diff --git a/kind/audit/add/splunk.conf b/kind/audit/add/splunk.conf
new file mode 100644
index 0000000..4bd0d79
--- /dev/null
+++ b/kind/audit/add/splunk.conf
@@ -0,0 +1,36 @@
+
+[FILTER]
+ Name rewrite_tag
+ Match audit
+ Rule $kind Event tosplunk true
+
+[FILTER]
+ Name nest
+ Match tosplunk
+ Operation nest
+ Wildcard *
+ Nest_under event
+
+[FILTER]
+ Name record_modifier
+ Match tosplunk
+ Record host cluster-name
+ Record sourcetype kube:apiserver:auditlog
+ Record source apiserver-pod-name
+ Record index REPLACE_WITH_SPLUNK_INDEX
+
+[OUTPUT]
+ Name splunk
+ Match tosplunk
+ Host REPLACE_WITH_SPLUNK_HEC_ENDPOINT
+ Port REPLACE_WITH_PORT
+ Splunk_Token REPLACE_WITH_SPLUNK_HEC_TOKEN
+ TLS On
+ TLS.Verify On
+ Retry_Limit False
+ Splunk_Send_Raw On
+
+[OUTPUT]
+ Name stdout
+ Match tosplunk
+ Format json_lines
diff --git a/kind/kustomize-auditforwarder-splunk/kube-apiserver_patch.yaml b/kind/kustomize-auditforwarder-splunk/kube-apiserver_patch.yaml
new file mode 100644
index 0000000..99fbd8f
--- /dev/null
+++ b/kind/kustomize-auditforwarder-splunk/kube-apiserver_patch.yaml
@@ -0,0 +1,32 @@
+- op: add
+ path: /spec/containers/1
+ value:
+ image: ghcr.io/metal-stack/audit-forwarder:pr-add-splunk
+ imagePullPolicy: Always
+ name: audit-forwarder
+ env:
+ - name: AUDIT_KUBECFG
+ value: "/kube.config"
+ - name: AUDIT_LOG_LEVEL
+ value: "info"
+ volumeMounts:
+ - mountPath: /auditlog
+ name: auditlog
+ - mountPath: /kube.config
+ name: kubeconfig
+ - mountPath: /fluent-bit/etc/add
+ name: add-config
+- op: add
+ path: /spec/volumes/0
+ value:
+ hostPath:
+ path: /etc/kubernetes/audit/kube.config
+ type: File
+ name: kubeconfig
+- op: add
+ path: /spec/volumes/0
+ value:
+ hostPath:
+ path: /etc/kubernetes/audit/add
+ type: Directory
+ name: add-config
\ No newline at end of file
diff --git a/kind/kustomize-auditforwarder-splunk/kustomization.yaml b/kind/kustomize-auditforwarder-splunk/kustomization.yaml
new file mode 100644
index 0000000..29e5372
--- /dev/null
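Review bot: The second [OUTPUT] stanza (`Name stdout` / `Match tosplunk` / `Format json_lines`) writes every audit event that goes to Splunk — including whatever request and response content the audit policy captures — to the forwarder container's stdout as well, so the same records land in the kube-apiserver pod's container logs on the node and are readable by anyone who can read kube-system pod logs. If that stanza exists only to debug the Splunk path, remove it or comment it out so it is not carried into a non-kind deployment. `Splunk_Token REPLACE_WITH_SPLUNK_HEC_TOKEN` leaves the HEC token as a literal in a hostPath-mounted file on the node; fluent-bit's classic config expands `${VAR}` references, so `Splunk_Token ${SPLUNK_HEC_TOKEN}` fed from the sidecar's environment would keep the secret out of the on-disk config. `Record host cluster-name` and `Record source apiserver-pod-name` read like placeholders too but lack the REPLACE_WITH_ marker the other values carry, so a copy-paste deployment would report those literal strings to Splunk.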
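Review bot: The sidecar mounts a volume named `auditlog` (`- mountPath: /auditlog` / `name: auditlog`) that this patch never adds — only `kubeconfig` and `add-config` are inserted at /spec/volumes/0 — so unless the saved kube-apiserver.yaml already declares it, kubelet rejects the patched static pod and the apiserver goes down with it; either add the volume here or document that prerequisite next to the `auditlog` mount. `image: ghcr.io/metal-stack/audit-forwarder:pr-add-splunk` with `imagePullPolicy: Always` runs a mutable PR tag beside the control plane with a kubeconfig mounted in, so whatever is pushed to that tag later executes with those credentials; pin a release tag or digest before merging. The kubeconfig at /etc/kubernetes/audit/kube.config is presumably derived from the kind admin kubeconfig (the accompanying script rewrites only its server URL), which grants the log forwarder far more than it needs — a ServiceAccount-scoped credential would limit the blast radius. The container also declares no securityContext or resources; at least `readOnly: true` on the kubeconfig and add-config mounts, plus `runAsNonRoot`/`readOnlyRootFilesystem` if the image supports them, would be worth adding.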
+++ b/kind/kustomize-auditforwarder-splunk/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+- kube-apiserver.yaml
+patches:
+- path: kube-apiserver_patch.yaml
+ target:
+ kind: Pod
+ name: kube-apiserver
diff --git a/kind/make-audit-forwarder-splunk b/kind/make-audit-forwarder-splunk
new file mode 100755
index 0000000..fcb4a19
--- /dev/null
+++ b/kind/make-audit-forwarder-splunk
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# First check if a forwarder has already been applied and get the kube-apiserver manifest if it isn't.
+if grep forwarder kind-etc-kubernetes/manifests/kube-apiserver.yaml >/dev/null; then
+ echo "Forwarder config already applied."
+ if [ ! -f kustomize-auditforwarder-splunk/kube-apiserver.yaml ]; then
+ echo "No saved kube-apiserver manifest exists, exiting."
+ exit
+ else
+ if grep forwarder kustomize-auditforwarder-splunk/kube-apiserver.yaml >/dev/null; then
+ echo "Saved config contains forwarder too, can not patch. Exiting."
+ exit
+ fi
+ fi
+else
+ echo "Getting kube-apiserver manifest."
+ cp kind-etc-kubernetes/manifests/kube-apiserver.yaml kustomize-auditforwarder-splunk/
+fi
+
+# Patch the generated kind kubeconfig with the apiserver URL valid from within the cluster.
+
+echo "Generating the in-cluster kubeconfig:"
+
+# Get the IP and port from the apiserver manifest:
+line=`grep kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint kustomize-auditforwarder-splunk/kube-apiserver.yaml`
+apiserver=${line##*kubeadm.kubernetes.io\/kube-apiserver.advertise-address.endpoint:?}
+
+sed "s+https://.*$+https://$apiserver+" kube.config >kind-etc-kubernetes/audit/kube.config
+
+echo "Patching and applying the kube-apiserver manifest:"
+kustomize build kustomize-auditforwarder-splunk >kind-etc-kubernetes/manifests/kube-apiserver.yaml
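Review bot: The final line redirects `kustomize build` straight into the live static-pod manifest kind-etc-kubernetes/manifests/kube-apiserver.yaml, so if the build fails (bad patch, missing volume, kustomize not on PATH) the shell has already truncated the file and kubelet tears down the apiserver with nothing to replace it; build into a temp file and move it into place only on success, e.g. `out=$(mktemp) && kustomize build kustomize-auditforwarder-splunk >"$out" && mv "$out" kind-etc-kubernetes/manifests/kube-apiserver.yaml`. The two early `exit` calls return status 0, so a caller cannot distinguish "saved config contains forwarder too, can not patch" from a successful run; make the error paths `exit 1`. The `line=`/`apiserver=` extraction silently yields an empty string when the advertise-address annotation is missing, and the following sed then presumably leaves `server: https://` in kind-etc-kubernetes/audit/kube.config; guard it with `[ -n "$apiserver" ] || exit 1` before the sed. Note also that kube.config here is presumably the kind-generated admin kubeconfig with only its URL rewritten, so the forwarder sidecar inherits cluster-admin; a dedicated least-privilege credential would be preferable.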