github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-10-21 19:44:57 +00:00
Code Issues Projects Releases Wiki Activity
Files
a53e22d2d5d73440e1cd171e152a490e34532423
falco/examples/k8s_audit_config/apiserver-config.patch.sh

73 lines
2.2 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
IFS=''
FILENAME=${1:-/etc/kubernetes/manifests/kube-apiserver.yaml}
VARIANT=${2:-minikube}
AUDIT_TYPE=${3:-static}
if [ "$AUDIT_TYPE" == "static" ]; then
if grep audit-webhook-config-file "$FILENAME" ; then
echo audit-webhook patch already applied
exit 0
fi
else
if grep audit-dynamic-configuration "$FILENAME" ; then
echo audit-dynamic-configuration patch already applied
exit 0
fi
fi
TMPFILE="/tmp/kube-apiserver.yaml.patched"
rm -f "$TMPFILE"
APISERVER_PREFIX=" -"
APISERVER_LINE="- kube-apiserver"
if [ "$VARIANT" == "kops" ]; then
APISERVER_PREFIX=" "
APISERVER_LINE="/usr/local/bin/kube-apiserver"
fi
while read -r LINE
do
echo "$LINE" >> "$TMPFILE"
case "$LINE" in
*$APISERVER_LINE*)
if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
echo "$APISERVER_PREFIX --audit-log-path=/var/lib/k8s_audit/audit.log" >> "$TMPFILE"
echo "$APISERVER_PREFIX --audit-policy-file=/var/lib/k8s_audit/audit-policy.yaml" >> "$TMPFILE"
if [[ $AUDIT_TYPE == "static" ]]; then
echo "$APISERVER_PREFIX --audit-webhook-config-file=/var/lib/k8s_audit/webhook-config.yaml" >> "$TMPFILE"
echo "$APISERVER_PREFIX --audit-webhook-batch-max-wait=5s" >> "$TMPFILE"
fi
fi
if [[ ($AUDIT_TYPE == "dynamic" || $AUDIT_TYPE == "dynamic+log") ]]; then
echo "$APISERVER_PREFIX --audit-dynamic-configuration" >> "$TMPFILE"
echo "$APISERVER_PREFIX --feature-gates=DynamicAuditing=true" >> "$TMPFILE"
echo "$APISERVER_PREFIX --runtime-config=auditregistration.k8s.io/v1alpha1=true" >> "$TMPFILE"
fi
;;
*"volumeMounts:"*)
if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
echo " - mountPath: /var/lib/k8s_audit/" >> "$TMPFILE"
echo " name: data" >> "$TMPFILE"
fi
;;
*"volumes:"*)
if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
echo " - hostPath:" >> "$TMPFILE"
echo " path: /var/lib/k8s_audit" >> "$TMPFILE"
echo " name: data" >> "$TMPFILE"
fi
;;
esac
done < "$FILENAME"
cp "$FILENAME" "/tmp/kube-apiserver.yaml.original"
cp "$TMPFILE" "$FILENAME"
Reference in New Issue View Git Blame Copy Permalink