github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 14:07:14 +00:00
Code Issues Projects Releases Wiki Activity

[fluentd-gcp addon] By default ingest audit logs in JSON format

Browse Source
This commit is contained in:
Mik Vyatskov 2017-09-15 15:33:54 +02:00
parent 87a1b5f6d7
commit 42be772234
2 changed files with 4 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
cluster/addons/fluentd-gcp/fluentd-gcp-configmap.yaml
View File

@ -170,23 +170,10 @@ data:
tag kube-apiserver tag kube-apiserver
</source> </source>
# Example: # Audit logs in JSON format.
# 2017-02-09T00:15:57.992775796Z AUDIT: id="90c73c7c-97d6-4b65-9461-f94606ff825f" ip="104.132.1.72" method="GET" user="kubecfg" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/pods"
# 2017-02-09T00:15:57.993528822Z AUDIT: id="90c73c7c-97d6-4b65-9461-f94606ff825f" response="200"
<source> <source>
type tail type tail
format multiline format json
multiline_flush_interval 5s
format_firstline /^\S+\s+AUDIT:/
# Fields must be explicitly captured by name to be parsed into the record.
# Fields may not always be present, and order may change, so this just looks
# for a list of key="\"quoted\" value" pairs separated by spaces.
# Unknown fields are ignored.
# Note: We can't separate query/response lines as format1/format2 because
# they don't always come one after the other for a given query.
# TODO: Maybe add a JSON output mode to audit log so we can get rid of this?
format1 /^(?<time>\S+) AUDIT:(?: (?:id="(?<id>(?:[^"\\]|\\.)*)"|ip="(?<ip>(?:[^"\\]|\\.)*)"|method="(?<method>(?:[^"\\]|\\.)*)"|user="(?<user>(?:[^"\\]|\\.)*)"|groups="(?<groups>(?:[^"\\]|\\.)*)"|as="(?<as>(?:[^"\\]|\\.)*)"|asgroups="(?<asgroups>(?:[^"\\]|\\.)*)"|namespace="(?<namespace>(?:[^"\\]|\\.)*)"|uri="(?<uri>(?:[^"\\]|\\.)*)"|response="(?<response>(?:[^"\\]|\\.)*)"|\w+="(?:[^"\\]|\\.)*"))*/
time_format %FT%T.%L%Z
path /var/log/kube-apiserver-audit.log path /var/log/kube-apiserver-audit.log
pos_file /var/log/gcp-kube-apiserver-audit.log.pos pos_file /var/log/gcp-kube-apiserver-audit.log.pos
tag kube-apiserver-audit tag kube-apiserver-audit
@ -408,7 +395,7 @@ data:
num_threads 2 num_threads 2
</match> </match>
metadata: metadata:
name: fluentd-gcp-config-v1.2.0 name: fluentd-gcp-config-v1.2.1
namespace: kube-system namespace: kube-system
labels: labels:
addonmanager.kubernetes.io/mode: Reconcile addonmanager.kubernetes.io/mode: Reconcile

2
cluster/addons/fluentd-gcp/fluentd-gcp-ds.yaml
View File

@ -117,7 +117,7 @@ spec:
path: /usr/lib64 path: /usr/lib64
- name: config-volume - name: config-volume
configMap: configMap:
name: fluentd-gcp-config-v1.2.0 name: fluentd-gcp-config-v1.2.1
- name: ssl-certs - name: ssl-certs
hostPath: hostPath:
path: /etc/ssl/certs path: /etc/ssl/certs