overrides := &kubecontrolplanev1.KubeAPIServerConfig{ APIServerArguments: map[string]kubecontrolplanev1.Arguments{ "advertise-address": {cfg.NodeIP}, - "audit-log-path": {cfg.AuditLogDir}, "audit-policy-file": {cfg.DataDir + "/resources/kube-apiserver-audit-policies/default.yaml"}, "client-ca-file": {clientCABundlePath}, "etcd-cafile": {ultimateTrustCACertFile}, @@ -319,6 +318,9 @@ func (s *KubeAPIServer) Run(ctx context.Context, ready chan<- struct{}, stopped return err } + // audit logs go here + os.MkdirAll("/var/log/kube-apiserver", 0700) + // Carrying a patch for NewAPIServerCommand to use cmd.Context().Done() as the stop channel // instead of the channel returned by SetupSignalHandler, which expects to be called at most // once in a process.