I want to enable auditing for the api-server component on a Kubernetes cluster.
I have tried:
- Editing /etc/kubernetes/manifests/kube-apiserver.yaml
    ...
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    - --audit-log-path=/var/log/kubernetes/kube-apiserver-audit.log
    - --audit-log-maxage=3
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
- Editing /etc/kubernetes/kubeadm-config.yaml
    extraArgs:
      ...
      audit-log-path: /var/log/kubernetes/kube-apiserver-audit.log
      audit-policy-file: /etc/kubernetes/audit-policy.yaml
      audit-log-maxage: "3"
      audit-log-maxbackup: "10"
      audit-log-maxsize: "100"
    extraVolumes:
    ...
    - name: audit
      hostPath: /etc/kubernetes/audit-policy.yaml
      mountPath: /etc/kubernetes/audit-policy.yaml
      readOnly: true
      pathType: File
    - name: audit-log
      hostPath: /var/log/kubernetes/audit/
      mountPath: /var/log/kubernetes/audit/
      readOnly: false
      pathType: DirectoryOrCreate
- Setting this in kubeadm-config
    kubectl edit cm -n kube-system kubeadm-config
Thanks.
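
A consistency check for the flags and volumes quoted in the question, as an added example that is not part of the original post: the audit flags are resolved inside the kube-apiserver container, so each path they name has to fall under one of the mounted paths, and the log location has to be writable. The function names are hypothetical, and the sample data is constructed from the values shown in the post.

```python
import posixpath

# Audit flags whose values are paths inside the container -> needs write access?
PATH_FLAGS = {"--audit-policy-file": False, "--audit-log-path": True}

# Constructed sample data, copied from the values shown in the post above.
ARGS = [
    "--audit-policy-file=/etc/kubernetes/audit-policy.yaml",
    "--audit-log-path=/var/log/kubernetes/kube-apiserver-audit.log",
]
MOUNTS = [
    {"name": "audit", "mountPath": "/etc/kubernetes/audit-policy.yaml",
     "readOnly": True, "pathType": "File"},
    {"name": "audit-log", "mountPath": "/var/log/kubernetes/audit/",
     "readOnly": False, "pathType": "DirectoryOrCreate"},
]

def parse_flags(args):
    """Turn ['--k=v', ...] into {'--k': 'v'}; entries without '=' are skipped."""
    return dict(a.split("=", 1) for a in args if a.startswith("--") and "=" in a)

def covering_mount(path, mounts):
    """Return the mount that makes `path` visible in the container, or None."""
    path = posixpath.normpath(path)
    for m in mounts:
        mp = posixpath.normpath(m["mountPath"])
        is_file = m.get("pathType") in ("File", "FileOrCreate")
        # A file mount must match exactly; a directory mount must contain the path.
        if path == mp if is_file else path.startswith(mp.rstrip("/") + "/"):
            return m
    return None

def check_audit_paths(args, mounts):
    """List (flag, path, problem) for audit paths the mounts do not serve."""
    problems = []
    flags = parse_flags(args)
    for flag, needs_write in PATH_FLAGS.items():
        path = flags.get(flag)
        if path is None:
            problems.append((flag, None, "flag not set"))
            continue
        if path == "-":  # for --audit-log-path, "-" means standard out
            continue
        m = covering_mount(path, mounts)
        if m is None:
            problems.append((flag, path, "no mount covers this path"))
        elif needs_write and m.get("readOnly", False):
            problems.append((flag, path, "mount is read-only"))
    return problems

if __name__ == "__main__":
    print(check_audit_paths(ARGS, MOUNTS))
```

With the values from the post, the policy file is served by the `audit` mount, while the log path is reported because it sits in /var/log/kubernetes/ and not under the mounted /var/log/kubernetes/audit/ directory.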