From 259260566f295cd500a595cc706ad5a2d1b6442f Mon Sep 17 00:00:00 2001
From: Mik Vyatskov
Date: Thu, 28 Sep 2017 21:55:32 +0200
Subject: [PATCH] Fix basic audit in GCE deploy scripts
Signed-off-by: Mik Vyatskov
---
 cluster/gce/config-default.sh | 4 ++++
 cluster/gce/config-test.sh | 4 ++++
 cluster/gce/gci/configure-helper.sh | 6 ++++++
 3 files changed, 14 insertions(+)
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 39973f1d11d..07d6c0ed2b2 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -293,6 +293,10 @@ METADATA_CLOBBERS_CONFIG="${METADATA_CLOBBERS_CONFIG:-false}"
 ENABLE_BIG_CLUSTER_SUBNETS="${ENABLE_BIG_CLUSTER_SUBNETS:-false}"
+if [[ "${ENABLE_APISERVER_BASIC_AUDIT:-}" == "true" ]]; then
+ echo "Warning: Basic audit logging is deprecated and will be removed. Please use advanced auditing instead."
+fi
+
 if [[ -n "${LOGROTATE_FILES_MAX_COUNT:-}" ]]; then
 PROVIDER_VARS="${PROVIDER_VARS:-} LOGROTATE_FILES_MAX_COUNT"
 fi
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index f9caefec296..ba27d84e38a 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -345,6 +345,10 @@ if [[ "${ENABLE_APISERVER_ADVANCED_AUDIT}" == "true" ]]; then
 FEATURE_GATES="${FEATURE_GATES},AdvancedAuditing=true"
 fi
+if [[ "${ENABLE_APISERVER_BASIC_AUDIT:-}" == "true" ]]; then
+ echo "Warning: Basic audit logging is deprecated and will be removed. Please use advanced auditing instead."
+fi
+
 ENABLE_BIG_CLUSTER_SUBNETS="${ENABLE_BIG_CLUSTER_SUBNETS:-false}"
 if [[ -n "${LOGROTATE_FILES_MAX_COUNT:-}" ]]; then
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 1b89c46e570..29fd8c62215 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
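Review bot: The deprecation warning added to config-default.sh is written to stdout, where it can be lost or mixed into the output of whatever script loads this config (presumably it is sourced); an operator who still depends on basic audit logging should get it on stderr: `echo "Warning: Basic audit logging is deprecated and will be removed. Please use advanced auditing instead." >&2`. The identical block added to cluster/gce/config-test.sh wants the same change. The message would also be easier to act on if it named the setting to switch to, `ENABLE_APISERVER_ADVANCED_AUDIT`, which the config-test.sh context shows.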
@@ -1365,6 +1365,12 @@ function start-kube-apiserver {
 # grows at 10MiB/s (~30K QPS), it will rotate after ~6 years if apiserver
 # never restarts. Please manually restart apiserver before this time.
 params+=" --audit-log-maxsize=2000000000"
+ # Disable AdvancedAuditing enabled by default
+ if [[ -z "${FEATURE_GATES:-}" ]]; then
+ FEATURE_GATES="AdvancedAuditing=false"
+ else
+ FEATURE_GATES="${FEATURE_GATES},AdvancedAuditing=false"
+ fi
 elif [[ "${ENABLE_APISERVER_ADVANCED_AUDIT:-}" == "true" ]]; then
 local -r audit_policy_file="/etc/audit_policy.config"
 params+=" --audit-policy-file=${audit_policy_file}"
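Review bot: The `else` branch appends `AdvancedAuditing=false` without looking at what FEATURE_GATES already holds, so a value that already contains `AdvancedAuditing=true` (config-test.sh appends it when ENABLE_APISERVER_ADVANCED_AUDIT is "true") ends up carrying both settings, and the effective audit mode is left to the apiserver's flag parsing. Because this decides which audit trail the cluster produces, the conflict should be made visible before the assignment, for example `[[ ",${FEATURE_GATES:-}," != *",AdvancedAuditing=true,"* ]] || echo "Warning: basic audit overrides AdvancedAuditing=true from FEATURE_GATES" >&2`. Unless FEATURE_GATES is declared local outside the hunk, the assignment also changes it for everything that reads it afterwards, not only the apiserver. The hunk does not show where `--feature-gates` is added to params; if that happens above this line the override never reaches the apiserver, so the order needs confirming. start-kube-apiserver begins and ends outside the hunk.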