Enable audit log in local cluster

xilabao 2017-03-02 09:18:37 +08:00
parent 83846e3a6a
commit 183fd62a52


@ -66,6 +66,9 @@ FEATURE_GATES=${FEATURE_GATES:-"AllAlpha=true"}
# enable swagger ui # enable swagger ui
ENABLE_SWAGGER_UI=${ENABLE_SWAGGER_UI:-false} ENABLE_SWAGGER_UI=${ENABLE_SWAGGER_UI:-false}
# enable audit log
ENABLE_APISERVER_BASIC_AUDIT=${ENABLE_APISERVER_BASIC_AUDIT:-false}
# RBAC Mode options # RBAC Mode options
ALLOW_ANY_TOKEN=${ALLOW_ANY_TOKEN:-false} ALLOW_ANY_TOKEN=${ALLOW_ANY_TOKEN:-false}
ENABLE_RBAC=${ENABLE_RBAC:-false} ENABLE_RBAC=${ENABLE_RBAC:-false}
@ -377,6 +380,24 @@ function start_apiserver {
# This is the default dir and filename where the apiserver will generate a self-signed cert # This is the default dir and filename where the apiserver will generate a self-signed cert
# which should be able to be used as the CA to verify itself # which should be able to be used as the CA to verify itself
audit_arg=""
APISERVER_BASIC_AUDIT_LOG=""
if [[ "${ENABLE_APISERVER_BASIC_AUDIT:-}" = true ]]; then
# We currently only support enabling with a fixed path and with built-in log
# rotation "disabled" (large value) so it behaves like kube-apiserver.log.
# External log rotation should be set up the same as for kube-apiserver.log.
APISERVER_BASIC_AUDIT_LOG=/tmp/kube-apiserver-audit.log
audit_arg=" --audit-log-path=${APISERVER_BASIC_AUDIT_LOG}"
audit_arg+=" --audit-log-maxage=0"
audit_arg+=" --audit-log-maxbackup=0"
# Lumberjack doesn't offer any way to disable size-based rotation. It also
# has an in-memory counter that doesn't notice if you truncate the file.
# 2000000000 (in MiB) is a large number that fits in 31 bits. If the log
# grows at 10MiB/s (~30K QPS), it will rotate after ~6 years if apiserver
# never restarts. Please manually restart apiserver before this time.
audit_arg+=" --audit-log-maxsize=2000000000"
fi
swagger_arg="" swagger_arg=""
if [[ "${ENABLE_SWAGGER_UI}" = true ]]; then if [[ "${ENABLE_SWAGGER_UI}" = true ]]; then
swagger_arg="--enable-swagger-ui=true " swagger_arg="--enable-swagger-ui=true "
@ -432,7 +453,7 @@ function start_apiserver {
APISERVER_LOG=/tmp/kube-apiserver.log APISERVER_LOG=/tmp/kube-apiserver.log
${CONTROLPLANE_SUDO} "${GO_OUT}/hyperkube" apiserver ${swagger_arg} ${anytoken_arg} ${authorizer_arg} ${priv_arg} ${runtime_config}\ ${CONTROLPLANE_SUDO} "${GO_OUT}/hyperkube" apiserver ${swagger_arg} ${audit_arg} ${anytoken_arg} ${authorizer_arg} ${priv_arg} ${runtime_config}\
${advertise_address} \ ${advertise_address} \
--v=${LOG_LEVEL} \ --v=${LOG_LEVEL} \
--cert-dir="${CERT_DIR}" \ --cert-dir="${CERT_DIR}" \
@ -719,6 +740,10 @@ Logs:
EOF EOF
fi fi
if [[ "${ENABLE_APISERVER_BASIC_AUDIT:-}" = true ]]; then
echo " ${APISERVER_BASIC_AUDIT_LOG}"
fi
if [[ "${START_MODE}" == "all" ]]; then if [[ "${START_MODE}" == "all" ]]; then
echo " ${KUBELET_LOG}" echo " ${KUBELET_LOG}"
elif [[ "${START_MODE}" == "nokubelet" ]]; then elif [[ "${START_MODE}" == "nokubelet" ]]; then
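Review bot: In the start_apiserver hunk the audit log path is fixed at `/tmp/kube-apiserver-audit.log`, a predictable name in a world-writable directory, and the file is opened by an apiserver launched through `${CONTROLPLANE_SUDO}`, which presumably may run it with elevated privileges. On a shared machine another local user could create that name first, and the audit records would sit in a directory every local account can list. Letting the caller choose the location would avoid this, e.g. `APISERVER_BASIC_AUDIT_LOG=${APISERVER_BASIC_AUDIT_LOG:-/tmp/kube-apiserver-audit.log}` in place of the fixed assignment, with the unconditional `APISERVER_BASIC_AUDIT_LOG=""` reset above it dropped so that an override survives. The existing `APISERVER_LOG=/tmp/kube-apiserver.log` has the same shape, so the new code follows the script's convention rather than introducing a new pattern. start_apiserver begins and ends outside the hunks shown.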