
Commit

adds dynamic audit debug documentation
pbarker committed Aug 21, 2018
1 parent f8e4d35 commit 7dc4140
Showing 1 changed file with 38 additions and 0 deletions.
38 changes: 38 additions & 0 deletions content/en/docs/tasks/debug-application-cluster/audit.md
@@ -199,6 +199,44 @@ same format as described above to the aggregated apiserver and set up the log in
to pick up audit logs. Different apiservers can have different audit configurations and different
audit policies.

## Dynamic Auditing

As of version 1.12 audit backends can be configured dynamically as api objects.

To enable the feature a number of api server flags must be set:
- `--audit-dynamic-configuration` the primary switch, once the feature progresses to GA this will be
the only flag needed
- `--feature-gates=DynamicAuditing=true` Feature gate
- `--runtime-config=audit.k8s.io/v1alpha1=true` Forces alpha version
- `--storage-versions=audit.k8s.io/v1alpha1` Uses storage for alpha version

Once enabled, a backend can be provisioned:
```yaml
apiVersion: audit.k8s.io/v1beta1
kind: AuditConfiguration
metadata:
name: <name>
policy:
rules:
- level: <level>
omitStages:
- stage: <stage>
backend:
webhook:
initialBackoff: <10s>
throttleBurst: <15>
throttleEnabled: <true>
throttleQPS: <10>
clientConfig:
url: <backend url>
service:
name: <service name>
namespace: <service namespace>
caBundle: <ca bundle>
```

The full api defintion can be found in the [types file](https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go). Multiple objects will exist as independent solutions. If the policy section is omitted the backend will resort to the static policy set by the apiserver flags if available. Dynamic policy will have no effect on backends configured from runtime flags. Administrators should be cognizant that allowing write access to this feature grants read access to all cluster data. Access should be regarded as a `cluster-admin` level privilege.

## Log Collector Examples

### Use fluentd to collect and distribute audit events from log file
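Review bot: the example manifest's `apiVersion: audit.k8s.io/v1beta1` does not match the flags the same section tells the reader to set (`--runtime-config=audit.k8s.io/v1alpha1=true`, `--storage-versions=audit.k8s.io/v1alpha1`) or the linked `v1alpha1/types.go`; a reader who copies the snippet against an apiserver configured as described would be submitting a version the server has not been told to serve, so the snippet should read `apiVersion: audit.k8s.io/v1alpha1` (or the flags and link should move to v1beta1 together). Two smaller points in the same hunk: "defintion" in the closing paragraph is misspelled, and the angle-bracket placeholders around what look like concrete defaults (`<10s>`, `<15>`, `<true>`, `<10>`) read as values rather than fields to fill in, so either drop the brackets or replace them with descriptive placeholders like `<duration>`. Finally, since the paragraph itself states that write access to these objects is equivalent to read access to all cluster data, it would help operators to state the concrete mitigation rather than a general caution: RBAC rules granting create/update on the AuditConfiguration resource should be restricted to the same subjects that already hold `cluster-admin`.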
