diff --git a/examples/k8s_audit_config/README.md b/examples/k8s_audit_config/README.md index 58156491..1523acaa 100644 --- a/examples/k8s_audit_config/README.md +++ b/examples/k8s_audit_config/README.md @@ -104,3 +104,18 @@ FALCO_SERVICE_CLUSTERIP=$(kubectl get service falco-service -o=jsonpath={.spec.c ### Observe K8s audit events at falco K8s audit events will then be routed to the falco daemonset within the cluster, which you can observe via `kubectl logs -f $(kubectl get pods -l app=falco-example -o jsonpath={.items[0].metadata.name})`. + +## K8s 1.13 + Local Log File Instructions + +If you want to use a mix of AuditSink for remote audit events as well as a local audit log file, you can run enable-k8s-audit.sh with the "dynamic-log" argument e.g. `bash ./enable-k8s-audit.sh dynamic+log`. This will enable dynamic audit logs as well as a static audit log to a local file. Its output looks like this: + +``` +***Copying apiserver config patch script to apiserver... +apiserver-config.patch.sh 100% 2211 662.9KB/s 00:00 +***Copying audit policy file to apiserver... +audit-policy.yaml 100% 2519 847.7KB/s 00:00 +***Modifying k8s apiserver config (will result in apiserver restarting)... +***Done! +``` + +The audit log will be available on the apiserver host at `/var/lib/k8s_audit/audit.log`. diff --git a/examples/k8s_audit_config/apiserver-config.patch.sh b/examples/k8s_audit_config/apiserver-config.patch.sh index 82ad7500..e853c977 100644 --- a/examples/k8s_audit_config/apiserver-config.patch.sh +++ b/examples/k8s_audit_config/apiserver-config.patch.sh @@ -1,5 +1,7 @@ #!/bin/sh +set -euo pipefail + IFS='' FILENAME=${1:-/etc/kubernetes/manifests/kube-apiserver.yaml} 
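Review bot: `set -euo pipefail` is added directly under `#!/bin/sh`, and `pipefail` is a bash/ksh option that dash-style `/bin/sh` rejects, so apiserver-config.patch.sh now aborts on its second line whenever it is run via its shebang; the second hunk of this file compounds this by rewriting the tests as `[[ … ]]`, another bashism. It works today only because enable-k8s-audit.sh invokes it as `sudo bash /var/lib/k8s_audit/apiserver-config.patch.sh …`. Change the first line to `#!/bin/bash` (or `#!/usr/bin/env bash`) so direct invocation and ShellCheck agree with the bash features the file now relies on. Note also that under `set -u` an omitted positional argument surfaces as an unset-variable abort rather than a usage message; an explicit `${N:?audit type required}`-style default next to `FILENAME=${1:-…}` (N being whichever parameter carries the audit type) would give a clearer failure.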
@@ -34,25 +36,28 @@ do
 echo "$LINE" >> "$TMPFILE"
 case "$LINE" in
 *$APISERVER_LINE*)
- if [ $AUDIT_TYPE == "static" ]; then
+ if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
 echo "$APISERVER_PREFIX --audit-log-path=/var/lib/k8s_audit/audit.log" >> "$TMPFILE"
 echo "$APISERVER_PREFIX --audit-policy-file=/var/lib/k8s_audit/audit-policy.yaml" >> "$TMPFILE"
- echo "$APISERVER_PREFIX --audit-webhook-config-file=/var/lib/k8s_audit/webhook-config.yaml" >> "$TMPFILE"
- echo "$APISERVER_PREFIX --audit-webhook-batch-max-wait=5s" >> "$TMPFILE"
- else
+ if [[ $AUDIT_TYPE == "static" ]]; then
+ echo "$APISERVER_PREFIX --audit-webhook-config-file=/var/lib/k8s_audit/webhook-config.yaml" >> "$TMPFILE"
+ echo "$APISERVER_PREFIX --audit-webhook-batch-max-wait=5s" >> "$TMPFILE"
+ fi
+ fi
+ if [[ ($AUDIT_TYPE == "dynamic" || $AUDIT_TYPE == "dynamic+log") ]]; then
 echo "$APISERVER_PREFIX --audit-dynamic-configuration" >> "$TMPFILE"
 echo "$APISERVER_PREFIX --feature-gates=DynamicAuditing=true" >> "$TMPFILE"
 echo "$APISERVER_PREFIX --runtime-config=auditregistration.k8s.io/v1alpha1=true" >> "$TMPFILE"
 fi
 ;;
 *"volumeMounts:"*)
- if [ $AUDIT_TYPE == "static" ]; then
+ if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
 echo " - mountPath: /var/lib/k8s_audit/" >> "$TMPFILE"
 echo " name: data" >> "$TMPFILE"
 fi
 ;;
 *"volumes:"*)
- if [ $AUDIT_TYPE == "static" ]; then
+ if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
 echo " - hostPath:" >> "$TMPFILE"
 echo " path: /var/lib/k8s_audit" >> "$TMPFILE"
 echo " name: data" >> "$TMPFILE"
diff --git a/examples/k8s_audit_config/enable-k8s-audit.sh b/examples/k8s_audit_config/enable-k8s-audit.sh
index 73b920c8..8e9f3b85 100644
--- a/examples/k8s_audit_config/enable-k8s-audit.sh
+++ b/examples/k8s_audit_config/enable-k8s-audit.sh
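Review bot: The rewritten conditions only match the exact strings `static`, `dynamic` and `dynamic+log`; the removed `else` arm used to treat every other value as dynamic, so a misspelt argument (the README hunk in this same commit calls it "dynamic-log" in prose) now silently produces a manifest with no audit flags, no mount and no hostPath volume, and the apiserver is restarted with auditing effectively off. Validate `$AUDIT_TYPE` once before the loop, e.g. `case "$AUDIT_TYPE" in static|dynamic|dynamic+log) ;; *) echo "unknown audit type: $AUDIT_TYPE" >&2; exit 1 ;; esac`. As a point of style, the grouping parentheses inside `[[ … ]]` are redundant and quoting `"$AUDIT_TYPE"` would keep ShellCheck quiet. The `while`/`case` construct this hunk patches begins before the hunk and its last arm continues past it.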
@@ -34,6 +34,11 @@ if [ $AUDIT_TYPE == "static" ]; then scp -i $SSH_KEY webhook-config.yaml $SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit fi +if [ $AUDIT_TYPE == "dynamic+log" ]; then + echo "***Copying audit policy file to apiserver..." + scp -i $SSH_KEY audit-policy.yaml $SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit +fi + echo "***Modifying k8s apiserver config (will result in apiserver restarting)..." ssh -i $SSH_KEY $SSH_USER@$APISERVER_HOST "sudo bash /var/lib/k8s_audit/apiserver-config.patch.sh $MANIFEST $VARIANT $AUDIT_TYPE"