commit
0df969ad19
|
@ -26,6 +26,7 @@ force_etcd3: false
|
||||||
|
|
||||||
# audit support
|
# audit support
|
||||||
kubernetes_audit: false
|
kubernetes_audit: false
|
||||||
|
# audit_log_path must not be set to "-" with kubeadm as it only handles a logfile named audit.log
|
||||||
audit_log_path: /var/log/audit/kube-apiserver-audit.log
|
audit_log_path: /var/log/audit/kube-apiserver-audit.log
|
||||||
# num days
|
# num days
|
||||||
audit_log_maxage: 30
|
audit_log_maxage: 30
|
||||||
|
@ -39,12 +40,11 @@ audit_policy_file: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.ya
|
||||||
# audit log hostpath
|
# audit log hostpath
|
||||||
audit_log_name: audit-logs
|
audit_log_name: audit-logs
|
||||||
audit_log_hostpath: /var/log/kubernetes/audit
|
audit_log_hostpath: /var/log/kubernetes/audit
|
||||||
audit_log_mountpath: /var/log/audit
|
audit_log_mountpath: "{{ audit_log_path | dirname }}"
|
||||||
audit_log_writable: true
|
|
||||||
|
|
||||||
# audit policy hostpath
|
# audit policy hostpath
|
||||||
audit_policy_name: audit-policy
|
audit_policy_name: audit-policy
|
||||||
audit_policy_hostpath: /etc/kubernetes/audit-policy
|
audit_policy_hostpath: "{{ audit_policy_file | dirname }}"
|
||||||
audit_policy_mountpath: "{{ audit_policy_hostpath }}"
|
audit_policy_mountpath: "{{ audit_policy_hostpath }}"
|
||||||
|
|
||||||
# Limits for kube components
|
# Limits for kube components
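Review bot: `audit_log_mountpath` is now `audit_log_path | dirname`, so an operator who overrides `audit_log_path: "-"` (stdout) ends up with an empty mount path; the static manifest appears to guard that case, but nothing in this defaults file says so, and the comment above already warns that kubeadm only writes a file named `audit.log` under `audit_log_hostpath`. A short comment on the derived variables would spare the next reader a trip through three templates: `# derived from audit_log_path; empty when audit_log_path is "-" (stdout), in which case no log volume is mounted` on `audit_log_mountpath`, and `# with kubeadm the log actually written is <audit_log_hostpath>/audit.log, whatever audit_log_path says` on `audit_log_hostpath`. Audit logs can carry request bodies depending on the policy, so it is also worth stating who may read `audit_log_hostpath` on the node — this change sets neither its owner nor its mode.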
|
||||||
|
|
|
@ -66,13 +66,15 @@
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
||||||
- name: Create audit-policy directory
|
- name: Create audit-policy directory
|
||||||
file: path={{ kube_config_dir }}/audit-policy state=directory
|
file:
|
||||||
|
path: "{{ audit_policy_file | dirname }}"
|
||||||
|
state: directory
|
||||||
when: kubernetes_audit|default(false)
|
when: kubernetes_audit|default(false)
|
||||||
|
|
||||||
- name: Write api audit policy yaml
|
- name: Write api audit policy yaml
|
||||||
template:
|
template:
|
||||||
src: apiserver-audit-policy.yaml.j2
|
src: apiserver-audit-policy.yaml.j2
|
||||||
dest: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
|
dest: "{{ audit_policy_file }}"
|
||||||
when: kubernetes_audit|default(false)
|
when: kubernetes_audit|default(false)
|
||||||
|
|
||||||
- name: gets the kubeadm version
|
- name: gets the kubeadm version
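Review bot: The `Create audit-policy directory` task creates `audit_policy_file | dirname` with no `mode:` or `owner:`, and the `Write api audit policy yaml` task writes the policy with no `mode:` either, so both inherit whatever umask the Ansible connection happens to have. The policy file decides what the API server audits, so it should not be modifiable by anyone but root; add `mode: "0750"` to the `file:` task and `mode: "0640"` to the `template:` task (the static pod reads it as root, so nothing wider is needed — confirm for your runtime). An explicit mode also means a later run corrects a directory that was created loosely, which `state: directory` alone will not do.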
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
---
|
---
|
||||||
- name: Create audit-policy directory
|
- name: Create audit-policy directory
|
||||||
file: path={{ kube_config_dir }}/audit-policy state=directory
|
file:
|
||||||
|
path: "{{ audit_policy_file | dirname }}"
|
||||||
|
state: directory
|
||||||
tags:
|
tags:
|
||||||
- kube-apiserver
|
- kube-apiserver
|
||||||
when: kubernetes_audit|default(false)
|
when: kubernetes_audit|default(false)
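Review bot: The `file:` task gets `state: directory` but no `mode:`, and the directory it creates is now whatever `audit_policy_file | dirname` evaluates to, which an operator can point anywhere; if that lands under a location other local users can write, the policy can be replaced before `Master | Restart apiserver` picks it up. Add `mode: "0750"` here and `mode: "0640"` on the `template:` task in the following hunk so the intended ownership is explicit rather than umask-dependent. Since the apiserver reads the policy at start-up (I believe — confirm for the version in use), the restart handler is the only thing that makes a replaced file take effect, which is another reason to keep the file root-only.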
|
||||||
|
@ -8,7 +10,7 @@
|
||||||
- name: Write api audit policy yaml
|
- name: Write api audit policy yaml
|
||||||
template:
|
template:
|
||||||
src: apiserver-audit-policy.yaml.j2
|
src: apiserver-audit-policy.yaml.j2
|
||||||
dest: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
|
dest: "{{ audit_policy_file }}"
|
||||||
notify: Master | Restart apiserver
|
notify: Master | Restart apiserver
|
||||||
tags:
|
tags:
|
||||||
- kube-apiserver
|
- kube-apiserver
|
||||||
|
|
|
@ -14,7 +14,7 @@ etcd:
|
||||||
keyFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}-key.pem
|
keyFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}-key.pem
|
||||||
{% if kubernetes_audit %}
|
{% if kubernetes_audit %}
|
||||||
auditPolicy:
|
auditPolicy:
|
||||||
logDir: {{ audit_log_path }}
|
logDir: {{ audit_log_hostpath }}
|
||||||
logMaxAge: {{ audit_log_maxage }}
|
logMaxAge: {{ audit_log_maxage }}
|
||||||
path: {{ audit_policy_file }}
|
path: {{ audit_policy_file }}
|
||||||
{% endif %}
|
{% endif %}
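Review bot: `logDir` now takes `audit_log_hostpath` while `audit_log_path` is still the documented log location, and per the defaults comment kubeadm only writes a file named `audit.log` under that directory — so on the kubeadm path the file operators will actually find is `{{ audit_log_hostpath }}/audit.log`, not `audit_log_path`. That deserves a Jinja comment on the `auditPolicy:` block so log shipping is pointed at the right file: `{# kubeadm mounts logDir itself and writes logDir/audit.log; audit_log_path is not used on this path #}`. The removal of the `apiServerExtraVolumes` entry for the policy later in this file presumably relies on kubeadm mounting `auditPolicy.path` by itself — worth confirming against the kubeadm version in use, since I believe an apiserver whose `--audit-policy-file` is missing fails to start rather than silently auditing nothing.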
|
||||||
|
@ -88,12 +88,6 @@ controllerManagerExtraArgs:
|
||||||
node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
|
node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
|
||||||
node-monitor-period: {{ kube_controller_node_monitor_period }}
|
node-monitor-period: {{ kube_controller_node_monitor_period }}
|
||||||
pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
|
pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
|
||||||
{% if kubernetes_audit %}
|
|
||||||
apiServerExtraVolumes:
|
|
||||||
- name: {{ audit_policy_name }}
|
|
||||||
hostPath: {{ audit_policy_hostpath }}
|
|
||||||
mountPath: {{ audit_policy_mountpath }}
|
|
||||||
{% endif %}
|
|
||||||
{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
|
{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
|
||||||
controllerManagerExtraVolumes:
|
controllerManagerExtraVolumes:
|
||||||
- name: openstackcacert
|
- name: openstackcacert
|
||||||
|
|
|
@ -193,12 +193,13 @@ spec:
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if kubernetes_audit %}
|
{% if kubernetes_audit %}
|
||||||
|
{% if audit_log_path != "-" %}
|
||||||
- mountPath: {{ audit_log_mountpath }}
|
- mountPath: {{ audit_log_mountpath }}
|
||||||
name: {{ audit_log_name }}
|
name: {{ audit_log_name }}
|
||||||
Writable: true
|
Writable: true
|
||||||
|
{% endif %}
|
||||||
- mountPath: {{ audit_policy_mountpath }}
|
- mountPath: {{ audit_policy_mountpath }}
|
||||||
name: {{ audit_policy_name }}
|
name: {{ audit_policy_name }}
|
||||||
Writable: true
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
volumes:
|
volumes:
|
||||||
- hostPath:
|
- hostPath:
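Review bot: `Writable: true` on the audit-log mount is not a Kubernetes `volumeMounts` field (this file uses `readOnly: true` for other mounts, as the first context line shows), so it is ignored and the mount is read-write only because that is the default — and dropping it from the policy mount therefore does not make the policy read-only, which seems to be the intent. The apiserver has no reason to write to its own audit policy, and a read-only bind mount is the cheap way to keep a compromised apiserver process from rewriting what it audits; drop `Writable: true` from the log mount (or use `readOnly: false` for explicitness) and add `readOnly: true` under `name: {{ audit_policy_name }}`. Stricter decoders may also reject the unknown key outright, so it is worth removing even where it is tolerated today.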
|
||||||
|
@ -221,9 +222,11 @@ spec:
|
||||||
name: rhel-ca-bundle
|
name: rhel-ca-bundle
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if kubernetes_audit %}
|
{% if kubernetes_audit %}
|
||||||
|
{% if audit_log_path != "-" %}
|
||||||
- hostPath:
|
- hostPath:
|
||||||
path: {{ audit_log_hostpath }}
|
path: {{ audit_log_hostpath }}
|
||||||
name: {{ audit_log_name }}
|
name: {{ audit_log_name }}
|
||||||
|
{% endif %}
|
||||||
- hostPath:
|
- hostPath:
|
||||||
path: {{ audit_policy_hostpath }}
|
path: {{ audit_policy_hostpath }}
|
||||||
name: {{ audit_policy_name }}
|
name: {{ audit_policy_name }}
|
||||||
|
|