Task weight: 7%

Use context: kubectl config use-context infra-prod

Audit Logging has been enabled in the cluster with an Audit Policy located at /etc/kubernetes/audit/policy.yaml on cluster2-controlplane1 .

Change the configuration so that only one backup of the logs is stored.

Alter the Policy in a way that it only stores logs:

  • From Secret resources, level Metadata
  • From “system:nodes” userGroups, level RequestResponse

After you altered the Policy make sure to empty the log file so it only contains entries according to your changes, like using truncate -s 0 /etc/kubernetes/audit/logs/audit.log .

译文

任务权重: 7%

使用环境: kubectl config use-context infra-prod

审计日志已经在集群中启用,审计策略位于 /etc/kubernetes/audit/policy.yaml ,在 cluster2-controlplane1 上。

改变配置,使日志只有一个备份被存储。

改变策略的方式,使其只存储日志。

  • 从秘密资源,更改 Metadata
  • 从 “system:nodes “用户组,更改 RequestResponse。 更改策略后,确保清空日志文件,使其只包含与你的更改有关的条目,如使用 truncate -s 0 /etc/kubernetes/audit/logs/udit.log

你可以使用jq来使json更加可读. cat data.json | jq

解答

检查apiserver 配置文件并进行更改

ssh cluster2-controlplane1

cp /etc/kubernetes/manifests/kube-apiserver.yaml ~/17_kube-apiserver.yaml
vim /etc/kubernetes/manifests/kube-apiserver.yaml
# /etc/kubernetes/manifests/kube-apiserver.yaml 
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.168.100.21:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/audit/policy.yaml
    - --audit-log-path=/etc/kubernetes/audit/logs/audit.log
    - --audit-log-maxsize=5
    - --audit-log-maxbackup=1                                    # 更改
    - --advertise-address=192.168.100.21
    - --allow-privileged=true
...
vim /etc/kubernetes/audit/policy.yaml
# /etc/kubernetes/audit/policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

添加相关内容

# /etc/kubernetes/audit/policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:

# log Secret resources audits, level Metadata
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets"]

# log node related audits, level RequestResponse
- level: RequestResponse
  userGroups: ["system:nodes"]

# for everything else don't log anything
- level: None

重启api-server 并观察变化

cd /etc/kubernetes/manifests/

mv kube-apiserver.yaml ..
watch crictl ps # 等待apiserver就绪
truncate -s 0 /etc/kubernetes/audit/logs/audit.log #写日志
mv ../kube-apiserver.yaml .

jq格式化查看

cat audit.log | tail | jq
# 显示 secret
cat audit.log | grep '"resource":"secrets"' | wc -l

# metadata级别 secret
cat audit.log | grep '"resource":"secrets"' | grep -v '"level":"Metadata"' | wc -l

# RequestResponse
cat audit.log | grep -v '"level":"RequestResponse"' | wc -l

# 仅显示 system:nodes 的 RequestResponse
cat audit.log | grep '"level":"RequestResponse"' | grep -v "system:nodes" | wc -l