Commit c34900e5 authored by Erwan Miran's avatar Erwan Miran

Define apiserver flags directly instead of relying on auditPolicy section in...

Define apiserver flags directly instead of relying on auditPolicy section in order to have the ability to redirect audit log to stdout with kubeadm
parent 855f2a55
...@@ -26,7 +26,7 @@ force_etcd3: false ...@@ -26,7 +26,7 @@ force_etcd3: false
# audit support # audit support
kubernetes_audit: false kubernetes_audit: false
# audit_log_path must not be set to "-" with kubeadm as it only handles a logfile named audit.log # path to audit log file
audit_log_path: /var/log/audit/kube-apiserver-audit.log audit_log_path: /var/log/audit/kube-apiserver-audit.log
# num days # num days
audit_log_maxage: 30 audit_log_maxage: 30
......
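Review bot: The replacement comment `# path to audit log file` does not mention the special value `-`, although accepting it is the purpose of this change. Suggest `# path to audit log file; set to "-" to send audit events to the apiserver's stdout`. A short remark would also help that the maxage/maxbackup/maxsize rotation settings below then have no effect, so audit retention depends on whatever collects the container logs. This reads the right-hand column as the new side, which matches the commit description.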
...@@ -12,12 +12,6 @@ etcd: ...@@ -12,12 +12,6 @@ etcd:
caFile: {{ kube_config_dir }}/ssl/etcd/ca.pem caFile: {{ kube_config_dir }}/ssl/etcd/ca.pem
certFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}.pem certFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}.pem
keyFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}-key.pem keyFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}-key.pem
{% if kubernetes_audit %}
auditPolicy:
logDir: {{ audit_log_hostpath }}
logMaxAge: {{ audit_log_maxage }}
path: {{ audit_policy_file }}
{% endif %}
networking: networking:
dnsDomain: {{ dns_domain }} dnsDomain: {{ dns_domain }}
serviceSubnet: {{ kube_service_addresses }} serviceSubnet: {{ kube_service_addresses }}
...@@ -81,6 +75,13 @@ apiServerExtraArgs: ...@@ -81,6 +75,13 @@ apiServerExtraArgs:
runtime-config: {{ kube_api_runtime_config | join(',') }} runtime-config: {{ kube_api_runtime_config | join(',') }}
{% endif %} {% endif %}
allow-privileged: "true" allow-privileged: "true"
{% if kubernetes_audit %}
audit-log-path: {{ audit_log_path }}
audit-log-maxage: {{ audit_log_maxage }}
audit-log-maxbackup: {{ audit_log_maxbackups }}
audit-log-maxsize: {{ audit_log_maxsize }}
audit-policy-file: {{ audit_policy_file }}
{% endif %}
{% for key in kube_kubeadm_apiserver_extra_args %} {% for key in kube_kubeadm_apiserver_extra_args %}
{{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}" {{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}"
{% endfor %} {% endfor %}
...@@ -94,6 +95,18 @@ controllerManagerExtraVolumes: ...@@ -94,6 +95,18 @@ controllerManagerExtraVolumes:
hostPath: "{{ kube_config_dir }}/openstack-cacert.pem" hostPath: "{{ kube_config_dir }}/openstack-cacert.pem"
mountPath: "{{ kube_config_dir }}/openstack-cacert.pem" mountPath: "{{ kube_config_dir }}/openstack-cacert.pem"
{% endif %} {% endif %}
{% if kubernetes_audit %}
apiServerExtraVolumes:
- name: {{ audit_policy_name }}
hostPath: {{ audit_policy_hostpath }}
mountPath: {{ audit_policy_mountpath }}
{% if audit_log_path != "-" %}
- name: {{ audit_log_name }}
hostPath: {{ audit_log_hostpath }}
mountPath: {{ audit_log_mountpath }}
Writable: true
{% endif %}
{% endif %}
{% if kube_feature_gates %} {% if kube_feature_gates %}
feature-gates: {{ kube_feature_gates|join(',') }} feature-gates: {{ kube_feature_gates|join(',') }}
{% endif %} {% endif %}
......
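Review bot: The new `audit-log-path: {{ audit_log_path }}` line in the apiServerExtraArgs hunk is rendered unquoted, so the value this commit is meant to enable, `-`, would come out as `audit-log-path: -`. A YAML parser is likely to read that as a sequence indicator rather than a string and reject the kubeadm config. Quote it the way the neighbouring `allow-privileged: "true"` and the extra-args loop already do, `audit-log-path: "{{ audit_log_path }}"`, and do the same for the four other audit flags so they reach the string map as strings. In the apiServerExtraVolumes hunk, `Writable: true` is capitalised unlike `hostPath`/`mountPath`; `writable: true` would be consistent, assuming the kubeadm config version in use spells the field that way. Indentation is not recoverable from this rendering, so nesting of the added keys was not checked.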