-
Notifications
You must be signed in to change notification settings - Fork 191
/
Copy pathgather_audit_logs
executable file
·103 lines (90 loc) · 4.09 KB
/
gather_audit_logs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
#!/bin/bash
# Downloads the audit.log (and its rotated copies) from
# /var/logs/{kube-apiserver,openshift-apiserver} on each
# master node.
source $(dirname "$0")/common.sh
get_log_collection_args
BASE_COLLECTION_PATH="${BASE_COLLECTION_PATH:-/must-gather}"
profile=$(oc get apiservers.v1.config.openshift.io -o jsonpath='{.items[0].spec.audit.profile}')
if [ -z "${profile}" ] || [ "${profile}" == None ]; then
if [ "${1}" == "--force" ]; then
cat << EOF
WARNING: To raise a Red Hat support request, it is required to set the top level audit policy to
Default, WriteRequestBodies, or AllRequestBodies to generate audit log events that can
be analyzed by support. Try 'oc edit apiservers' and set 'spec.audit.profile' back to
Default" and reproduce the issue while gathering audit logs.
EOF
else
cat << EOF
ERROR: To raise a Red Hat support request, it is required to set the top level audit policy to
Default, WriteRequestBodies, or AllRequestBodies to generate audit log events that can
be analyzed by support. Try 'oc edit apiservers' and set 'spec.audit.profile' back to
"Default" and reproduce the issue while gathering audit logs. You can use "--force" to
override this error.
EOF
exit 1
fi
fi
echo "WARNING: Collecting one or more audit logs on ALL masters in your cluster. This could take a large amount of time." >&2
# the command executed by xargs below expects four parameters:
# $1 - node path under /var/logs to download
# $2 - local output path
# $3 - node name
# $4 - log file name
# $5 - --since=ISO time, if provided via MUST_GATHER_SINCE_TIME
paths=(openshift-apiserver kube-apiserver oauth-apiserver etcd oauth-server)
for path in "${paths[@]}" ; do
output_dir="${BASE_COLLECTION_PATH}/audit_logs/$path"
mkdir -p "$output_dir"
oc adm node-logs ${node_log_collection_args:+"$node_log_collection_args"} --role=master --path="$path" | \
tee "${BASE_COLLECTION_PATH}/audit_logs/$path.audit_logs_listing" | \
grep -v ".terminating" | \
grep -v ".lock" | \
sed "s|^|$path $output_dir |" | \
sed "s|$| '${node_log_collection_args}'|"
done | \
xargs --max-args=5 --max-procs=45 bash -c \
'echo "INFO: Started downloading $1/$4 from $3";
oc adm node-logs ${5:+"$5"} $3 --path=$1/$4 | gzip > $2/$3-$4.gz;
echo "INFO: Finished downloading $1/$4 from $3"' \
bash
# gathers audit logs from prometheus-adapter pod running in openshift-monitoring namespace.
gather_monitoring_audit_logs() {
local prometheus_adapter_pods
prometheus_adapter_pods="$(oc get pods \
-n openshift-monitoring \
-l app.kubernetes.io/name=prometheus-adapter \
-o jsonpath='{.items[*].metadata.name}' )"
num_prom_adapter_pods=$(echo "$prometheus_adapter_pods" | wc -w)
# Only either of prometheus-adapter or metrics-server will be running
# in a cluster at a time. Currently metrics-server is tech preview but
# planning to go GA in 4.16
#
# TODO(slashpai): Remove prometheus-adapter code once it's completely removed in CMO
if [ "$num_prom_adapter_pods" -gt 0 ]; then
# NOTE: there should only be one pod for prometheus-adapter but treating it
# as array ensures multiple pods are covered as well.
for pod in $prometheus_adapter_pods; do
local output_dir="${BASE_COLLECTION_PATH}/audit_logs/monitoring/$pod"
mkdir -p "$output_dir"
echo "Collecting logs from prometheus adapter pod: $pod"
oc cp -n openshift-monitoring "$pod:var/log/adapter" "$output_dir"
done
else
local metrics_server_pods
metrics_server_pods="$(oc get pods \
-n openshift-monitoring \
-l app.kubernetes.io/name=metrics-server \
-o jsonpath='{.items[*].metadata.name}' )"
for pod in $metrics_server_pods; do
local output_dir="${BASE_COLLECTION_PATH}/audit_logs/monitoring/$pod"
mkdir -p "$output_dir"
echo "Collecting logs from metrics server pod: $pod"
oc cp -n openshift-monitoring "$pod:var/log/metrics-server" "$output_dir"
done
fi
}
gather_monitoring_audit_logs
echo "INFO: Audit logs collected."
# force disk flush to ensure that all data gathered is accessible in the copy container
sync