

Merge pull request #133 from adberger/master
[vcluster]: Add audit feature to apiserver
adberger authored Oct 7, 2024
2 parents 8342aa7 + e9bf266 commit 708ecbb
Showing 6 changed files with 83 additions and 20 deletions.
17 changes: 0 additions & 17 deletions .github/workflows/lint-and-test.yml
Expand Up @@ -53,20 +53,3 @@ jobs:
- name: Run chart-testing (lint)
run: ct lint --config ct.yaml --lint-conf lintconf.yaml
if: steps.list-changed.outputs.changed == 'true'

- name: Create kind cluster
uses: helm/[email protected]
if: steps.list-changed.outputs.changed == 'true'
#with:
# kubectl_version: v1.22.0

# Install Dependencies
- name: Install Required dependencies
if: steps.list-changed.outputs.changed == 'true'
run: |
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml
kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
- name: Run chart-testing (install)
run: ct install --config ct.yaml
if: steps.list-changed.outputs.changed == 'true'
2 changes: 1 addition & 1 deletion charts/vcluster/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: vcluster
description: Virtual Kubernetes Cluster
type: application
version: 0.5.7
version: 0.6.0
appVersion: 0.1.0
keywords:
- vcluster
10 changes: 9 additions & 1 deletion charts/vcluster/README.md
Expand Up @@ -2,7 +2,7 @@

__This Chart is under active development! We try to improve documentation and values consistency over time__

![Version: 0.5.7](https://img.shields.io/badge/Version-0.5.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

Virtual Kubernetes Cluster

Expand Down Expand Up @@ -410,6 +410,14 @@ Deploys [Kubernetes API Server](https://kubernetes.io/docs/reference/command-lin
| kubernetes.apiServer.affinity | object | `{}` | Affinity |
| kubernetes.apiServer.annotations | object | `{}` | Annotations for Workload |
| kubernetes.apiServer.args | object | `{}` | Extra arguments for the kube-apiserver |
| kubernetes.apiServer.audit.enabled | bool | `false` | Enable Audit Log |
| kubernetes.apiServer.audit.maxAge | string | `"7"` | Defines the maximum number of days to retain old audit log files |
| kubernetes.apiServer.audit.maxBackup | string | `"2"` | Defines the maximum number of audit log files to retain |
| kubernetes.apiServer.audit.maxSize | string | `"100"` | Defines the maximum size in megabytes of the audit log file before it gets rotated |
| kubernetes.apiServer.audit.policy | string | `"# Log all requests at the Metadata level.\napiVersion: audit.k8s.io/v1\nkind: Policy\nrules:\n - level: Metadata\n"` | Audit Policy |
| kubernetes.apiServer.audit.truncateEnabled | bool | `false` | Whether event and batch truncating is enabled |
| kubernetes.apiServer.audit.truncateMaxBatchSize | string | `"10485760"` | Maximum size in bytes of the batch sent to the underlying backend |
| kubernetes.apiServer.audit.truncateMaxEventSize | string | `"102400"` | Maximum size in bytes of the audit event sent to the underlying backend |
| kubernetes.apiServer.autoscaling.enabled | bool | `false` | Enable Horizontal Pod Autoscaler |
| kubernetes.apiServer.autoscaling.maxReplicas | int | `5` | Maximum available Replicas |
| kubernetes.apiServer.autoscaling.minReplicas | int | `1` | Minimum available Replicas |
Expand Up @@ -111,6 +111,18 @@ spec:
- --advertise-address={{ . }}
{{- end }}
{{- end }}
{{- if $kubernetes.apiServer.audit.enabled }}
- --audit-policy-file=/etc/kubernetes/audit/policy.yaml
- --audit-log-path=/var/log/kubernetes/audit/audit.log
- --audit-log-maxage={{ $kubernetes.apiServer.audit.maxAge | int }}
- --audit-log-maxbackup={{ $kubernetes.apiServer.audit.maxBackup | int }}
- --audit-log-maxsize={{ $kubernetes.apiServer.audit.maxSize | int }}
{{- if $kubernetes.apiServer.audit.truncateEnabled }}
- --audit-log-truncate-enabled={{ $kubernetes.apiServer.audit.truncateEnabled }}
- --audit-log-truncate-max-batch-size={{ $kubernetes.apiServer.audit.truncateMaxBatchSize | int }}
- --audit-log-truncate-max-event-size={{ $kubernetes.apiServer.audit.truncateMaxEventSize | int }}
{{- end }}
{{- end }}
{{- with $kubernetes.apiServer.args }}
{{- include "pkg.utils.args" (dict "args" . "ctx" $) | nindent 8 }}
{{- end }}
Expand Down Expand Up @@ -171,6 +183,14 @@ spec:
name: konnectivity-uds
{{- end }}
{{- end }}
{{- if $kubernetes.apiServer.audit.enabled }}
- mountPath: /etc/kubernetes/audit/
name: audit
readOnly: true
- mountPath: /var/log/kubernetes/audit/
name: audit-log
readOnly: false
{{- end }}
{{- with $kubernetes.apiServer.volumeMounts }}
{{- toYaml . | nindent 8 }}
{{- end }}
Expand Down Expand Up @@ -207,6 +227,15 @@ spec:
{{- include "kubernetes.konnectivityServer.volumes" $ | nindent 6 }}
{{- end }}
{{- end }}
{{- if $kubernetes.apiServer.audit.enabled }}
- configMap:
name: "{{ $fullName }}-audit-policy"
name: audit
- name: audit-log
hostPath:
path: /var/log/kubernetes/audit/
type: DirectoryOrCreate
{{- end }}
{{- with $kubernetes.apiServer.volumes }}
{{- toYaml . | nindent 6 }}
{{- end }}
@@ -0,0 +1,18 @@
{{- if (include "kubernetes.enabled" $) -}}
{{- $kubernetes := $.Values.kubernetes -}}
{{- if and $kubernetes.apiServer.enabled $kubernetes.apiServer.audit.enabled -}}
{{- $fullName := include "kubernetes.fullname" . -}}
{{- $component_name := "apiserver" -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $fullName }}-audit-policy
labels: {{- include "kubernetes.labels" $ | nindent 4 }}
{{ include "pkg.common.labels.component" $ }}: {{ $component_name }}
namespace: {{ $.Release.Namespace }}
data:
policy.yaml: |
{{- $kubernetes.apiServer.audit.policy | nindent 4 }}
{{- end -}}
{{- end -}}
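Review bot: The `policy.yaml` key is rendered verbatim from `kubernetes.apiServer.audit.policy` with no validation, and kube-apiserver refuses to start when `--audit-policy-file` is not a parseable Policy, so a typo in a user-supplied value turns into a crash-looping control plane rather than a failed `helm install`. A render-time check before the `---` catches that early: `{{- if (fromYaml $kubernetes.apiServer.audit.policy).Error }}` / `{{- fail "kubernetes.apiServer.audit.policy is not valid YAML" }}` / `{{- end }}`. Helm's `fromYaml` reports parse failures through an `Error` key, so this costs nothing when the value is valid.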
27 changes: 26 additions & 1 deletion charts/vcluster/values.yaml
Expand Up @@ -998,7 +998,6 @@ osm:
# -- Benchmark Memory Usage
targetMemoryUtilizationPercentage:


# ----------------------------
# Kubernetes Component
# ----------------------------
Expand Down Expand Up @@ -1453,6 +1452,32 @@ kubernetes:
# -- Assign additional Annotations
annotations: {}

# API Server Audit Configuration
audit:
# -- Enable Audit Log
enabled: false

# -- Defines the maximum number of days to retain old audit log files
maxAge: "7"
# -- Defines the maximum number of audit log files to retain
maxBackup: "2"
# -- Defines the maximum size in megabytes of the audit log file before it gets rotated
maxSize: "100"
# -- Whether event and batch truncating is enabled
truncateEnabled: false
# -- Maximum size in bytes of the batch sent to the underlying backend
truncateMaxBatchSize: "10485760"
# -- Maximum size in bytes of the audit event sent to the underlying backend
truncateMaxEventSize: "102400"

# -- Audit Policy
policy: |
# Log all requests at the Metadata level.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
controllerManager:
# -- Enable Kubernetes Controller-Manager
enabled: true
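Review bot: The default `policy` logs everything at `Metadata`, which is the safe choice, but the `# -- Audit Policy` comment should warn operators what happens when they raise a rule, because `Request` and `RequestResponse` levels write object bodies, including `Secret` data, into the log file: `# -- Audit Policy. Keep secrets, configmaps and tokenreviews at Metadata level; Request/RequestResponse levels write object bodies (including Secret data) to the log.`. The upstream reference policy also adds `omitStages: ["RequestReceived"]`, which halves event volume without losing information, and is worth including in the default. The rotation and truncation values are quoted strings (`"7"`, `"100"`, `"10485760"`) that the template immediately passes through `| int`; declaring them as integers would match `autoscaling.maxReplicas: 5` above and the README's type column.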
