From 07905d6ee82bd4d92d34cd8a6208f8ed6e50e127 Mon Sep 17 00:00:00 2001
From: Mik Vyatskov
Date: Thu, 8 Mar 2018 14:05:33 +0100
Subject: [PATCH] Make log audit backend configurable in GCE

Signed-off-by: Mik Vyatskov
---
 cluster/gce/config-test.sh | 1 +
 cluster/gce/gci/configure-helper.sh | 34 ++++++++++++++++++++++++++---
 cluster/gce/util.sh | 8 +++++++
 3 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index 12aaf1fca4..a287e62921 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -377,6 +377,7 @@ ENABLE_LEGACY_ABAC="${ENABLE_LEGACY_ABAC:-false}" # true, false
 
 # Enable a simple "AdvancedAuditing" setup for testing.
 ENABLE_APISERVER_ADVANCED_AUDIT="${ENABLE_APISERVER_ADVANCED_AUDIT:-true}" # true, false
+ADVANCED_AUDIT_LOG_MODE="${ADVANCED_AUDIT_LOG_MODE:-batch}" # batch, blocking
 
 if [[ "${ENABLE_APISERVER_BASIC_AUDIT:-}" == "true" ]]; then
   echo "Warning: Basic audit logging is deprecated and will be removed. Please use advanced auditing instead."
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index ac2cdffb88..e22392ff02 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
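Review bot: Defaulting `ADVANCED_AUDIT_LOG_MODE` to `batch` switches the log backend from a synchronous write per event to an in-memory queue for every test cluster, and the trailing `# batch, blocking` does not tell a reader that the two modes differ in durability: in batch mode, events still buffered when the apiserver dies are lost, and a full buffer can presumably drop events under load. If the apiserver's own default is `blocking` (which I believe it is), test clusters now run a less strict audit mode than a cluster that leaves the variable unset, which should be a deliberate and documented choice. Suggest expanding the comment to `# batch (buffered; events may be lost if the apiserver dies or the buffer fills), blocking (synchronous write per event)`.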
@@ -1515,6 +1515,29 @@ function start-kube-apiserver {
       # grows at 10MiB/s (~30K QPS), it will rotate after ~6 years if apiserver
       # never restarts. Please manually restart apiserver before this time.
       params+=" --audit-log-maxsize=2000000000"
+
+      # Batching parameters
+      if [[ -n "${ADVANCED_AUDIT_LOG_MODE:-}" ]]; then
+        params+=" --audit-log-mode=${ADVANCED_AUDIT_LOG_MODE}"
+      fi
+      if [[ -n "${ADVANCED_AUDIT_LOG_BUFFER_SIZE:-}" ]]; then
+        params+=" --audit-log-batch-buffer-size=${ADVANCED_AUDIT_LOG_BUFFER_SIZE}"
+      fi
+      if [[ -n "${ADVANCED_AUDIT_LOG_MAX_BATCH_SIZE:-}" ]]; then
+        params+=" --audit-log-batch-max-size=${ADVANCED_AUDIT_LOG_MAX_BATCH_SIZE}"
+      fi
+      if [[ -n "${ADVANCED_AUDIT_LOG_MAX_BATCH_WAIT:-}" ]]; then
+        params+=" --audit-log-batch-max-wait=${ADVANCED_AUDIT_LOG_MAX_BATCH_WAIT}"
+      fi
+      if [[ -n "${ADVANCED_AUDIT_LOG_THROTTLE_QPS:-}" ]]; then
+        params+=" --audit-log-batch-throttle-qps=${ADVANCED_AUDIT_LOG_THROTTLE_QPS}"
+      fi
+      if [[ -n "${ADVANCED_AUDIT_LOG_THROTTLE_BURST:-}" ]]; then
+        params+=" --audit-log-batch-throttle-burst=${ADVANCED_AUDIT_LOG_THROTTLE_BURST}"
+      fi
+      if [[ -n "${ADVANCED_AUDIT_LOG_INITIAL_BACKOFF:-}" ]]; then
+        params+=" --audit-log-initial-backoff=${ADVANCED_AUDIT_LOG_INITIAL_BACKOFF}"
+      fi
     fi
     if [[ "${ADVANCED_AUDIT_BACKEND:-}" == *"webhook"* ]]; then
       params+=" --audit-webhook-mode=batch"
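Review bot: `ADVANCED_AUDIT_LOG_MODE` and the six numeric knobs are interpolated straight into the apiserver command line with no check here, so a typo such as `bloking` or a non-numeric buffer size is only caught when the apiserver presumably rejects its flags and the static pod fails to come up, which is slow to diagnose from a bootstrap script. A one-line guard before the first new `if` keeps the failure local and explicit: `[[ -z "${ADVANCED_AUDIT_LOG_MODE:-}" || "${ADVANCED_AUDIT_LOG_MODE}" =~ ^(batch|blocking)$ ]] || { echo "Unsupported ADVANCED_AUDIT_LOG_MODE: ${ADVANCED_AUDIT_LOG_MODE}" >&2; exit 1; }`. The seven identical `if -n … params+= … fi` blocks, and their webhook twins in the next hunk, would also read better as a small name-to-flag loop, but that is cosmetic. `start-kube-apiserver` starts and ends outside this hunk.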
@@ -1522,6 +1545,14 @@ function start-kube-apiserver {
       # Create the audit webhook config file, and mount it into the apiserver pod.
       local -r audit_webhook_config_file="/etc/audit_webhook.config"
       params+=" --audit-webhook-config-file=${audit_webhook_config_file}"
+      create-master-audit-webhook-config "${audit_webhook_config_file}"
+      audit_webhook_config_mount="{\"name\": \"auditwebhookconfigmount\",\"mountPath\": \"${audit_webhook_config_file}\", \"readOnly\": true},"
+      audit_webhook_config_volume="{\"name\": \"auditwebhookconfigmount\",\"hostPath\": {\"path\": \"${audit_webhook_config_file}\", \"type\": \"FileOrCreate\"}},"
+
+      # Batching parameters
+      if [[ -n "${ADVANCED_AUDIT_WEBHOOK_MODE:-}" ]]; then
+        params+=" --audit-webhook-mode=${ADVANCED_AUDIT_WEBHOOK_MODE}"
+      fi
       if [[ -n "${ADVANCED_AUDIT_WEBHOOK_BUFFER_SIZE:-}" ]]; then
         params+=" --audit-webhook-batch-buffer-size=${ADVANCED_AUDIT_WEBHOOK_BUFFER_SIZE}"
       fi
@@ -1540,9 +1571,6 @@ function start-kube-apiserver {
       if [[ -n "${ADVANCED_AUDIT_WEBHOOK_INITIAL_BACKOFF:-}" ]]; then
         params+=" --audit-webhook-initial-backoff=${ADVANCED_AUDIT_WEBHOOK_INITIAL_BACKOFF}"
       fi
-      create-master-audit-webhook-config "${audit_webhook_config_file}"
-      audit_webhook_config_mount="{\"name\": \"auditwebhookconfigmount\",\"mountPath\": \"${audit_webhook_config_file}\", \"readOnly\": true},"
-      audit_webhook_config_volume="{\"name\": \"auditwebhookconfigmount\",\"hostPath\": {\"path\": \"${audit_webhook_config_file}\", \"type\": \"FileOrCreate\"}},"
     fi
   fi
 
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index 0b71822683..21b7a23690 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
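Review bot: `--audit-webhook-mode` is now emitted twice whenever `ADVANCED_AUDIT_WEBHOOK_MODE` is set: the unconditional `params+=" --audit-webhook-mode=batch"` on the line immediately above this hunk (visible as trailing context of the previous hunk) and the new `params+=" --audit-webhook-mode=${ADVANCED_AUDIT_WEBHOOK_MODE}"`, so the effective mode depends on the flag parser's last-occurrence behaviour rather than on anything this script states. Fold the default into the one assignment instead: change the existing line to `params+=" --audit-webhook-mode=${ADVANCED_AUDIT_WEBHOOK_MODE:-batch}"` and drop the new three-line `if` block. The second hunk only relocates the config-file and mount lines and is fine. `start-kube-apiserver` continues outside both hunks.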
@@ -716,6 +716,14 @@ ENABLE_CACHE_MUTATION_DETECTOR: $(yaml-quote ${ENABLE_CACHE_MUTATION_DETECTOR:-f
 ENABLE_PATCH_CONVERSION_DETECTOR: $(yaml-quote ${ENABLE_PATCH_CONVERSION_DETECTOR:-false})
 ADVANCED_AUDIT_POLICY: $(yaml-quote ${ADVANCED_AUDIT_POLICY:-})
 ADVANCED_AUDIT_BACKEND: $(yaml-quote ${ADVANCED_AUDIT_BACKEND:-log})
+ADVANCED_AUDIT_LOG_MODE: $(yaml-quote ${ADVANCED_AUDIT_LOG_MODE:-})
+ADVANCED_AUDIT_LOG_BUFFER_SIZE: $(yaml-quote ${ADVANCED_AUDIT_LOG_BUFFER_SIZE:-})
+ADVANCED_AUDIT_LOG_MAX_BATCH_SIZE: $(yaml-quote ${ADVANCED_AUDIT_LOG_MAX_BATCH_SIZE:-})
+ADVANCED_AUDIT_LOG_MAX_BATCH_WAIT: $(yaml-quote ${ADVANCED_AUDIT_LOG_MAX_BATCH_WAIT:-})
+ADVANCED_AUDIT_LOG_THROTTLE_QPS: $(yaml-quote ${ADVANCED_AUDIT_LOG_THROTTLE_QPS:-})
+ADVANCED_AUDIT_LOG_THROTTLE_BURST: $(yaml-quote ${ADVANCED_AUDIT_LOG_THROTTLE_BURST:-})
+ADVANCED_AUDIT_LOG_INITIAL_BACKOFF: $(yaml-quote ${ADVANCED_AUDIT_LOG_INITIAL_BACKOFF:-})
+ADVANCED_AUDIT_WEBHOOK_MODE: $(yaml-quote ${ADVANCED_AUDIT_WEBHOOK_MODE:-})
 ADVANCED_AUDIT_WEBHOOK_BUFFER_SIZE: $(yaml-quote ${ADVANCED_AUDIT_WEBHOOK_BUFFER_SIZE:-})
 ADVANCED_AUDIT_WEBHOOK_MAX_BATCH_SIZE: $(yaml-quote ${ADVANCED_AUDIT_WEBHOOK_MAX_BATCH_SIZE:-})
 ADVANCED_AUDIT_WEBHOOK_MAX_BATCH_WAIT: $(yaml-quote ${ADVANCED_AUDIT_WEBHOOK_MAX_BATCH_WAIT:-})