How to enable cluster audit logging manually.
1. Prepare the audit policy file
Path: /etc/kubernetes/audit-policy.yaml
Note: first check that the cluster's kube-apiserver accepts audit.k8s.io/v1 (GA since Kubernetes 1.12; older clusters only accept audit.k8s.io/v1beta1, and the apiserver refuses to start on an unknown policy version).
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so a request is not logged a second time before it is handled.
omitStages:
  - "RequestReceived"
# Rules are evaluated top to bottom; the first matching rule decides the level,
# so the specific exclusions come first and the catch-all rules last.
rules:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: ""
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"]
    verbs: ["get"]
    resources:
      - group: ""
        resources: ["nodes"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: ""
        resources: ["nodes"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: ""
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: ""
        resources: ["namespaces"]
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  - level: None
    resources:
      - group: ""
        resources: ["events"]
  # Record only metadata for secrets, configmaps and token reviews so their
  # contents never end up in the audit log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # Get responses can be large; skip them.
  - level: Request
    verbs: ["get", "list", "watch"]
  # Default level
  - level: RequestResponse
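To see which level the policy above assigns to a given request, here is an added example of mine, not part of the original note and not Kubernetes code: a small Python re-implementation of audit.k8s.io/v1 rule matching, with the policy transcribed into Python literals. It models the documented semantics (first matching rule wins; an omitted or empty field matches everything; rules with resources or namespaces match only resource requests, rules with nonResourceURLs match only non-resource requests; no match means the request is not logged) and leaves out resourceNames, subresources and omitStages. The Request values, user names and namespaces are constructed sample inputs.

```python
"""Added example (not Kubernetes code): minimal re-implementation of
audit.k8s.io/v1 Policy matching. First matching rule wins; an omitted or empty
field matches everything; rules with resources/namespaces match only resource
requests, rules with nonResourceURLs only non-resource requests; no match
means not logged. resourceNames, subresources and omitStages are not modelled.
POLICY is the policy file from step 1 transcribed into Python literals."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

POLICY: List[Dict] = [
    {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
     "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
    {"level": "None", "users": ["system:unsecured"], "namespaces": ["kube-system"],
     "verbs": ["get"], "resources": [{"group": "", "resources": ["configmaps"]}]},
    {"level": "None", "users": ["kubelet"], "verbs": ["get"],
     "resources": [{"group": "", "resources": ["nodes"]}]},
    {"level": "None", "userGroups": ["system:nodes"], "verbs": ["get"],
     "resources": [{"group": "", "resources": ["nodes"]}]},
    {"level": "None", "verbs": ["get", "update"], "namespaces": ["kube-system"],
     "users": ["system:kube-controller-manager", "system:kube-scheduler",
               "system:serviceaccount:kube-system:endpoint-controller"],
     "resources": [{"group": "", "resources": ["endpoints"]}]},
    {"level": "None", "users": ["system:apiserver"], "verbs": ["get"],
     "resources": [{"group": "", "resources": ["namespaces"]}]},
    {"level": "None", "nonResourceURLs": ["/healthz*", "/version", "/swagger*"]},
    {"level": "None", "resources": [{"group": "", "resources": ["events"]}]},
    {"level": "Metadata", "resources": [
        {"group": "", "resources": ["secrets", "configmaps"]},
        {"group": "authentication.k8s.io", "resources": ["tokenreviews"]}]},
    {"level": "Request", "verbs": ["get", "list", "watch"]},
    {"level": "RequestResponse"},
]

@dataclass
class Request:
    """Request attributes that policy matching looks at (constructed sample input)."""
    user: str
    verb: str
    groups: List[str] = field(default_factory=list)
    namespace: str = ""   # "" for cluster-scoped resources
    api_group: str = ""   # "" is the core API group
    resource: str = ""    # empty for non-resource requests
    path: str = ""        # only for non-resource requests, e.g. /healthz

    @property
    def is_resource_request(self) -> bool:
        return self.resource != ""

def _path_matches(spec: str, path: str) -> bool:
    # Exact match, or prefix match when the spec ends in "*".
    if spec == "*" or spec == path:
        return True
    return spec.endswith("*") and path.startswith(spec.rstrip("*"))

def _matches_resource(rule: Dict, req: Request) -> bool:
    if not req.is_resource_request:
        return False
    if rule.get("namespaces") and req.namespace not in rule["namespaces"]:
        return False
    if not rule.get("resources"):
        return True
    for gr in rule["resources"]:
        if gr.get("group", "") != req.api_group:
            continue
        names = gr.get("resources", [])
        if not names or "*" in names or req.resource in names:
            return True
    return False

def rule_matches(rule: Dict, req: Request) -> bool:
    if rule.get("users") and req.user not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(req.groups):
        return False
    if rule.get("verbs") and req.verb not in rule["verbs"]:
        return False
    if rule.get("namespaces") or rule.get("resources"):
        return _matches_resource(rule, req)
    if rule.get("nonResourceURLs"):
        return (not req.is_resource_request
                and any(_path_matches(s, req.path) for s in rule["nonResourceURLs"]))
    return True

def matching_rule(policy: List[Dict], req: Request) -> Optional[int]:
    """Index of the first rule that matches, or None if nothing matches."""
    for i, rule in enumerate(policy):
        if rule_matches(rule, req):
            return i
    return None

def audit_level(policy: List[Dict], req: Request) -> str:
    i = matching_rule(policy, req)
    return "None" if i is None else policy[i]["level"]

if __name__ == "__main__":
    samples = [
        Request("alice", "create", resource="secrets", namespace="prod"),
        Request("alice", "create", api_group="apps", resource="deployments", namespace="prod"),
        Request("system:anonymous", "get", path="/healthz"),
    ]
    for r in samples:
        print(f"{r.user:18} {r.verb:7} {r.resource or r.path:12} -> "
              f"rule {matching_rule(POLICY, r)} level {audit_level(POLICY, r)}")
```

The useful check is the ordering one: creating a secret lands on the Metadata rule, so the secret body is not written to the log, whereas with that rule removed the same request falls through to the RequestResponse default and the full object is logged. A non-resource GET that is not in the nonResourceURLs list (for example /api) is still logged at Request level by the get/list/watch rule.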
2. Modify the kube-apiserver parameters
Path: /etc/kubernetes/manifests/kube-apiserver.yaml
Add the following flags to the kube-apiserver command in the manifest:
--audit-log-maxage=7 // maximum number of days to retain old audit log files
--audit-log-maxbackup=10 // maximum number of old audit log files to retain
--audit-log-maxsize=100 // maximum size of the audit log file, in megabytes, before it is rotated
--audit-log-path=/etc/kubernetes/kubernetes.audit // path of the audit log file
--audit-policy-file=/etc/kubernetes/audit-policy.yaml // path of the audit policy file
Because kube-apiserver runs as a static pod, the policy file and the directory that holds the log must also be mounted into the container (hostPath volumes with matching volumeMounts); otherwise the apiserver cannot open the policy file and will not start. The kubelet restarts the static pod as soon as the manifest is saved, so afterwards confirm that the apiserver comes back and that the log file is being written.