commit
364ab2a6b7
|
@ -163,6 +163,9 @@ helm_deployment_type: host
|
||||||
# K8s image pull policy (imagePullPolicy)
|
# K8s image pull policy (imagePullPolicy)
|
||||||
k8s_image_pull_policy: IfNotPresent
|
k8s_image_pull_policy: IfNotPresent
|
||||||
|
|
||||||
|
# audit log for kubernetes
|
||||||
|
kubernetes_audit: false
|
||||||
|
|
||||||
# Kubernetes dashboard
|
# Kubernetes dashboard
|
||||||
# RBAC required. see docs/getting-started.md for access details.
|
# RBAC required. see docs/getting-started.md for access details.
|
||||||
dashboard_enabled: true
|
dashboard_enabled: true
|
||||||
|
|
|
@ -24,6 +24,29 @@ kube_apiserver_storage_backend: etcd3
|
||||||
# By default, force back to etcd2. Set to true to force etcd3 (experimental!)
|
# By default, force back to etcd2. Set to true to force etcd3 (experimental!)
|
||||||
force_etcd3: false
|
force_etcd3: false
|
||||||
|
|
||||||
|
# audit support
|
||||||
|
kubernetes_audit: false
|
||||||
|
audit_log_path: /var/log/audit/kube-apiserver-audit.log
|
||||||
|
# num days
|
||||||
|
audit_log_maxage: 30
|
||||||
|
# the num of audit logs to retain
|
||||||
|
audit_log_maxbackups: 1
|
||||||
|
# the max size in MB to retain
|
||||||
|
audit_log_maxsize: 100
|
||||||
|
# policy file
|
||||||
|
audit_policy_file: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
|
||||||
|
|
||||||
|
# audit log hostpath
|
||||||
|
audit_log_name: audit-logs
|
||||||
|
audit_log_hostpath: /var/log/kubernetes/audit
|
||||||
|
audit_log_mountpath: /var/log/audit
|
||||||
|
audit_log_writable: true
|
||||||
|
|
||||||
|
# audit policy hostpath
|
||||||
|
audit_policy_name: audit-policy
|
||||||
|
audit_policy_hostpath: /etc/kubernetes/audit-policy
|
||||||
|
audit_policy_mountpath: "{{ audit_policy_hostpath }}"
|
||||||
|
|
||||||
# Limits for kube components
|
# Limits for kube components
|
||||||
kube_controller_memory_limit: 512M
|
kube_controller_memory_limit: 512M
|
||||||
kube_controller_cpu_limit: 250m
|
kube_controller_cpu_limit: 250m
|
||||||
|
|
|
@ -65,6 +65,16 @@
|
||||||
command: "cp -TR {{ etcd_cert_dir }} {{ kube_config_dir }}/ssl/etcd"
|
command: "cp -TR {{ etcd_cert_dir }} {{ kube_config_dir }}/ssl/etcd"
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
||||||
|
- name: Create audit-policy directory
|
||||||
|
file: path={{ kube_config_dir }}/audit-policy state=directory
|
||||||
|
when: kubernetes_audit|default(false)
|
||||||
|
|
||||||
|
- name: Write api audit policy yaml
|
||||||
|
template:
|
||||||
|
src: apiserver-audit-policy.yaml.j2
|
||||||
|
dest: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
|
||||||
|
when: kubernetes_audit|default(false)
|
||||||
|
|
||||||
- name: gets the kubeadm version
|
- name: gets the kubeadm version
|
||||||
command: "{{ bin_dir }}/kubeadm version -o short"
|
command: "{{ bin_dir }}/kubeadm version -o short"
|
||||||
register: kubeadm_output
|
register: kubeadm_output
|
||||||
|
|
|
@ -1,4 +1,19 @@
|
||||||
---
|
---
|
||||||
|
- name: Create audit-policy directory
|
||||||
|
file: path={{ kube_config_dir }}/audit-policy state=directory
|
||||||
|
tags:
|
||||||
|
- kube-apiserver
|
||||||
|
when: kubernetes_audit|default(false)
|
||||||
|
|
||||||
|
- name: Write api audit policy yaml
|
||||||
|
template:
|
||||||
|
src: apiserver-audit-policy.yaml.j2
|
||||||
|
dest: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
|
||||||
|
notify: Master | Restart apiserver
|
||||||
|
tags:
|
||||||
|
- kube-apiserver
|
||||||
|
when: kubernetes_audit|default(false)
|
||||||
|
|
||||||
- name: Write kube-apiserver manifest
|
- name: Write kube-apiserver manifest
|
||||||
template:
|
template:
|
||||||
src: manifests/kube-apiserver.manifest.j2
|
src: manifests/kube-apiserver.manifest.j2
|
||||||
|
|
|
@ -0,0 +1,125 @@
|
||||||
|
apiVersion: audit.k8s.io/v1beta1
|
||||||
|
kind: Policy
|
||||||
|
rules:
|
||||||
|
# The following requests were manually identified as high-volume and low-risk,
|
||||||
|
# so drop them.
|
||||||
|
- level: None
|
||||||
|
users: ["system:kube-proxy"]
|
||||||
|
verbs: ["watch"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["endpoints", "services", "services/status"]
|
||||||
|
- level: None
|
||||||
|
# Ingress controller reads `configmaps/ingress-uid` through the unsecured port.
|
||||||
|
# TODO(#46983): Change this to the ingress controller service account.
|
||||||
|
users: ["system:unsecured"]
|
||||||
|
namespaces: ["kube-system"]
|
||||||
|
verbs: ["get"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["configmaps"]
|
||||||
|
- level: None
|
||||||
|
users: ["kubelet"] # legacy kubelet identity
|
||||||
|
verbs: ["get"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["nodes", "nodes/status"]
|
||||||
|
- level: None
|
||||||
|
userGroups: ["system:nodes"]
|
||||||
|
verbs: ["get"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["nodes", "nodes/status"]
|
||||||
|
- level: None
|
||||||
|
users:
|
||||||
|
- system:kube-controller-manager
|
||||||
|
- system:kube-scheduler
|
||||||
|
- system:serviceaccount:kube-system:endpoint-controller
|
||||||
|
verbs: ["get", "update"]
|
||||||
|
namespaces: ["kube-system"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["endpoints"]
|
||||||
|
- level: None
|
||||||
|
users: ["system:apiserver"]
|
||||||
|
verbs: ["get"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
|
||||||
|
# Don't log HPA fetching metrics.
|
||||||
|
- level: None
|
||||||
|
users:
|
||||||
|
- system:kube-controller-manager
|
||||||
|
verbs: ["get", "list"]
|
||||||
|
resources:
|
||||||
|
- group: "metrics.k8s.io"
|
||||||
|
# Don't log these read-only URLs.
|
||||||
|
- level: None
|
||||||
|
nonResourceURLs:
|
||||||
|
- /healthz*
|
||||||
|
- /version
|
||||||
|
- /swagger*
|
||||||
|
# Don't log events requests.
|
||||||
|
- level: None
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["events"]
|
||||||
|
# Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
|
||||||
|
# so only log at the Metadata level.
|
||||||
|
- level: Metadata
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["secrets", "configmaps"]
|
||||||
|
- group: authentication.k8s.io
|
||||||
|
resources: ["tokenreviews"]
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
||||||
|
# Get responses can be large; skip them.
|
||||||
|
- level: Request
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
- group: "admissionregistration.k8s.io"
|
||||||
|
- group: "apiextensions.k8s.io"
|
||||||
|
- group: "apiregistration.k8s.io"
|
||||||
|
- group: "apps"
|
||||||
|
- group: "authentication.k8s.io"
|
||||||
|
- group: "authorization.k8s.io"
|
||||||
|
- group: "autoscaling"
|
||||||
|
- group: "batch"
|
||||||
|
- group: "certificates.k8s.io"
|
||||||
|
- group: "extensions"
|
||||||
|
- group: "metrics.k8s.io"
|
||||||
|
- group: "networking.k8s.io"
|
||||||
|
- group: "policy"
|
||||||
|
- group: "rbac.authorization.k8s.io"
|
||||||
|
- group: "settings.k8s.io"
|
||||||
|
- group: "storage.k8s.io"
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
||||||
|
# Default level for known APIs
|
||||||
|
- level: RequestResponse
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
- group: "admissionregistration.k8s.io"
|
||||||
|
- group: "apiextensions.k8s.io"
|
||||||
|
- group: "apiregistration.k8s.io"
|
||||||
|
- group: "apps"
|
||||||
|
- group: "authentication.k8s.io"
|
||||||
|
- group: "authorization.k8s.io"
|
||||||
|
- group: "autoscaling"
|
||||||
|
- group: "batch"
|
||||||
|
- group: "certificates.k8s.io"
|
||||||
|
- group: "extensions"
|
||||||
|
- group: "metrics.k8s.io"
|
||||||
|
- group: "networking.k8s.io"
|
||||||
|
- group: "policy"
|
||||||
|
- group: "rbac.authorization.k8s.io"
|
||||||
|
- group: "settings.k8s.io"
|
||||||
|
- group: "storage.k8s.io"
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
||||||
|
# Default level for all other requests.
|
||||||
|
- level: Metadata
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
|
@ -12,6 +12,12 @@ etcd:
|
||||||
caFile: {{ kube_config_dir }}/ssl/etcd/ca.pem
|
caFile: {{ kube_config_dir }}/ssl/etcd/ca.pem
|
||||||
certFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}.pem
|
certFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}.pem
|
||||||
keyFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}-key.pem
|
keyFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}-key.pem
|
||||||
|
{% if kubernetes_audit %}
|
||||||
|
auditPolicy:
|
||||||
|
logDir: {{ audit_log_path }}
|
||||||
|
logMaxAge: {{ audit_log_maxage }}
|
||||||
|
path: {{ audit_policy_file }}
|
||||||
|
{% endif %}
|
||||||
networking:
|
networking:
|
||||||
dnsDomain: {{ dns_domain }}
|
dnsDomain: {{ dns_domain }}
|
||||||
serviceSubnet: {{ kube_service_addresses }}
|
serviceSubnet: {{ kube_service_addresses }}
|
||||||
|
@ -82,6 +88,12 @@ controllerManagerExtraArgs:
|
||||||
node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
|
node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
|
||||||
node-monitor-period: {{ kube_controller_node_monitor_period }}
|
node-monitor-period: {{ kube_controller_node_monitor_period }}
|
||||||
pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
|
pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
|
||||||
|
{% if kubernetes_audit %}
|
||||||
|
apiServerExtraVolumes:
|
||||||
|
- name: {{ audit_policy_name }}
|
||||||
|
hostPath: {{ audit_policy_hostpath }}
|
||||||
|
mountPath: {{ audit_policy_mountpath }}
|
||||||
|
{% endif %}
|
||||||
{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
|
{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
|
||||||
controllerManagerExtraVolumes:
|
controllerManagerExtraVolumes:
|
||||||
- name: openstackcacert
|
- name: openstackcacert
|
||||||
|
@ -113,3 +125,7 @@ nodeRegistration:
|
||||||
taints:
|
taints:
|
||||||
- effect: NoSchedule
|
- effect: NoSchedule
|
||||||
key: node-role.kubernetes.io/master
|
key: node-role.kubernetes.io/master
|
||||||
|
{% if kubernetes_audit %}
|
||||||
|
featureGates:
|
||||||
|
Auditing: true
|
||||||
|
{% endif %}
|
||||||
|
|
|
@ -28,6 +28,13 @@ spec:
|
||||||
command:
|
command:
|
||||||
- /hyperkube
|
- /hyperkube
|
||||||
- apiserver
|
- apiserver
|
||||||
|
{% if kubernetes_audit %}
|
||||||
|
- --audit-log-path={{ audit_log_path }}
|
||||||
|
- --audit-log-maxage={{ audit_log_maxage }}
|
||||||
|
- --audit-log-maxbackup={{ audit_log_maxbackups }}
|
||||||
|
- --audit-log-maxsize={{ audit_log_maxsize }}
|
||||||
|
- --audit-policy-file={{ audit_policy_file }}
|
||||||
|
{% endif %}
|
||||||
- --advertise-address={{ ip | default(ansible_default_ipv4.address) }}
|
- --advertise-address={{ ip | default(ansible_default_ipv4.address) }}
|
||||||
- --etcd-servers={{ etcd_access_addresses }}
|
- --etcd-servers={{ etcd_access_addresses }}
|
||||||
{% if etcd_events_cluster_enabled %}
|
{% if etcd_events_cluster_enabled %}
|
||||||
|
@ -184,6 +191,14 @@ spec:
|
||||||
- mountPath: /etc/ssl/certs/ca-bundle.crt
|
- mountPath: /etc/ssl/certs/ca-bundle.crt
|
||||||
name: rhel-ca-bundle
|
name: rhel-ca-bundle
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{% endif %}
|
||||||
|
{% if kubernetes_audit %}
|
||||||
|
- mountPath: {{ audit_log_mountpath }}
|
||||||
|
name: {{ audit_log_name }}
|
||||||
|
Writable: true
|
||||||
|
- mountPath: {{ audit_policy_mountpath }}
|
||||||
|
name: {{ audit_policy_name }}
|
||||||
|
Writable: true
|
||||||
{% endif %}
|
{% endif %}
|
||||||
volumes:
|
volumes:
|
||||||
- hostPath:
|
- hostPath:
|
||||||
|
@ -205,3 +220,11 @@ spec:
|
||||||
path: /etc/ssl/certs/ca-bundle.crt
|
path: /etc/ssl/certs/ca-bundle.crt
|
||||||
name: rhel-ca-bundle
|
name: rhel-ca-bundle
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if kubernetes_audit %}
|
||||||
|
- hostPath:
|
||||||
|
path: {{ audit_log_hostpath }}
|
||||||
|
name: {{ audit_log_name }}
|
||||||
|
- hostPath:
|
||||||
|
path: {{ audit_policy_hostpath }}
|
||||||
|
name: {{ audit_policy_name }}
|
||||||
|
{% endif %}
|
||||||
|
|
|
@ -9,5 +9,6 @@ startup_script: ""
|
||||||
kube_network_plugin: weave
|
kube_network_plugin: weave
|
||||||
kubeadm_enabled: true
|
kubeadm_enabled: true
|
||||||
deploy_netchecker: true
|
deploy_netchecker: true
|
||||||
|
kubernetes_audit: true
|
||||||
kubedns_min_replicas: 1
|
kubedns_min_replicas: 1
|
||||||
cloud_provider: gce
|
cloud_provider: gce
|
||||||
|
|
|
@ -8,6 +8,7 @@ mode: ha
|
||||||
kube_network_plugin: flannel
|
kube_network_plugin: flannel
|
||||||
helm_enabled: true
|
helm_enabled: true
|
||||||
efk_enabled: true
|
efk_enabled: true
|
||||||
|
kubernetes_audit: true
|
||||||
etcd_events_cluster_setup: true
|
etcd_events_cluster_setup: true
|
||||||
local_volume_provisioner_enabled: true
|
local_volume_provisioner_enabled: true
|
||||||
etcd_deployment_type: host
|
etcd_deployment_type: host
|
||||||
|
|
Loading…
Reference in New Issue