k8s v1.19.0
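# /etc/kubernetes/audit/audit-policy.yaml
# Path matches the --audit-policy-file flag and the k8s-audit hostPath mount;
# the original header said /etc/kubernetes/pki, which disagrees with both.
#
# audit.k8s.io/v1 is served by v1.19; v1beta1 is deprecated.
apiVersion: audit.k8s.io/v1
kind: Policy
# Rules are evaluated top-down and the FIRST matching rule sets the level.
# A request that matches no rule is not logged at all.
rules:
  # Secrets and ConfigMaps carry sensitive values. At Request or
  # RequestResponse level their bodies would be written into the audit log,
  # so record metadata only (who, what, when) for these resources.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # All other core-group ("") resources: metadata plus the request body.
  - level: Request
    resources:
      - group: ""
  # The original listing repeated `group: ""` at RequestResponse and Metadata.
  # Both were unreachable because the Request rule above already matches the
  # whole core group. A catch-all is used instead, so that requests to other
  # API groups still produce an audit event.
  - level: Metadata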
kube-apiserver pod中增加如下配置
# kube-apiserver startup flags
# Audit policy file, as seen from inside the kube-apiserver container.
# The file must exist at exactly this path, so the directory has to be mounted
# into the pod.
--audit-policy-file=/etc/kubernetes/audit/audit-policy.yaml
# Emit each audit event as a JSON object.
--audit-log-format=json
# Audit log file, written inside the same mounted directory as the policy.
--audit-log-path=/etc/kubernetes/audit/kube-apiserver-audit.log
# Keep rotated audit log files for at most 30 days.
--audit-log-maxage=30
# Keep at most 3 rotated audit log files.
--audit-log-maxbackup=3
# Rotate the current audit log file once it reaches 1024 MB.
# NOTE(review): with these limits, older events are deleted on the node.
# Forward the log to central storage if it is needed for investigations.
--audit-log-maxsize=1024
# Container mount: an entry for the kube-apiserver container's volumeMounts
# list. No readOnly flag is set, so the directory is writable from the
# container; this is needed because the audit log is written here.
- name: k8s-audit
  mountPath: /etc/kubernetes/audit
# Host mount: an entry for the pod's volumes list. DirectoryOrCreate creates
# the host directory if it does not exist yet.
- name: k8s-audit
  hostPath:
    path: /etc/kubernetes/audit
    type: DirectoryOrCreate
--audit-policy-file:审计策略
--audit-log-format:审计日志格式
--audit-log-path:审计日志路径
--audit-log-maxage:保留审计日志的最大天数
--audit-log-maxbackup:保留审计日志的最大数量
--audit-log-maxsize:单个审计日志文件在轮转前的最大大小(MB)
查看kube-apiserver审计日志
# Follow the audit log on the host as kube-apiserver appends JSON events to it.
# The path is the --audit-log-path value, reachable through the hostPath mount.
tail -f /etc/kubernetes/audit/kube-apiserver-audit.log
每条审计事件都记录了请求的接收时间(requestReceivedTimestamp)和处理完成时间(ResponseComplete 阶段的 stageTimestamp)。