[vcluster]: Add audit feature to apiserver
Signed-off-by: Adrian Berger <[email protected]>
adberger committed Oct 7, 2024
1 parent 8342aa7 commit e43a02c
Showing 6 changed files with 87 additions and 6 deletions.
4 changes: 2 additions & 2 deletions charts/vcluster/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: vcluster
description: Virtual Kubernetes Cluster
type: application
version: 0.5.7
version: 0.6.0
appVersion: 0.1.0
keywords:
- vcluster
Expand All @@ -16,4 +16,4 @@ maintainers:
dependencies:
- name: common
version: 2.14.1
repository: https://charts.bitnami.com/bitnami
repository: http://charts.bitnami.com/bitnami
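Review bot: this hunk downgrades the dependency repository from `https://charts.bitnami.com/bitnami` to `http://charts.bitnami.com/bitnami`, which is unrelated to the audit feature and lets the `common` chart be fetched over a transport that can be tampered with on the wire. Keep `repository: https://charts.bitnami.com/bitnami`; if the https endpoint was failing in CI, that deserves its own commit rather than a transport downgrade buried in a feature change.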
12 changes: 10 additions & 2 deletions charts/vcluster/README.md
Expand Up @@ -2,7 +2,7 @@

__This Chart is under active development! We try to improve documentation and values consistency over time__

![Version: 0.5.7](https://img.shields.io/badge/Version-0.5.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

Virtual Kubernetes Cluster

Expand All @@ -18,7 +18,7 @@ Virtual Kubernetes Cluster

| Repository | Name | Version |
|------------|------|---------|
| https://charts.bitnami.com/bitnami | common | 2.14.1 |
| http://charts.bitnami.com/bitnami | common | 2.14.1 |

# Major Changes

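Review bot: the dependencies table now advertises `http://charts.bitnami.com/bitnami`. If this README is generated from Chart.yaml, restore `https://` there and regenerate instead of shipping documentation that points users at a plaintext chart repository.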
Expand Down Expand Up @@ -410,6 +410,14 @@ Deploys [Kubernetes API Server](https://kubernetes.io/docs/reference/command-lin
| kubernetes.apiServer.affinity | object | `{}` | Affinity |
| kubernetes.apiServer.annotations | object | `{}` | Annotations for Workload |
| kubernetes.apiServer.args | object | `{}` | Extra arguments for the kube-apiserver |
| kubernetes.apiServer.audit.enabled | bool | `false` | Enable Audit Log |
| kubernetes.apiServer.audit.maxAge | int | `7` | Defines the maximum number of days to retain old audit log files |
| kubernetes.apiServer.audit.maxBackup | int | `2` | Defines the maximum number of audit log files to retain |
| kubernetes.apiServer.audit.maxSize | int | `100` | Defines the maximum size in megabytes of the audit log file before it gets rotated |
| kubernetes.apiServer.audit.policy | string | `"# Log all requests at the Metadata level.\napiVersion: audit.k8s.io/v1\nkind: Policy\nrules:\n - level: Metadata\n"` | Audit Policy |
| kubernetes.apiServer.audit.truncateEnabled | bool | `false` | Whether event and batch truncating is enabled |
| kubernetes.apiServer.audit.truncateMaxBatchSize | int | `10485760` | Maximum size in bytes of the batch sent to the underlying backend |
| kubernetes.apiServer.audit.truncateMaxEventSize | int | `102400` | Maximum size in bytes of the audit event sent to the underlying backend |
| kubernetes.apiServer.autoscaling.enabled | bool | `false` | Enable Horizontal Pod Autoscaler |
| kubernetes.apiServer.autoscaling.maxReplicas | int | `5` | Maximum available Replicas |
| kubernetes.apiServer.autoscaling.minReplicas | int | `1` | Minimum available Replicas |
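Review bot: the three `truncate*` rows do not say that `truncateMaxBatchSize` and `truncateMaxEventSize` only take effect when `truncateEnabled` is `true`, and the `audit.enabled` row does not say where the log ends up (a `hostPath` at `/var/log/kubernetes/audit/audit.log` on the node, per the deployment template in this commit). Both belong in the `# --` comments in values.yaml so the generated descriptions carry them.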
Expand Up @@ -111,6 +111,18 @@ spec:
- --advertise-address={{ . }}
{{- end }}
{{- end }}
{{- if $kubernetes.apiServer.audit.enabled }}
- --audit-policy-file=/etc/kubernetes/audit-policy.yaml
- --audit-log-path=/var/log/kubernetes/audit/audit.log
- --audit-log-maxage={{ $kubernetes.apiServer.audit.maxAge }}
- --audit-log-maxbackup={{ $kubernetes.apiServer.audit.maxBackup }}
- --audit-log-maxsize={{ $kubernetes.apiServer.audit.maxSize }}
{{- if $kubernetes.apiServer.audit.truncateEnabled }}
- --audit-log-truncate-enabled={{ $kubernetes.apiServer.audit.truncateEnabled }}
- --audit-log-truncate-max-batch-size={{ $kubernetes.apiServer.audit.truncateMaxBatchSize }}
- --audit-log-truncate-max-event-size={{ $kubernetes.apiServer.audit.truncateMaxEventSize }}
{{- end }}
{{- end }}
{{- with $kubernetes.apiServer.args }}
{{- include "pkg.utils.args" (dict "args" . "ctx" $) | nindent 8 }}
{{- end }}
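Review bot: inside `{{- if $kubernetes.apiServer.audit.truncateEnabled }}` the line `- --audit-log-truncate-enabled={{ $kubernetes.apiServer.audit.truncateEnabled }}` can only ever render `true`, so the interpolation is redundant. Either drop the inner conditional and always pass the three truncate flags (kube-apiserver ignores the size limits while truncation is disabled), or hardcode `--audit-log-truncate-enabled=true`. As written, a user who sets the batch or event size without also flipping `truncateEnabled` gets none of the flags and no hint why.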
Expand Down Expand Up @@ -171,6 +183,15 @@ spec:
name: konnectivity-uds
{{- end }}
{{- end }}
{{- if $kubernetes.apiServer.audit.enabled }}
- mountPath: /etc/kubernetes/audit-policy.yaml
name: audit
readOnly: true
subPath: audit-policy.yaml
- mountPath: /var/log/kubernetes/audit/
name: audit-log
readOnly: false
{{- end }}
{{- with $kubernetes.apiServer.volumeMounts }}
{{- toYaml . | nindent 8 }}
{{- end }}
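Review bot: kube-apiserver reads `--audit-policy-file` once at startup, and a `subPath` mount of a ConfigMap is never refreshed by the kubelet, so edits to `kubernetes.apiServer.audit.policy` never reach a running pod. Add a checksum of the audit-policy ConfigMap to the pod template annotations so a policy change triggers a rollout. `readOnly: false` on the log mount is the default and can be dropped.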
Expand Down Expand Up @@ -207,6 +228,15 @@ spec:
{{- include "kubernetes.konnectivityServer.volumes" $ | nindent 6 }}
{{- end }}
{{- end }}
{{- if $kubernetes.apiServer.audit.enabled }}
- configMap:
name: "{{ $fullName }}-audit-policy"
name: audit
- name: audit-log
hostPath:
path: /var/log/kubernetes/audit/
type: DirectoryOrCreate
{{- end }}
{{- with $kubernetes.apiServer.volumes }}
{{- toYaml . | nindent 6 }}
{{- end }}
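Review bot: the audit log is written to a `hostPath` (`/var/log/kubernetes/audit/`, `DirectoryOrCreate`) with no way to choose a different backing volume. Consequences worth documenting or fixing: every apiserver replica scheduled on the same node (autoscaling allows up to `maxReplicas`) writes to and rotates the same `audit.log`; the log, which at Metadata level records every caller identity and request URI, sits on the node filesystem outside any PVC backup or retention policy; and hostPath volumes are rejected under the `baseline` and `restricted` Pod Security Standards, so enabling audit silently changes what the chart requires of the host cluster. Suggest making the volume configurable (for example a `persistence` block under `audit`, or a sidecar shipper) and keeping hostPath as an explicit opt-in.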
@@ -0,0 +1,18 @@
{{- if (include "kubernetes.enabled" $) -}}
{{- $kubernetes := $.Values.kubernetes -}}
{{- if and $kubernetes.apiServer.enabled $kubernetes.apiServer.audit.enabled -}}
{{- $fullName := include "kubernetes.fullname" . -}}
{{- $component_name := "apiserver" -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $fullName }}-audit-policy
labels: {{- include "kubernetes.labels" $ | nindent 4 }}
{{ include "pkg.common.labels.component" $ }}: {{ $component_name }}
namespace: {{ $.Release.Namespace }}
data:
audit-policy.yaml: |
{{- $kubernetes.apiServer.audit.policy | nindent 4 }}
{{- end -}}
{{- end -}}
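Review bot: `{{- $fullName := include "kubernetes.fullname" . -}}` passes `.` while the rest of this template and the deployment pass `$`; at the top level they refer to the same object, but use `$` here for consistency with `{{- $kubernetes := $.Values.kubernetes -}}` two lines above.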
27 changes: 26 additions & 1 deletion charts/vcluster/values.yaml
Expand Up @@ -998,7 +998,6 @@ osm:
# -- Benchmark Memory Usage
targetMemoryUtilizationPercentage:


# ----------------------------
# Kubernetes Component
# ----------------------------
Expand Down Expand Up @@ -1453,6 +1452,32 @@ kubernetes:
# -- Assign additional Annotations
annotations: {}

# API Server Audit Configuration
audit:
# -- Enable Audit Log
enabled: false

# -- Defines the maximum number of days to retain old audit log files
maxAge: 7
# -- Defines the maximum number of audit log files to retain
maxBackup: 2
# -- Defines the maximum size in megabytes of the audit log file before it gets rotated
maxSize: 100
# -- Whether event and batch truncating is enabled
truncateEnabled: false
# -- Maximum size in bytes of the batch sent to the underlying backend
truncateMaxBatchSize: 10485760
# -- Maximum size in bytes of the audit event sent to the underlying backend
truncateMaxEventSize: 102400

# -- Audit Policy
policy: |
# Log all requests at the Metadata level.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
controllerManager:
# -- Enable Kubernetes Controller-Manager
enabled: true
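Review bot: the default `policy` logs every request at `Metadata` with no `omitStages`, so each request produces a `RequestReceived` event in addition to the completion event, roughly doubling log volume against the `maxSize`/`maxBackup` rotation budget defined just above. Consider adding `omitStages: ["RequestReceived"]` to the default policy, as the upstream example policy does, and documenting in the `# -- Audit Policy` comment that the value is the full contents of the policy file.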
2 changes: 1 addition & 1 deletion ct.yaml
Expand Up @@ -7,7 +7,7 @@ chart-dirs:
chart-repos:
- buttahtoast=https://buttahtoast.github.io/helm-charts/
- bedag=https://bedag.github.io/helm-charts/
- bitnami=https://charts.bitnami.com/bitnami
- bitnami=http://charts.bitnami.com/bitnami
validate-chart-schema: true
validate-maintainers: false
validate-yaml: true
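Review bot: same http downgrade as in Chart.yaml: `- bitnami=http://charts.bitnami.com/bitnami` makes the chart-testing dependency fetch go over plaintext. Restore `https://` so CI pulls dependencies over the same transport the chart itself should use.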