diff --git a/.github/workflows/lint-and-test.yml b/.github/workflows/lint-and-test.yml
index be1a9a4e..a7972396 100644
--- a/.github/workflows/lint-and-test.yml
+++ b/.github/workflows/lint-and-test.yml
@@ -53,20 +53,3 @@ jobs:
 - name: Run chart-testing (lint)
 run: ct lint --config ct.yaml --lint-conf lintconf.yaml
 if: steps.list-changed.outputs.changed == 'true'
-
- - name: Create kind cluster
- uses: helm/kind-action@v1.5.0
- if: steps.list-changed.outputs.changed == 'true'
- #with:
- # kubectl_version: v1.22.0
-
- # Install Dependencies
- - name: Install Required dependencies
- if: steps.list-changed.outputs.changed == 'true'
- run: |
- kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml
- kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
-
- - name: Run chart-testing (install)
- run: ct install --config ct.yaml
- if: steps.list-changed.outputs.changed == 'true'
diff --git a/charts/vcluster/Chart.yaml b/charts/vcluster/Chart.yaml
index b3a39dd2..fe741fcf 100644
--- a/charts/vcluster/Chart.yaml
+++ b/charts/vcluster/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: vcluster
 description: Virtual Kubernetes Cluster
 type: application
-version: 0.5.7
+version: 0.6.0
 appVersion: 0.1.0
 keywords:
 - vcluster
diff --git a/charts/vcluster/README.md b/charts/vcluster/README.md
index 42389133..2cb33be1 100644
--- a/charts/vcluster/README.md
+++ b/charts/vcluster/README.md
@@ -2,7 +2,7 @@ __This Chart is under active development! We try to improve documentation and values consistency over time__ -![Version: 0.5.7](https://img.shields.io/badge/Version-0.5.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Virtual Kubernetes Cluster 
@@ -410,6 +410,14 @@ Deploys [Kubernetes API Server](https://kubernetes.io/docs/reference/command-lin
 | kubernetes.apiServer.affinity | object | `{}` | Affinity |
 | kubernetes.apiServer.annotations | object | `{}` | Annotations for Workload |
 | kubernetes.apiServer.args | object | `{}` | Extra arguments for the kube-apiserver |
+| kubernetes.apiServer.audit.enabled | bool | `false` | Enable Audit Log |
+| kubernetes.apiServer.audit.maxAge | string | `"7"` | Defines the maximum number of days to retain old audit log files |
+| kubernetes.apiServer.audit.maxBackup | string | `"2"` | Defines the maximum number of audit log files to retain |
+| kubernetes.apiServer.audit.maxSize | string | `"100"` | Defines the maximum size in megabytes of the audit log file before it gets rotated |
+| kubernetes.apiServer.audit.policy | string | `"# Log all requests at the Metadata level.\napiVersion: audit.k8s.io/v1\nkind: Policy\nrules:\n - level: Metadata\n"` | Audit Policy |
+| kubernetes.apiServer.audit.truncateEnabled | bool | `false` | Whether event and batch truncating is enabled |
+| kubernetes.apiServer.audit.truncateMaxBatchSize | string | `"10485760"` | Maximum size in bytes of the batch sent to the underlying backend |
+| kubernetes.apiServer.audit.truncateMaxEventSize | string | `"102400"` | Maximum size in bytes of the audit event sent to the underlying backend |
 | kubernetes.apiServer.autoscaling.enabled | bool | `false` | Enable Horizontal Pod Autoscaler |
 | kubernetes.apiServer.autoscaling.maxReplicas | int | `5` | Maximum available Replicas |
 | kubernetes.apiServer.autoscaling.minReplicas | int | `1` | Minimum available Replicas |
diff --git a/charts/vcluster/templates/components/kubernetes/apiserver/deployment.yaml b/charts/vcluster/templates/components/kubernetes/apiserver/deployment.yaml
index ad80d905..82613e80 100644
--- a/charts/vcluster/templates/components/kubernetes/apiserver/deployment.yaml
+++ b/charts/vcluster/templates/components/kubernetes/apiserver/deployment.yaml
@@ -111,6 +111,18 @@ spec:
 - --advertise-address={{ . }}
 {{- end }}
 {{- end }}
+ {{- if $kubernetes.apiServer.audit.enabled }}
+ - --audit-policy-file=/etc/kubernetes/audit/policy.yaml
+ - --audit-log-path=/var/log/kubernetes/audit/audit.log
+ - --audit-log-maxage={{ $kubernetes.apiServer.audit.maxAge | int }}
+ - --audit-log-maxbackup={{ $kubernetes.apiServer.audit.maxBackup | int }}
+ - --audit-log-maxsize={{ $kubernetes.apiServer.audit.maxSize | int }}
+ {{- if $kubernetes.apiServer.audit.truncateEnabled }}
+ - --audit-log-truncate-enabled={{ $kubernetes.apiServer.audit.truncateEnabled }}
+ - --audit-log-truncate-max-batch-size={{ $kubernetes.apiServer.audit.truncateMaxBatchSize | int }}
+ - --audit-log-truncate-max-event-size={{ $kubernetes.apiServer.audit.truncateMaxEventSize | int }}
+ {{- end }}
+ {{- end }}
 {{- with $kubernetes.apiServer.args }}
 {{- include "pkg.utils.args" (dict "args" . "ctx" $) | nindent 8 }}
 {{- end }}
@@ -171,6 +183,14 @@ spec:
 name: konnectivity-uds
 {{- end }}
 {{- end }}
+ {{- if $kubernetes.apiServer.audit.enabled }}
+ - mountPath: /etc/kubernetes/audit/
+ name: audit
+ readOnly: true
+ - mountPath: /var/log/kubernetes/audit/
+ name: audit-log
+ readOnly: false
+ {{- end }}
 {{- with $kubernetes.apiServer.volumeMounts }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
@@ -207,6 +227,15 @@ spec:
 {{- include "kubernetes.konnectivityServer.volumes" $ | nindent 6 }}
 {{- end }}
 {{- end }}
+ {{- if $kubernetes.apiServer.audit.enabled }}
+ - configMap:
+ name: "{{ $fullName }}-audit-policy"
+ name: audit
+ - name: audit-log
+ hostPath:
+ path: /var/log/kubernetes/audit/
+ type: DirectoryOrCreate
+ {{- end }}
 {{- with $kubernetes.apiServer.volumes }}
 {{- toYaml . | nindent 6 }}
 {{- end }}
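Review bot: `--audit-log-truncate-enabled={{ $kubernetes.apiServer.audit.truncateEnabled }}` in the first hunk sits inside `{{- if $kubernetes.apiServer.audit.truncateEnabled }}`, so the interpolation can only ever render `true`; `- --audit-log-truncate-enabled=true` says the same thing without the template expression. The `| int` conversions on the quoted string defaults (`"7"`, `"2"`, `"100"`) work, but a value such as `maxAge: ""` silently renders `--audit-log-maxage=0` instead of failing the render, which is worth a one-line comment next to the flag. The container `args` list starts before this hunk.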
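Review bot: The `audit-log` volume in the third hunk is a `hostPath` with `type: DirectoryOrCreate`, so the virtual cluster's audit trail (user, verb and resource for every request under the default `Metadata` policy) is written to the host node's filesystem, where it is refused by Pod Security admission at the `baseline` and `restricted` levels, outlives the pod, and is shared by any two apiserver replicas that land on the same node (the chart exposes `autoscaling.maxReplicas`), which would interleave their writes into one `audit.log`. A `persistentVolumeClaim` selected through a chart value, with `hostPath` only as an explicit opt-in, would keep the log inside the namespace's access controls; at minimum the values comment for `audit.enabled` should state that the log lands on the node at `/var/log/kubernetes/audit/`. The second hunk's `readOnly: false` is the default and can be dropped. Both the volumeMounts and volumes lists begin and end outside these hunks.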
diff --git a/charts/vcluster/templates/components/kubernetes/apiserver/policy.yaml b/charts/vcluster/templates/components/kubernetes/apiserver/policy.yaml
new file mode 100644
index 00000000..4e8f36c8
--- /dev/null
+++ b/charts/vcluster/templates/components/kubernetes/apiserver/policy.yaml
@@ -0,0 +1,18 @@
+{{- if (include "kubernetes.enabled" $) -}}
+ {{- $kubernetes := $.Values.kubernetes -}}
+ {{- if and $kubernetes.apiServer.enabled $kubernetes.apiServer.audit.enabled -}}
+ {{- $fullName := include "kubernetes.fullname" . -}}
+ {{- $component_name := "apiserver" -}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $fullName }}-audit-policy
+ labels: {{- include "kubernetes.labels" $ | nindent 4 }}
+ {{ include "pkg.common.labels.component" $ }}: {{ $component_name }}
+ namespace: {{ $.Release.Namespace }}
+data:
+ policy.yaml: |
+ {{- $kubernetes.apiServer.audit.policy | nindent 4 }}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/vcluster/values.yaml b/charts/vcluster/values.yaml
index 7fd0d91e..19b262fb 100644
--- a/charts/vcluster/values.yaml
+++ b/charts/vcluster/values.yaml
@@ -998,7 +998,6 @@ osm:
 # -- Benchmark Memory Usage
 targetMemoryUtilizationPercentage:
-
 # ----------------------------
 # Kubernetes Component
 # ----------------------------
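Review bot: Nothing ties the content of this ConfigMap to the apiserver pod, and the apiserver reads `--audit-policy-file` at startup, so changing `kubernetes.apiServer.audit.policy` and upgrading swaps the ConfigMap while the running pods keep enforcing the old policy until something else restarts them. The usual fix is a pod-template annotation in deployment.yaml (outside the hunks there), for example `checksum/audit-policy: {{ $kubernetes.apiServer.audit.policy | sha256sum }}`, unless the Deployment already carries such an annotation. The `policy.yaml: |` line also renders an empty file when the value is set to `""`, which the apiserver will reject at startup rather than the chart at render time; `{{- required "kubernetes.apiServer.audit.policy must not be empty when audit is enabled" $kubernetes.apiServer.audit.policy | nindent 4 }}` moves that failure to `helm install`. A header comment stating that the policy is read only at startup would help whoever edits this value next.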
@@ -1453,6 +1452,32 @@ kubernetes: # -- Assign additional Annotations annotations: {} + # API Server Audit Configuration + audit: + # -- Enable Audit Log + enabled: false + + # -- Defines the maximum number of days to retain old audit log files + maxAge: "7" + # -- Defines the maximum number of audit log files to retain + maxBackup: "2" + # -- Defines the maximum size in megabytes of the audit log file before it gets rotated + maxSize: "100" + # -- Whether event and batch truncating is enabled + truncateEnabled: false + # -- Maximum size in bytes of the batch sent to the underlying backend + truncateMaxBatchSize: "10485760" + # -- Maximum size in bytes of the audit event sent to the underlying backend + truncateMaxEventSize: "102400" + + # -- Audit Policy + policy: | + # Log all requests at the Metadata level. + apiVersion: audit.k8s.io/v1 + kind: Policy + rules: + - level: Metadata + controllerManager: # -- Enable Kubernetes Controller-Manager enabled: true
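Review bot: The default `policy` under `audit:` logs every request at `Metadata` but declares no `omitStages`, so each request produces at least two events (RequestReceived and ResponseComplete), doubling log volume and the rotation churn governed by `maxSize`/`maxBackup`; the upstream example policies add `omitStages:` / `  - "RequestReceived"` before `rules:` for exactly this reason. The same default string is copied verbatim into the README table earlier in this commit, so regenerate it (the `# --` markers suggest helm-docs) if the value changes. `maxAge`, `maxBackup`, `maxSize` and the two truncate sizes are quoted strings even though deployment.yaml pipes each through `| int`; plain integers such as `maxAge: 7` would make the intended type visible in values.yaml and in the generated docs. The `kubernetes:` mapping continues outside this hunk.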