/etc/kubernetes/logpolicy/sample-policy.yaml 提供了基本策略。它仅指定不记录的内容。
注意:基本策略位于 cluster 的 master 节点上。
编辑和扩展基本策略以记录:
RequestResponse 级别的 persistentvolumes 更改
namespace front-apps 中 configmaps 更改的请求体
Metadata 级别的所有 namespace 中的 ConfigMap 和 Secret 的更改
此外,添加一个全方位的规则以在 Metadata 级别记录所有其他请求。
注意:不要忘记应用修改后的策略。
kube-apiserver.yaml选项解释:
- -audit-policy-file 指定审计策略文件
- -audit-log-path 指定用来写入审计事件的日志文件路径。不指定此标志会禁用日志后端。
- -audit-log-maxage 定义保留旧审计日志文件的最大天数
- -audit-log-maxbackup 定义要保留的审计日志文件的最大数量
- -audit-log-maxsize 定义审计日志文件轮转之前的最大大小(兆字节)
更多见参考
## 环境搭建
**命令**
mkdir -p /etc/kubernetes/logpolicy/
vim /etc/kubernetes/logpolicy/sample-policy.yaml
内容
apiVersion: audit.k8s.io/v1
kind: Policy
Don’t generate audit events for all requests in RequestReceived stage.
omitStages:
- “RequestReceived”
rules:
Don’t log watch requests by the “system:kube-proxy” on endpoints or services
- level: None
users: [“system:kube-proxy”]
verbs: [“watch”]
resources:- group: “” # core API group
resources: [“endpoints”, “services”]
- group: “” # core API group
Don’t log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: [“system:authenticated”]
nonResourceURLs:- “/api*” # Wildcard matching.
- “/version”
Please do not delete the above rule content, you can continue add it below.
## 解题
**命令**
vim /etc/kubernetes/logpolicy/sample-policy.yaml
内容
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
Don’t generate audit events for all requests in RequestReceived stage.
omitStages:
- “RequestReceived”
rules:
Don’t log watch requests by the “system:kube-proxy” on endpoints or services
- level: None
users: [“system:kube-proxy”]
verbs: [“watch”]
resources:- group: “” # core API group
resources: [“endpoints”, “services”]
- group: “” # core API group
Don’t log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: [“system:authenticated”]
nonResourceURLs:- “/api*” # Wildcard matching.
- “/version”
Please do not delete the above rule content, you can continue add it below.
Log pod changes at RequestResponse level
- level: RequestResponse
resources:- group: “”
resources: [“persistentvolumes”]
- group: “”
Log “pods/log”, “pods/status” at Metadata level
- level: Metadata
resources:- group: “”
resources: [“secrets”, “configmaps”]
- group: “”
Log the request body of configmap changes in kube-system.
- level: Request
resources:- group: “” # core API group
resources: [“configmaps”]
namespaces: [“front-apps”]
- group: “” # core API group
A catch-all rule to log all other requests at the Metadata level.
- level: Metadata
Long-running requests like watches that fall under this rule will not
generate an audit event in RequestReceived.
omitStages:- “RequestReceived”
**截图**
修改kube-apiserverl.yaml配置文件
**命令**
vim /etc/kubernetes/manifests/kube-apiserver.yaml
添加以下四个启动项
- –audit-log-path=/var/log/kubernetes/audit-logs.txt
- –audit-policy-file=/etc/kubernetes/logpolicy/sample-policy.yaml
- –audit-log-maxage=10
- –audit-log-maxbackup=2
**截图**
**截图**
## 最后
**自我介绍一下,小编13年上海交大毕业,曾经在小公司待过,也去过华为、OPPO等大厂,18年进入阿里一直到现在。**
**深知大多数网络安全工程师,想要提升技能,往往是自己摸索成长,但自己不成体系的自学效果低效又漫长,而且极易碰到天花板技术停滞不前!**
**因此收集整理了一份《2024年网络安全全套学习资料》,初衷也很简单,就是希望能够帮助到想自学提升又不知道该从何学起的朋友。**
**既有适合小白学习的零基础资料,也有适合3年以上经验的小伙伴深入学习提升的进阶课程,基本涵盖了95%以上网络安全知识点!真正的体系化!**
[**如果你觉得这些内容对你有帮助,需要这份全套学习资料的朋友可以戳我获取!!**](https://bbs.csdn.net/topics/618653875)
**由于文件比较大,这里只是将部分目录截图出来,每个节点里面都包含大厂面经、学习笔记、源码讲义、实战项目、讲解视频,并且会持续更新!**
涵盖了95%以上网络安全知识点!真正的体系化!**
[**如果你觉得这些内容对你有帮助,需要这份全套学习资料的朋友可以戳我获取!!**](https://bbs.csdn.net/topics/618653875)
**由于文件比较大,这里只是将部分目录截图出来,每个节点里面都包含大厂面经、学习笔记、源码讲义、实战项目、讲解视频,并且会持续更新!**
666
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
