Also support a mix of dynamic + static log

Useful when you want to show both dynamic audit sinks as well as logging
to a file.

examples/k8s_audit_config/README.md

@@ -104,3 +104,18 @@ FALCO_SERVICE_CLUSTERIP=$(kubectl get service falco-service -o=jsonpath={.spec.c
 ### Observe K8s audit events at falco
 
 K8s audit events will then be routed to the falco daemonset within the cluster, which you can observe via `kubectl logs -f $(kubectl get pods -l app=falco-example -o jsonpath={.items[0].metadata.name})`.
+
+## K8s 1.13 + Local Log File Instructions
+
+If you want to use a mix of AuditSink for remote audit events as well as a local audit log file, you can run enable-k8s-audit.sh with the "dynamic-log" argument e.g. `bash ./enable-k8s-audit.sh <variant> dynamic+log`. This will enable dynamic audit logs as well as a static audit log to a local file. Its output looks like this:
+
+```
+***Copying apiserver config patch script to apiserver...
+apiserver-config.patch.sh                                                                          100% 2211   662.9KB/s   00:00
+***Copying audit policy file to apiserver...
+audit-policy.yaml                                                                                  100% 2519   847.7KB/s   00:00
+***Modifying k8s apiserver config (will result in apiserver restarting)...
+***Done!
+```
+
+The audit log will be available on the apiserver host at `/var/lib/k8s_audit/audit.log`.

examples/k8s_audit_config/apiserver-config.patch.sh

@@ -1,5 +1,7 @@
 #!/bin/sh
 
+set -euo pipefail
+
 IFS=''
 
 FILENAME=${1:-/etc/kubernetes/manifests/kube-apiserver.yaml}
@@ -34,25 +36,28 @@ do
     echo "$LINE" >> "$TMPFILE"
     case "$LINE" in
         *$APISERVER_LINE*)
-	    if [ $AUDIT_TYPE == "static" ]; then
+	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
 		echo "$APISERVER_PREFIX --audit-log-path=/var/lib/k8s_audit/audit.log" >> "$TMPFILE"
 		echo "$APISERVER_PREFIX --audit-policy-file=/var/lib/k8s_audit/audit-policy.yaml" >> "$TMPFILE"
-		echo "$APISERVER_PREFIX --audit-webhook-config-file=/var/lib/k8s_audit/webhook-config.yaml" >> "$TMPFILE"
-		echo "$APISERVER_PREFIX --audit-webhook-batch-max-wait=5s" >> "$TMPFILE"
-	    else
+		if [[ $AUDIT_TYPE == "static" ]]; then
+		    echo "$APISERVER_PREFIX --audit-webhook-config-file=/var/lib/k8s_audit/webhook-config.yaml" >> "$TMPFILE"
+		    echo "$APISERVER_PREFIX --audit-webhook-batch-max-wait=5s" >> "$TMPFILE"
+		fi
+	    fi
+	    if [[ ($AUDIT_TYPE == "dynamic" || $AUDIT_TYPE == "dynamic+log") ]]; then
 		echo "$APISERVER_PREFIX --audit-dynamic-configuration" >> "$TMPFILE"
 		echo "$APISERVER_PREFIX --feature-gates=DynamicAuditing=true" >> "$TMPFILE"
 		echo "$APISERVER_PREFIX --runtime-config=auditregistration.k8s.io/v1alpha1=true" >> "$TMPFILE"
 	    fi
             ;;
         *"volumeMounts:"*)
-	    if [ $AUDIT_TYPE == "static" ]; then
+	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
 		echo "    - mountPath: /var/lib/k8s_audit/" >> "$TMPFILE"
 		echo "      name: data" >> "$TMPFILE"
 	    fi
             ;;
         *"volumes:"*)
-	    if [ $AUDIT_TYPE == "static" ]; then
+	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
 		echo "  - hostPath:" >> "$TMPFILE"
 		echo "      path: /var/lib/k8s_audit" >> "$TMPFILE"
 		echo "    name: data" >> "$TMPFILE"

examples/k8s_audit_config/enable-k8s-audit.sh

@@ -34,6 +34,11 @@ if [ $AUDIT_TYPE == "static" ]; then
     scp -i $SSH_KEY webhook-config.yaml $SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit
 fi
 
+if [ $AUDIT_TYPE == "dynamic+log" ]; then
+    echo "***Copying audit policy file to apiserver..."
+    scp -i $SSH_KEY audit-policy.yaml $SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit
+fi
+
 echo "***Modifying k8s apiserver config (will result in apiserver restarting)..."
 
 ssh -i $SSH_KEY $SSH_USER@$APISERVER_HOST "sudo bash /var/lib/k8s_audit/apiserver-config.patch.sh $MANIFEST $VARIANT $AUDIT_TYPE"