Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

adding auditing docs #2431

Merged
merged 1 commit into from
Sep 24, 2021
Merged

adding auditing docs #2431

merged 1 commit into from
Sep 24, 2021

Conversation

jimangel
Copy link
Member

@jimangel jimangel commented Aug 21, 2021
edited
Loading

Inspired by this twitter post, it didn't seem like audit logging was possible in KinD.

The PR introduces a solution that leverages KinD's use of kubeadm to configure auditing for general testing. I also removed the GA roadmap item to avoid further confusion.

Preview: https://deploy-preview-2431--k8s-kind.netlify.app/docs/user/auditing/

Note: The site uses navigation weights 1-4 for ordering and most tutorials are of weight 3. I used 3, but considering it's sorted alphabetically that puts this guide at the top. We might consider changing the weight to 4 to move the bottom; as it's a more advanced use of kind. (I just used 4 to move it to the bottom).

/cc @BenTheElder

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 21, 2021
@tao12345666333
Copy link
Member

cool!

I also made an example before https://github.com/tao12345666333/practical-kubernetes/tree/main/audit

@jimangel jimangel force-pushed the adding-auditing-docs branch from 4e3b2e5 to 7d40a91 Compare September 14, 2021 21:08
@jimangel jimangel force-pushed the adding-auditing-docs branch from 7d40a91 to 3dd2342 Compare September 14, 2021 21:17
aojea
aojea reviewed Sep 23, 2021
View reviewed changes
site/content/docs/user/auditing.md
extraArgs:
audit-log-path: /var/log/kubernetes/kube-apiserver-audit.log
audit-policy-file: /etc/kubernetes/policies/audit-policy.yaml
# mount new files / directories on the control plane
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these things always cause confusion, maybe we should add something more specific indicating "this happens in the kind node" and in extraMounts "this happens in your host"

aojea
aojea reviewed Sep 23, 2021
View reviewed changes
site/content/docs/user/auditing.md
docker exec kind-control-plane cat /var/log/kubernetes/kube-apiserver-audit.log
{{< /codeFromInline >}}

## Troubleshooting
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice

@aojea
Copy link
Contributor

aojea commented Sep 23, 2021

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 23, 2021
tao12345666333
tao12345666333 reviewed Sep 23, 2021
View reviewed changes
Copy link
Member

@tao12345666333 tao12345666333 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@PushkarJ PushkarJ mentioned this pull request Sep 23, 2021
Merged
@aojea
Copy link
Contributor

aojea commented Sep 24, 2021

/approve

Thanks

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aojea, jimangel

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 24, 2021
meowrison
meowrison reviewed Sep 24, 2021
View reviewed changes
site/content/docs/user/auditing.md
Comment on lines +61 to +70
- name: audit-policies
hostPath: /etc/kubernetes/policies
mountPath: /etc/kubernetes/policies
readOnly: true
pathType: "DirectoryOrCreate"
- name: "audit-logs"
hostPath: "/var/log/kubernetes"
mountPath: "/var/log/kubernetes"
readOnly: false
pathType: DirectoryOrCreate
Copy link

@meowrison meowrison Sep 24, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Kind of a nit: There is inconsistent value definition conventions here, some quoted some not. This may be confusing to some. Awesome to see this overall!

@k8s-ci-robot k8s-ci-robot merged commit 8efc370 into kubernetes-sigs:main Sep 24, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@meowrison meowrison meowrison left review comments

@aojea aojea aojea left review comments

@tao12345666333 tao12345666333 tao12345666333 left review comments

@BenTheElder BenTheElder Awaiting requested review from BenTheElder

Assignees

@tao12345666333 tao12345666333

@aojea aojea

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jimangel @tao12345666333 @aojea @k8s-ci-robot @meowrison