From c34900e569796726f03d9b55cc76ac0ea6e9d5d5 Mon Sep 17 00:00:00 2001
From: Erwan Miran <mirwan666@gmail.com>
Date: Mon, 20 Aug 2018 07:00:53 +0200
Subject: [PATCH] Define apiserver flags directly instead of relying on
 auditPolicy section in order to have the ability to redirect audit log to
 stdout with kubeadm

---
 roles/kubernetes/master/defaults/main.yml     |  2 +-
 .../templates/kubeadm-config.v1alpha2.yaml.j2 | 25 ++++++++++++++-----
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/roles/kubernetes/master/defaults/main.yml b/roles/kubernetes/master/defaults/main.yml
index e31809bbd..4f1f12fa3 100644
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -26,7 +26,7 @@ force_etcd3: false
 
 # audit support
 kubernetes_audit: false
-# audit_log_path must not be set to "-" with kubeadm as it only handles a logfile named audit.log
+# path to audit log file
 audit_log_path: /var/log/audit/kube-apiserver-audit.log
 # num days
 audit_log_maxage: 30
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
index 9a72fde75..d7d6cdc05 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
@@ -12,12 +12,6 @@ etcd:
       caFile: {{ kube_config_dir }}/ssl/etcd/ca.pem
       certFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}.pem
       keyFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}-key.pem
-{% if kubernetes_audit %}
-auditPolicy:
-  logDir: {{ audit_log_hostpath }}
-  logMaxAge: {{ audit_log_maxage }}
-  path: {{ audit_policy_file }}
-{% endif %}
 networking:
   dnsDomain: {{ dns_domain }}
   serviceSubnet: {{ kube_service_addresses }}
@@ -81,6 +75,13 @@ apiServerExtraArgs:
   runtime-config: {{ kube_api_runtime_config | join(',') }}
 {% endif %}
   allow-privileged: "true"
+{% if kubernetes_audit %}
+  audit-log-path: {{ audit_log_path }}
+  audit-log-maxage: {{ audit_log_maxage }}
+  audit-log-maxbackup: {{ audit_log_maxbackups }}
+  audit-log-maxsize: {{ audit_log_maxsize }}
+  audit-policy-file: {{ audit_policy_file }}
+{% endif %}
 {% for key in kube_kubeadm_apiserver_extra_args %}
   {{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}"
 {% endfor %}
@@ -94,6 +95,18 @@ controllerManagerExtraVolumes:
   hostPath: "{{ kube_config_dir }}/openstack-cacert.pem"
   mountPath: "{{ kube_config_dir }}/openstack-cacert.pem"
 {% endif %}
+{% if kubernetes_audit %}
+apiServerExtraVolumes:
+- name: {{ audit_policy_name }}
+  hostPath: {{ audit_policy_hostpath }}
+  mountPath: {{ audit_policy_mountpath }}
+{% if audit_log_path != "-" %}
+- name: {{ audit_log_name }}
+  hostPath: {{ audit_log_hostpath }}
+  mountPath: {{ audit_log_mountpath }}
+  Writable: true
+{% endif %}
+{% endif %}
 {% if kube_feature_gates %}
   feature-gates: {{ kube_feature_gates|join(',') }}
 {% endif %}
-- 
GitLab