
Enabling audit logging on a Kubernetes cluster

Date: 2024-06-05 20:56:41

Original post: https://maoqide.live/posts/cloud/kubernetes-audit

Kubernetes auditing

For a full description of Kubernetes auditing, see the official documentation: https://kubernetes.io/zh-cn/docs/tasks/debug-application-cluster/audit/

In short, kube-apiserver can record every request made to the cluster together with its response. Depending on the audit policy you configure, the audit log captures request metadata (the time of the request, the resource, the verb, the requesting user, the source IP address, and so on) and can also capture the response (status code, returned object, and so on). The more detailed the policy, the more resources it consumes and the larger the log volume, so configure the policy according to your own needs.

Audit logs can be written either to a log file or to a webhook backend. I use the log file, collected by vector and then stored and queried with loki.

The audit policy itself can be tailored to your needs; the simplest possible policy is:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

This is the lowest-level audit policy: it records only request metadata, not request or response bodies. The official GCP script configure-helper.sh also generates an audit policy file; its rules are a useful starting point to adapt.

Enabling auditing

Here is a record of my own setup; my cluster was deployed with kubeadm.

1. Update the kubeadm configuration

Back up kubeadm-config:

kubectl -nkube-system get cm kubeadm-config -oyaml > kubeadm-config.yaml

Edit kubeadm-config:

kubectl -nkube-system edit cm kubeadm-config

Add the following apiserver settings: mount the log directory of the static-pod apiserver onto the host so the logs can be collected, add the audit-related flags, and mount the audit policy file into the apiserver container. With the volumes below, the audit log written to /var/log/kubernetes/audit/audit.log inside the container appears on the host as /data/logs/kubernetes/audit/audit.log.

... ...
    apiServer:
      extraArgs:
        ... ...
        audit-policy-file: /etc/kubernetes/audit/audit-policy.yaml
        audit-log-path: /var/log/kubernetes/audit/audit.log
        audit-log-maxage: "30"
        audit-log-maxbackup: "5"
        audit-log-maxsize: "200"
        log-dir: /var/log/kubernetes
        logtostderr: "false"
        v: "2"
      extraVolumes:
       - name: "audit"
         hostPath: "/etc/kubernetes/audit"
         mountPath: "/etc/kubernetes/audit"
         pathType: DirectoryOrCreate
       - name: "log"
         hostPath: "/data/logs/kubernetes"
         mountPath: "/var/log/kubernetes"
         pathType: DirectoryOrCreate
      timeoutForControlPlane: 4m0s
... ...

2. Create the audit policy file

Create the audit policy file on the control-plane node (on every control-plane node, if there is more than one). Below is my policy, adapted from the one generated by the GCP script mentioned above, with some unnecessary logging removed.

mkdir -p /etc/kubernetes/audit
cat <<EOF > /etc/kubernetes/audit/audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # The following requests were manually identified as high-volume and low-risk,
  # so drop them.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # core
        resources: ["endpoints", "services", "services/status"]
  - level: None
    # Ingress controller reads 'configmaps/ingress-uid' through the unsecured port.
    # TODO(#46983): Change this to the ingress controller service account.
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"] # legacy kubelet identity
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes", "nodes/status"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes", "nodes/status"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:cloud-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # core
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
  - level: None
    users: ["cluster-autoscaler"]
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # core
        resources: ["configmaps", "endpoints"]
  # Don't log HPA fetching metrics.
  - level: None
    users:
      - system:kube-controller-manager
      - system:cloud-controller-manager
    verbs: ["get", "list"]
    resources:
      - group: "metrics.k8s.io"
  # Don't log these read-only URLs.
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  # Don't log events requests because of performance impact.
  - level: None
    resources:
      - group: "" # core
        resources: ["events"]
  # node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes
  - level: Request
    users: ["kubelet", "system:node-problem-detector", "system:serviceaccount:kube-system:node-problem-detector"]
    verbs: ["update","patch"]
    resources:
      - group: "" # core
        resources: ["nodes/status", "pods/status"]
    omitStages:
      - "RequestReceived"
  - level: Request
    userGroups: ["system:nodes"]
    verbs: ["update","patch"]
    resources:
      - group: "" # core
        resources: ["nodes/status", "pods/status"]
    omitStages:
      - "RequestReceived"
  # deletecollection calls can be large, don't log responses for expected namespace deletions
  - level: Request
    users: ["system:serviceaccount:kube-system:namespace-controller"]
    verbs: ["deletecollection"]
    omitStages:
      - "RequestReceived"
  # Secrets, ConfigMaps, TokenRequest and TokenReviews can contain sensitive & binary data,
  # so only log at the Metadata level.
  - level: Metadata
    resources:
      - group: "" # core
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
    omitStages:
      - "RequestReceived"
  # Get responses can be large; skip them.
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apiextensions.k8s.io"
      - group: "apiregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "metrics.k8s.io"
      - group: "networking.k8s.io"
      - group: "node.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "scheduling.k8s.io"
      - group: "storage.k8s.io"
    omitStages:
      - "RequestReceived"
  # Default level for known APIs
  - level: RequestResponse
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apiextensions.k8s.io"
      - group: "apiregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "metrics.k8s.io"
      - group: "networking.k8s.io"
      - group: "node.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "scheduling.k8s.io"
      - group: "storage.k8s.io"
    omitStages:
      - "RequestReceived"
  # Default level for all other requests.
  - level: Metadata
    omitStages:
      - "RequestReceived"

3. Update the apiserver

Next, regenerate the apiserver static pod on each control-plane node so that the kubeadm-config change from step 1 takes effect. On each control-plane node run:

kubeadm upgrade node --certificate-renewal=false

4. Log collection

Finally, collect the audit log with whichever log-collection tool you are familiar with.
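Once the file is collected, the first questions to ask of it are fairly standard. The script below is an added example, not from the original post: it parses audit.log lines in the audit.k8s.io/v1 Event format the apiserver writes, counts requests per identity, verb and resource, lists successful Secret reads by identities other than the control-plane components, and counts 401/403 denials per identity. The log lines and identity names are constructed samples.

```python
import json
from collections import Counter

def _ev(audit_id, verb, user, resource, ns, code, name=None):
    """One audit Event in the audit.k8s.io/v1 JSON shape (constructed sample)."""
    obj = {"resource": resource, "namespace": ns, **({"name": name} if name else {})}
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
            "auditID": audit_id, "stage": "ResponseComplete", "verb": verb,
            "user": {"username": user, "groups": []}, "sourceIPs": ["10.0.0.5"],
            "objectRef": obj, "responseStatus": {"code": code},
            "requestReceivedTimestamp": "2024-06-05T12:00:00.000000Z"}

# Constructed audit.log content: one JSON event per line, as kube-apiserver writes it.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _ev("a1", "get", "alice", "secrets", "prod", 200, "db-creds"),
    _ev("a2", "list", "system:serviceaccount:default:web", "secrets", "prod", 403),
    _ev("a3", "get", "system:kube-controller-manager", "secrets", "kube-system", 200, "sa-token"),
    _ev("a4", "create", "alice", "pods", "prod", 201, "web-1"),
    _ev("a5", "delete", "system:serviceaccount:default:web", "pods", "prod", 403, "web-1"),
])

# Control-plane identities expected to read Secrets during normal operation.
SYSTEM_PREFIXES = ("system:kube-", "system:apiserver", "system:serviceaccount:kube-system:")

def parse_events(text):
    """Yield ResponseComplete events (one per request; other stages, if present, are skipped)."""
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            if ev.get("kind") == "Event" and ev.get("stage") == "ResponseComplete":
                yield ev

def secret_reads_by_non_system(events):
    """auditIDs of successful get/list/watch on Secrets by non-control-plane identities."""
    return [e["auditID"] for e in events
            if e.get("objectRef", {}).get("resource") == "secrets"
            and e["verb"] in ("get", "list", "watch")
            and e["responseStatus"]["code"] < 300
            and not e["user"]["username"].startswith(SYSTEM_PREFIXES)]

def denied_by_user(events):
    """401/403 responses per identity; a spike points to probing or a broken RBAC binding."""
    return Counter(e["user"]["username"] for e in events
                   if e["responseStatus"]["code"] in (401, 403))

def analyze(text):
    events = list(parse_events(text))
    counts = Counter((e["user"]["username"], e["verb"], e["objectRef"].get("resource")) for e in events)
    return {"secret_reads": secret_reads_by_non_system(events),
            "denied": denied_by_user(events), "by_user_verb_resource": counts}
```

Because the policy above omits the RequestReceived stage, each request appears once; the stage filter in parse_events keeps the counts correct if a later policy change re-enables it.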

From: https://www.cnblogs.com/maoqide/p/18233774