diff --git a/cmd/kube-apiserver/app/options/options.go b/cmd/kube-apiserver/app/options/options.go index 66072c25fe5..03c09a663e2 100644 --- a/cmd/kube-apiserver/app/options/options.go +++ b/cmd/kube-apiserver/app/options/options.go @@ -44,6 +44,7 @@ type ServerRunOptions struct { Etcd *genericoptions.EtcdOptions SecureServing *genericoptions.SecureServingOptions InsecureServing *genericoptions.ServingOptions + Audit *genericoptions.AuditLogOptions Authentication *kubeoptions.BuiltInAuthenticationOptions Authorization *kubeoptions.BuiltInAuthorizationOptions CloudProvider *kubeoptions.CloudProviderOptions @@ -68,6 +69,7 @@ func NewServerRunOptions() *ServerRunOptions { Etcd: genericoptions.NewEtcdOptions(api.Scheme), SecureServing: genericoptions.NewSecureServingOptions(), InsecureServing: genericoptions.NewInsecureServingOptions(), + Audit: genericoptions.NewAuditLogOptions(), Authentication: kubeoptions.NewBuiltInAuthenticationOptions().WithAll(), Authorization: kubeoptions.NewBuiltInAuthorizationOptions(), CloudProvider: kubeoptions.NewCloudProviderOptions(), @@ -103,6 +105,7 @@ func (s *ServerRunOptions) AddFlags(fs *pflag.FlagSet) { s.SecureServing.AddDeprecatedFlags(fs) s.InsecureServing.AddFlags(fs) s.InsecureServing.AddDeprecatedFlags(fs) + s.Audit.AddFlags(fs) s.Authentication.AddFlags(fs) s.Authorization.AddFlags(fs) s.CloudProvider.AddFlags(fs) diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go index d58ab2ef7bb..4e84717d726 100644 --- a/cmd/kube-apiserver/app/server.go +++ b/cmd/kube-apiserver/app/server.go @@ -120,6 +120,9 @@ func Run(s *options.ServerRunOptions) error { if err := s.Authentication.ApplyTo(genericConfig); err != nil { return err } + if err := s.Audit.ApplyTo(genericConfig); err != nil { + return err + } capabilities.Initialize(capabilities.Capabilities{ AllowPrivileged: s.AllowPrivileged, 
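Review bot: The error branch added around `s.Audit.ApplyTo(genericConfig)` in Run cannot fire, because the ApplyTo introduced in audit.go by this same commit only builds a `lumberjack.Logger` and always returns nil. As far as I can tell lumberjack opens the file lazily on first write, so an unwritable `audit-log-path` would go unnoticed at startup and the API server could keep serving requests without an audit trail. Consider having ApplyTo (or a separate validation step) confirm that the path can be opened for append, and return an error so that startup fails closed. The same applies to the identical hunk in federation/cmd/federation-apiserver/app/server.go. Run's body starts and ends outside this hunk.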
diff --git a/federation/cmd/federation-apiserver/app/options/options.go b/federation/cmd/federation-apiserver/app/options/options.go index bb6139cf7d9..1b172d53886 100644 --- a/federation/cmd/federation-apiserver/app/options/options.go +++ b/federation/cmd/federation-apiserver/app/options/options.go @@ -36,6 +36,7 @@ type ServerRunOptions struct { Etcd *genericoptions.EtcdOptions SecureServing *genericoptions.SecureServingOptions InsecureServing *genericoptions.ServingOptions + Audit *genericoptions.AuditLogOptions Authentication *kubeoptions.BuiltInAuthenticationOptions Authorization *kubeoptions.BuiltInAuthorizationOptions CloudProvider *kubeoptions.CloudProviderOptions @@ -51,6 +52,7 @@ func NewServerRunOptions() *ServerRunOptions { Etcd: genericoptions.NewEtcdOptions(api.Scheme), SecureServing: genericoptions.NewSecureServingOptions(), InsecureServing: genericoptions.NewInsecureServingOptions(), + Audit: genericoptions.NewAuditLogOptions(), Authentication: kubeoptions.NewBuiltInAuthenticationOptions().WithAll(), Authorization: kubeoptions.NewBuiltInAuthorizationOptions(), CloudProvider: kubeoptions.NewCloudProviderOptions(), @@ -70,6 +72,7 @@ func (s *ServerRunOptions) AddFlags(fs *pflag.FlagSet) { s.Etcd.AddFlags(fs) s.SecureServing.AddFlags(fs) s.InsecureServing.AddFlags(fs) + s.Audit.AddFlags(fs) s.Authentication.AddFlags(fs) s.Authorization.AddFlags(fs) s.CloudProvider.AddFlags(fs) diff --git a/federation/cmd/federation-apiserver/app/server.go b/federation/cmd/federation-apiserver/app/server.go index f55b4485c79..78d41c6ef97 100644 --- a/federation/cmd/federation-apiserver/app/server.go +++ b/federation/cmd/federation-apiserver/app/server.go 
@@ -103,6 +103,9 @@ func Run(s *options.ServerRunOptions) error { if err := s.Authentication.ApplyTo(genericConfig); err != nil { return err } + if err := s.Audit.ApplyTo(genericConfig); err != nil { + return err + } // TODO: register cluster federation resources here. resourceConfig := genericapiserver.NewResourceConfig() diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/audit.go b/staging/src/k8s.io/apiserver/pkg/server/options/audit.go new file mode 100644 index 00000000000..2bb7f2cf769 --- /dev/null +++ b/staging/src/k8s.io/apiserver/pkg/server/options/audit.go 
@@ -0,0 +1,60 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+ "github.com/spf13/pflag"
+ "gopkg.in/natefinch/lumberjack.v2"
+
+ "k8s.io/apiserver/pkg/server"
+)
+
+type AuditLogOptions struct {
+ Path string
+ MaxAge int
+ MaxBackups int
+ MaxSize int
+}
+
+func NewAuditLogOptions() *AuditLogOptions {
+ return &AuditLogOptions{}
+}
+
+func (o *AuditLogOptions) AddFlags(fs *pflag.FlagSet) {
+ fs.StringVar(&o.Path, "audit-log-path", o.Path,
+ "If set, all requests coming to the apiserver will be logged to this file.")
+ fs.IntVar(&o.MaxAge, "audit-log-maxage", o.MaxBackups,
+ "The maximum number of days to retain old audit log files based on the timestamp encoded in their filename.")
+ fs.IntVar(&o.MaxBackups, "audit-log-maxbackup", o.MaxBackups,
+ "The maximum number of old audit log files to retain.")
+ fs.IntVar(&o.MaxSize, "audit-log-maxsize", o.MaxSize,
+ "The maximum size in megabytes of the audit log file before it gets rotated. Defaults to 100MB.")
+}
+
+func (o *AuditLogOptions) ApplyTo(c *server.Config) error {
+ if len(o.Path) == 0 {
+ return nil
+ }
+
+ c.AuditWriter = &lumberjack.Logger{
+ Filename: o.Path,
+ MaxAge: o.MaxAge,
+ MaxBackups: o.MaxBackups,
+ MaxSize: o.MaxSize,
+ }
+ return nil
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go b/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go
index d713450182b..1a9c8d9adc1 100644
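Review bot: The `audit-log-maxage` flag in AddFlags takes its default from `o.MaxBackups` rather than `o.MaxAge`, a copy-paste slip carried over unchanged from the code this commit removes in server_run_options.go; the line should read `fs.IntVar(&o.MaxAge, "audit-log-maxage", o.MaxAge,`. It is harmless only while NewAuditLogOptions returns a zero-valued struct, and would silently register the wrong retention age as soon as a non-zero MaxBackups default is introduced. The help text for `audit-log-maxsize` promises a 100MB default while the registered default is 0, so that value is presumably supplied by lumberjack and the text could say so. It would also help operators if the maxage and maxbackup help stated what 0 means for retention of old audit files (I believe lumberjack then never prunes them, but confirm). The exported AuditLogOptions, NewAuditLogOptions, AddFlags and ApplyTo have no doc comments.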
--- a/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go @@ -30,6 +30,7 @@ type RecommendedOptions struct { SecureServing *SecureServingOptions Authentication *DelegatingAuthenticationOptions Authorization *DelegatingAuthorizationOptions + Audit *AuditLogOptions } func NewRecommendedOptions(scheme *runtime.Scheme) *RecommendedOptions { @@ -38,6 +39,7 @@ func NewRecommendedOptions(scheme *runtime.Scheme) *RecommendedOptions { SecureServing: NewSecureServingOptions(), Authentication: NewDelegatingAuthenticationOptions(), Authorization: NewDelegatingAuthorizationOptions(), + Audit: NewAuditLogOptions(), } } @@ -46,6 +48,7 @@ func (o *RecommendedOptions) AddFlags(fs *pflag.FlagSet) { o.SecureServing.AddFlags(fs) o.Authentication.AddFlags(fs) o.Authorization.AddFlags(fs) + o.Audit.AddFlags(fs) } func (o *RecommendedOptions) ApplyTo(config *server.Config) error { @@ -58,6 +61,9 @@ func (o *RecommendedOptions) ApplyTo(config *server.Config) error { if err := o.Authorization.ApplyTo(config); err != nil { return err } + if err := o.Audit.ApplyTo(config); err != nil { + return err + } return nil } diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/server_run_options.go b/staging/src/k8s.io/apiserver/pkg/server/options/server_run_options.go index 3e39d649382..ef2a0db434c 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/server_run_options.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/server_run_options.go @@ -31,7 +31,6 @@ import ( _ "k8s.io/apiserver/pkg/features" "github.com/spf13/pflag" - "gopkg.in/natefinch/lumberjack.v2" ) // ServerRunOptions contains the options while running a generic api server. 
@@ -45,10 +44,6 @@ type ServerRunOptions struct { // to set it to "application/vnd.kubernetes.protobuf". DefaultStorageMediaType string DeleteCollectionWorkers int - AuditLogPath string - AuditLogMaxAge int - AuditLogMaxBackups int - AuditLogMaxSize int EnableGarbageCollection bool EnableProfiling bool EnableContentionProfiling bool @@ -83,15 +78,6 @@ func NewServerRunOptions() *ServerRunOptions { // ApplyOptions applies the run options to the method receiver and returns self func (s *ServerRunOptions) ApplyTo(c *server.Config) error { - if len(s.AuditLogPath) != 0 { - c.AuditWriter = &lumberjack.Logger{ - Filename: s.AuditLogPath, - MaxAge: s.AuditLogMaxAge, - MaxBackups: s.AuditLogMaxBackups, - MaxSize: s.AuditLogMaxSize, - } - } - c.CorsAllowedOriginList = s.CorsAllowedOriginList c.EnableGarbageCollection = s.EnableGarbageCollection c.EnableProfiling = s.EnableProfiling 
@@ -163,15 +149,6 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) { fs.IntVar(&s.DeleteCollectionWorkers, "delete-collection-workers", s.DeleteCollectionWorkers, "Number of workers spawned for DeleteCollection call. These are used to speed up namespace cleanup.") - fs.StringVar(&s.AuditLogPath, "audit-log-path", s.AuditLogPath, - "If set, all requests coming to the apiserver will be logged to this file.") - fs.IntVar(&s.AuditLogMaxAge, "audit-log-maxage", s.AuditLogMaxBackups, - "The maximum number of days to retain old audit log files based on the timestamp encoded in their filename.") - fs.IntVar(&s.AuditLogMaxBackups, "audit-log-maxbackup", s.AuditLogMaxBackups, - "The maximum number of old audit log files to retain.") - fs.IntVar(&s.AuditLogMaxSize, "audit-log-maxsize", s.AuditLogMaxSize, - "The maximum size in megabytes of the audit log file before it gets rotated. Defaults to 100MB.") - fs.BoolVar(&s.EnableGarbageCollection, "enable-garbage-collector", s.EnableGarbageCollection, ""+ "Enables the generic garbage collector. MUST be synced with the corresponding flag "+ "of the kube-controller-manager.") diff --git a/vendor/BUILD b/vendor/BUILD index 423594fc350..83559d317c3 100644 --- a/vendor/BUILD +++ b/vendor/BUILD @@ -14089,6 +14089,7 @@ go_library( go_library( name = "k8s.io/apiserver/pkg/server/options", srcs = [ + "k8s.io/apiserver/pkg/server/options/audit.go", "k8s.io/apiserver/pkg/server/options/authentication.go", "k8s.io/apiserver/pkg/server/options/authorization.go", "k8s.io/apiserver/pkg/server/options/doc.go",