K8s 开启审计日志
一、背景
- 按照安全规范，需要对 apiserver 这一核心组件记录审计日志，即能够回答“谁在什么时候对什么资源做了什么操作”
- 方便故障排查
二、操作步骤
apiserver 开启审计日志
在所有 master 节点上逐一执行（每个 apiserver 实例只记录自己处理的请求，因此各节点的审计策略必须保持一致）
- 备份配置文件
mkdir -p /home/clay/bak$(date +%F) cp /etc/kubernetes/manifests/kube-apiserver.yaml /home/clay/bak$(date +%F)
- 创建审计策略文件
mkdir /etc/kubernetes/audit/
vim /etc/kubernetes/audit/audit-policy.yaml
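# Kubernetes API-server audit policy.
#
# Rules are evaluated top to bottom and the FIRST matching rule decides the
# audit level of a request, so the `level: None` exclusions for chatty
# control-plane traffic must stay above the broader rules that follow them.
#
# Audit levels: None (drop), Metadata (user/verb/resource/time, no body),
# Request (adds the request body), RequestResponse (adds the response body).
apiVersion: audit.k8s.io/v1  # required; v1beta1 was removed in Kubernetes 1.24, v1 exists since 1.12
kind: Policy
# Skip the event emitted when a request is first received; the
# ResponseComplete (or Panic) event for the same request is still written,
# so this only removes a duplicate entry per request.
omitStages:
  - "RequestReceived"
rules:
  # kube-proxy watching endpoints/services is constant background noise.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""  # core
        resources: ["endpoints", "services"]
  # `system:unsecured` is the identity of requests that arrived over the
  # legacy insecure port; reads of kube-system configmaps by it are dropped.
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: ""  # core
        resources: ["configmaps"]
  # NOTE(review): this rule has no `resources:` filter, so EVERY get/list by
  # calico-node is dropped -- including reads of secrets. Narrow it to the
  # resources calico-node actually needs if that matters for your audit goals.
  - level: None
    users: ["system:serviceaccount:kube-system:calico-node"]
    verbs: ["get", "list"]
  - level: None
    users: ["kubelet"]  # legacy kubelet identity
    verbs: ["get"]
    resources:
      - group: ""  # core
        resources: ["nodes"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: ""  # core
        resources: ["nodes"]
  # Leader-election heartbeats on kube-system endpoints.
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: ""  # core
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: ""  # core
        resources: ["namespaces"]
  # Health, version and swagger probes carry no useful audit information.
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  # Events are high-volume and are already persisted as API objects.
  - level: None
    resources:
      - group: ""  # core
        resources: ["events"]
  # Secrets and ConfigMaps: record WHO touched them but never the body --
  # a Request/RequestResponse level here would copy secret values into the
  # audit log.
  - level: Metadata
    resources:
      - group: ""  # core
        resources: ["secrets", "configmaps"]
  # NOTE(review): a request that matches none of the rules is NOT logged at
  # all. If the policy ends here, only secrets/configmaps are audited and the
  # stated goal ("who did what, when") is not met -- make sure the rule list
  # continues with, and ends in, a catch-all such as `- level: Metadata` as
  # the LAST rule.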