Task weight: 7%
Use context: kubectl config use-context infra-prod
Audit Logging has been enabled in the cluster with an Audit Policy located at /etc/kubernetes/audit/policy.yaml on cluster2-controlplane1.
Change the configuration so that only one backup of the logs is stored.
Alter the Policy in a way that it only stores logs:
- From Secret resources, level Metadata
- From "system:nodes" userGroups, level RequestResponse
After you altered the Policy make sure to empty the log file so it only contains entries according to your changes, like using truncate -s 0 /etc/kubernetes/audit/logs/audit.log.
You can use jq to make the JSON more readable: cat data.json | jq
Solution
Inspect the apiserver manifest and change the backup setting
ssh cluster2-controlplane1
cp /etc/kubernetes/manifests/kube-apiserver.yaml ~/17_kube-apiserver.yaml
vim /etc/kubernetes/manifests/kube-apiserver.yaml
# /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.168.100.21:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/audit/policy.yaml
    - --audit-log-path=/etc/kubernetes/audit/logs/audit.log
    - --audit-log-maxsize=5
    - --audit-log-maxbackup=1   # changed: keep only one backup of the log
    - --advertise-address=192.168.100.21
    - --allow-privileged=true
...
vim /etc/kubernetes/audit/policy.yaml
# /etc/kubernetes/audit/policy.yaml (current content: everything at Metadata level)
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: Metadata
Replace the catch-all rule with the two required rules, followed by a rule that drops everything else
# /etc/kubernetes/audit/policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # log Secret resources audits, level Metadata
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  # log node related audits, level RequestResponse
  - level: RequestResponse
    userGroups: ["system:nodes"]
  # for everything else don't log anything
  - level: None
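The apiserver compares each audit event against the rules in order and the first matching rule sets the level, so the order of the two rules above matters: a node reading a Secret hits the `secrets` rule first and is logged at Metadata, not RequestResponse. The following added example (written for this page, not code from the task or from Kubernetes) re-implements that first-match evaluation for the two selectors this policy uses, `resources` and `userGroups`, and runs it over constructed request attributes with hypothetical user and node names:

```python
"""Added example, not part of the original task or solution: a minimal
re-implementation of how the kube-apiserver chooses the audit level for an
event under the policy above. Kubernetes walks the rules in order and the
first matching rule wins, so rule order decides what gets logged."""

# The three rules of /etc/kubernetes/audit/policy.yaml as Python dicts,
# using the audit.k8s.io/v1 field names.
POLICY_RULES = [
    {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets"]}]},
    {"level": "RequestResponse", "userGroups": ["system:nodes"]},
    {"level": "None"},
]


def rule_matches(rule, event):
    """True when every selector present on the rule matches the event.

    Only the selectors used in this policy are implemented: 'resources'
    (API group + resource names) and 'userGroups'. A rule with no selector
    (the final 'level: None') matches every event.
    """
    if "userGroups" in rule:
        if not set(rule["userGroups"]) & set(event.get("groups", [])):
            return False
    if "resources" in rule:
        ref = event.get("objectRef")
        if ref is None:
            return False  # non-resource requests (e.g. /healthz) never match
        matched = False
        for spec in rule["resources"]:
            if spec.get("group", "") != ref.get("apiGroup", ""):
                continue
            names = spec.get("resources")
            if not names or ref.get("resource") in names:
                matched = True
                break
        if not matched:
            return False
    return True


def audit_level(event, rules=POLICY_RULES):
    """Return the level of the first rule that matches; an event that
    matches no rule is treated here as 'None' (not logged)."""
    for rule in rules:
        if rule_matches(rule, event):
            return rule["level"]
    return "None"


# Constructed request attributes (hypothetical users and nodes, not real data).
NODE_GROUPS = ["system:nodes", "system:authenticated"]
EVENTS = {
    "user_lists_secrets": {
        "user": "alice", "groups": ["system:authenticated"],
        "objectRef": {"apiGroup": "", "resource": "secrets", "namespace": "default"}},
    "node_gets_secret": {
        "user": "system:node:worker1", "groups": NODE_GROUPS,
        "objectRef": {"apiGroup": "", "resource": "secrets", "namespace": "kube-system"}},
    "node_patches_node_status": {
        "user": "system:node:worker1", "groups": NODE_GROUPS,
        "objectRef": {"apiGroup": "", "resource": "nodes", "subresource": "status"}},
    "user_creates_deployment": {
        "user": "alice", "groups": ["system:authenticated"],
        "objectRef": {"apiGroup": "apps", "resource": "deployments"}},
    "anonymous_healthz": {
        "user": "system:anonymous", "groups": ["system:unauthenticated"]},
}


def classify_all(events=EVENTS):
    """Map each sample event name to the level the policy assigns it."""
    return {name: audit_level(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, level in classify_all().items():
        print(f"{name:26s} -> {level}")
```

Running it shows `node_gets_secret -> Metadata`: the Secret rule wins because it comes first. If the two rules were swapped, node reads of Secrets would be logged at RequestResponse, which writes the full request and response bodies (including Secret data) into audit.log, so keep the Secret rule ahead of any RequestResponse rule.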
Restart the apiserver and observe the change
cd /etc/kubernetes/manifests/
mv kube-apiserver.yaml ..
watch crictl ps   # wait until the apiserver container is gone
truncate -s 0 /etc/kubernetes/audit/logs/audit.log   # empty the log file while the apiserver is down
mv ../kube-apiserver.yaml .   # the apiserver starts again with the new policy
Inspect the new entries, formatted with jq
cat /etc/kubernetes/audit/logs/audit.log | tail | jq
# number of Secret entries
cat /etc/kubernetes/audit/logs/audit.log | grep '"resource":"secrets"' | wc -l
# Secret entries that are NOT level Metadata (should be 0)
cat /etc/kubernetes/audit/logs/audit.log | grep '"resource":"secrets"' | grep -v '"level":"Metadata"' | wc -l
# entries that are NOT level RequestResponse (i.e. the Metadata ones)
cat /etc/kubernetes/audit/logs/audit.log | grep -v '"level":"RequestResponse"' | wc -l
# RequestResponse entries that are NOT from system:nodes (should be 0)
cat /etc/kubernetes/audit/logs/audit.log | grep '"level":"RequestResponse"' | grep -v "system:nodes" | wc -l
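The grep counts above work, but they only inspect substrings. The added example below (written for this page, not part of the original solution) parses audit.log as JSON lines and checks every entry against the altered policy: Secret entries must be level Metadata, RequestResponse entries must come from a user in `system:nodes`, and no other level may appear. The field names (`level`, `user.groups`, `objectRef.resource`) are those of the audit.k8s.io/v1 Event; the sample records are constructed and trimmed to the fields the check uses.

```python
"""Added example, not part of the original solution: parse audit.log as
JSON lines and check every entry against the altered policy, instead of
relying on ad-hoc grep patterns. Field names (level, user.groups,
objectRef.resource) follow the audit.k8s.io/v1 Event schema."""
import json
import sys
from collections import Counter

# Levels the altered policy can actually write; 'None' events are dropped
# by the apiserver and never reach the file.
ALLOWED_LEVELS = {"Metadata", "RequestResponse"}


def check_audit_log(lines):
    """Return (counts, violations) for an iterable of audit.log lines.

    counts     : Counter keyed by (level, resource or '<non-resource>')
    violations : list of strings; empty when every entry satisfies
                 - Secret entries are level Metadata
                 - RequestResponse entries come from system:nodes
                 - no other level appears
    """
    counts = Counter()
    violations = []
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            violations.append(f"line {lineno}: not valid JSON")
            continue
        level = ev.get("level")
        resource = ev.get("objectRef", {}).get("resource", "<non-resource>")
        user = ev.get("user", {})
        counts[(level, resource)] += 1

        if resource == "secrets" and level != "Metadata":
            violations.append(f"line {lineno}: secrets logged at {level}")
        if level == "RequestResponse" and "system:nodes" not in user.get("groups", []):
            violations.append(f"line {lineno}: RequestResponse from non-node user "
                              f"{user.get('username')!r}")
        if level not in ALLOWED_LEVELS:
            violations.append(f"line {lineno}: unexpected level {level!r}")
    return counts, violations


def check_audit_log_file(path):
    """Same check, reading the file line by line (audit.log can be large)."""
    with open(path, encoding="utf-8") as fh:
        return check_audit_log(fh)


# Constructed sample entries (trimmed to the fields the check uses; real
# events also carry auditID, stage, requestURI, timestamps and more).
SAMPLE_LOG = [
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                "verb": "get",
                "user": {"username": "system:node:worker1",
                         "groups": ["system:nodes", "system:authenticated"]},
                "objectRef": {"resource": "secrets", "namespace": "kube-system",
                              "name": "example-token"}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
                "verb": "patch",
                "user": {"username": "system:node:worker1",
                         "groups": ["system:nodes", "system:authenticated"]},
                "objectRef": {"resource": "nodes", "subresource": "status", "name": "worker1"},
                "requestObject": {"status": {}}, "responseObject": {"kind": "Node"}}),
    # Deliberately wrong entry: a Secret body written at RequestResponse by a
    # non-node user; the check must flag it twice (wrong level, wrong group).
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
                "verb": "create",
                "user": {"username": "alice", "groups": ["system:authenticated"]},
                "objectRef": {"resource": "secrets", "namespace": "default", "name": "db-pass"},
                "requestObject": {"data": {"password": "<redacted>"}}}),
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        counts, problems = check_audit_log_file(sys.argv[1])
    else:
        counts, problems = check_audit_log(SAMPLE_LOG)
    for (level, resource), n in sorted(counts.items(), key=str):
        print(f"{level:16s} {resource:20s} {n}")
    for p in problems:
        print("VIOLATION:", p)
    sys.exit(1 if problems else 0)
```

Run it as `python3 check_audit.py /etc/kubernetes/audit/logs/audit.log` on the control plane node to get a per-level/per-resource count and a non-zero exit status if any line violates the policy; without an argument it runs over the constructed sample, where only the third record is flagged.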