Merge pull request #60107 from wangzhen127/cos-audit-placeholder

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Update GCP fluentd configmap for COS audit logging on GKE node **What this PR does / why we need it**: This PR adds a placeholder in fluentd configmap for COS audit logging on GKE node. **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes # **Special notes for your reviewer**: NONE **Release note**: ```release-note NONE ```
2025-07-29 22:46:12 +00:00 · 2018-03-25 00:51:52 -07:00 · 2018-03-25 00:51:52 -07:00 · 053a12aee9
commit 053a12aee9
parent eb0a21a7ad d5c2cdcbbb
5 changed files with 36 additions and 0 deletions
--- a/cluster/addons/fluentd-gcp/fluentd-gcp-configmap.yaml
+++ b/cluster/addons/fluentd-gcp/fluentd-gcp-configmap.yaml
@ -282,6 +282,25 @@ data:
      read_from_head true
      tag node-problem-detector
    </source>
+
+    # BEGIN_NODE_JOURNAL
+    # Whether to include node-journal or not is determined when starting the
+    # cluster. It is not changed when the cluster is already running.
+    <source>
+      @type systemd
+      pos_file /var/log/gcp-journald.pos
+      read_from_head true
+      tag node-journal
+    </source>
+
+    <filter node-journal>
+      @type grep
+      <exclude>
+        key _SYSTEMD_UNIT
+        pattern ^(docker|{{ container_runtime }}|kubelet|node-problem-detector)\.service$
+      </exclude>
+    </filter>
+    # END_NODE_JOURNAL
  monitoring.conf: |-
    # This source is used to acquire approximate process start timestamp,
    # which purpose is explained before the corresponding output plugin.
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@ -375,6 +375,9 @@ HEAPSTER_GCP_CPU_PER_NODE="${HEAPSTER_GCP_CPU_PER_NODE:-0.5}"
 # Adding to PROVIDER_VARS, since this is GCP-specific.
 PROVIDER_VARS="${PROVIDER_VARS:-} FLUENTD_GCP_VERSION FLUENTD_GCP_MEMORY_LIMIT FLUENTD_GCP_CPU_REQUEST FLUENTD_GCP_MEMORY_REQUEST HEAPSTER_GCP_BASE_MEMORY HEAPSTER_GCP_MEMORY_PER_NODE HEAPSTER_GCP_BASE_CPU HEAPSTER_GCP_CPU_PER_NODE CUSTOM_KUBE_DASHBOARD_BANNER"

+# Fluentd configuration for node-journal
+ENABLE_NODE_JOURNAL="${ENABLE_NODE_JOURNAL:-false}"
+
 # prometheus-to-sd configuration
 PROMETHEUS_TO_SD_ENDPOINT="${PROMETHEUS_TO_SD_ENDPOINT:-https://monitoring.googleapis.com/}"
 PROMETHEUS_TO_SD_PREFIX="${PROMETHEUS_TO_SD_PREFIX:-custom.googleapis.com}"
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@ -406,6 +406,9 @@ HEAPSTER_GCP_CPU_PER_NODE="${HEAPSTER_GCP_CPU_PER_NODE:-0.5}"
 # Adding to PROVIDER_VARS, since this is GCP-specific.
 PROVIDER_VARS="${PROVIDER_VARS:-} FLUENTD_GCP_VERSION FLUENTD_GCP_MEMORY_LIMIT FLUENTD_GCP_CPU_REQUEST FLUENTD_GCP_MEMORY_REQUEST HEAPSTER_GCP_BASE_MEMORY HEAPSTER_GCP_MEMORY_PER_NODE HEAPSTER_GCP_BASE_CPU HEAPSTER_GCP_CPU_PER_NODE CUSTOM_KUBE_DASHBOARD_BANNER"

+# Fluentd configuration for node-journal
+ENABLE_NODE_JOURNAL="${ENABLE_NODE_JOURNAL:-false}"
+
 # prometheus-to-sd configuration
 PROMETHEUS_TO_SD_ENDPOINT="${PROMETHEUS_TO_SD_ENDPOINT:-https://monitoring.googleapis.com/}"
 PROMETHEUS_TO_SD_PREFIX="${PROMETHEUS_TO_SD_PREFIX:-custom.googleapis.com}"
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@ -2008,6 +2008,15 @@ function update-container-runtime {
  sed -i -e "s@{{ *container_runtime *}}@${CONTAINER_RUNTIME_NAME:-docker}@g" "${configmap_yaml}"
 }

+# Remove configuration in yaml file if node journal is not enabled.
+function update-node-journal {
+  local -r configmap_yaml="$1"
+  if [[ "${ENABLE_NODE_JOURNAL:-}" != "true" ]]; then
+    # Removes all lines between two patterns (throws away node-journal)
+    sed -i -e "/# BEGIN_NODE_JOURNAL/,/# END_NODE_JOURNAL/d" "${configmap_yaml}"
+  fi
+}
+
 # Updates parameters in yaml file for prometheus-to-sd configuration, or
 # removes component if it is disabled.
 function update-prometheus-to-sd-parameters {
@ -2187,6 +2196,7 @@ EOF
    update-prometheus-to-sd-parameters ${fluentd_gcp_yaml}
    start-fluentd-resource-update ${fluentd_gcp_yaml}
    update-container-runtime ${fluentd_gcp_configmap_yaml}
+    update-node-journal ${fluentd_gcp_configmap_yaml}
  fi
  if [[ "${ENABLE_CLUSTER_UI:-}" == "true" ]]; then
    setup-addon-manifests "addons" "dashboard"
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@ -738,6 +738,7 @@ ADVANCED_AUDIT_WEBHOOK_THROTTLE_BURST: $(yaml-quote ${ADVANCED_AUDIT_WEBHOOK_THR
 ADVANCED_AUDIT_WEBHOOK_INITIAL_BACKOFF: $(yaml-quote ${ADVANCED_AUDIT_WEBHOOK_INITIAL_BACKOFF:-})
 GCE_API_ENDPOINT: $(yaml-quote ${GCE_API_ENDPOINT:-})
 GCE_GLBC_IMAGE: $(yaml-quote ${GCE_GLBC_IMAGE:-})
+ENABLE_NODE_JOURNAL: $(yaml-quote ${ENABLE_NODE_JOURNAL:-false})
 PROMETHEUS_TO_SD_ENDPOINT: $(yaml-quote ${PROMETHEUS_TO_SD_ENDPOINT:-})
 PROMETHEUS_TO_SD_PREFIX: $(yaml-quote ${PROMETHEUS_TO_SD_PREFIX:-})
 ENABLE_PROMETHEUS_TO_SD: $(yaml-quote ${ENABLE_PROMETHEUS_TO_SD:-false})