k8s学习-CKS真题-日志审计 log audit

---

题目

Task
在 cluster 中启用审计日志。为此，请启用日志后端，并确保：
   日志存储在 /var/log/kubernetes/audit-logs.txt
   日志文件能保留 10 天
   最多保留 2 个旧审计日志文件
/etc/kubernetes/logpolicy/sample-policy.yaml 提供了基本策略。它仅指定不记录的内容。
注意：基本策略位于 cluster 的 master 节点上。

编辑和扩展基本策略以记录：
   RequestResponse 级别的 persistentvolumes 更改
   namespace front-apps 中 configmaps 更改的请求体
   Metadata 级别的所有 namespace 中的 ConfigMap 和 Secret 的更改
此外，添加一个全方位的规则以在 Metadata 级别记录所有其他请求。
注意：不要忘记应用修改后的策略。

kube-apiserver.yaml选项解释：
- -audit-policy-file 指定审计策略文件
- -audit-log-path 指定用来写入审计事件的日志文件路径。不指定此标志会禁用日志后端。
- -audit-log-maxage 定义保留旧审计日志文件的最大天数
- -audit-log-maxbackup 定义要保留的审计日志文件的最大数量
- -audit-log-maxsize 定义审计日志文件轮转之前的最大大小（兆字节）

更多见参考

环境搭建

命令

mkdir -p /etc/kubernetes/logpolicy/
vim /etc/kubernetes/logpolicy/sample-policy.yaml

内容

apiVersion: audit.k8s.io/v1
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]
  # Don't log authenticated requests to certain non-resource URL paths.    
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*"  # Wildcard matching.
    - "/version"
  # Please do not delete the above rule content, you can continue add it below.

解题

命令

vim /etc/kubernetes/logpolicy/sample-policy.yaml

内容

apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]

  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"
  # Please do not delete the above rule content, you can continue add it below.
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["persistentvolumes"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["secrets", "configmaps"]

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    namespaces: ["front-apps"]
  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"

截图

修改kube-apiserverl.yaml配置文件
命令

vim /etc/kubernetes/manifests/kube-apiserver.yaml

添加以下四个启动项

- --audit-log-path=/var/log/kubernetes/audit-logs.txt
- --audit-policy-file=/etc/kubernetes/logpolicy/sample-policy.yaml
- --audit-log-maxage=10
- --audit-log-maxbackup=2

截图

截图

重启kubelet
命令

systemctl daemon-reload
systemctl restart kubelet

截图

模拟题

参考

k8s-审计