色综合天天综合网无码不卡,亚洲欧美日韩国产成人一区,婷婷六月综合缴情在线

審計（Auditing）產生于API Server內部，用于記錄對Kubernetes API的請求以及請求結果。ACK集群提供API Server的審計日志，幫助集群管理人員排查“什么人在什么時間對什么資源做了什么操作”，可用于追溯集群操作歷史、排查集群故障等，降低集群安全運維壓力。

前提條件

已創建注冊集群，并將自建Kubernetes集群接入注冊集群。具體操作，請參見通過控制臺創建注冊集群。

步驟一：在Master節點上修改審計配置策略文件

依次登錄所有Master節點，在審計配置策略文件的路徑/etc/kubernetes/audit-policy.yaml，請根據以下內容修改審計配置策略：

說明

若您的集群版本低于1.24，apiVersion請使用audit.k8s.io/v1beta1，若集群版本大于等于1.24，則使用audit.k8s.io/v1。更多詳細信息，請參見Kubernetes 1.24版本說明。

apiVersion: audit.k8s.io/v1beta1 
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # The following requests were manually identified as high-volume and low-risk,
  # so drop them.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # core
        resources: ["endpoints", "services"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"] # legacy kubelet identity
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # core
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["namespaces"]
  # Don't log these read-only URLs.
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  # Don't log events requests.
  - level: None
    resources:
      - group: "" # core
        resources: ["events"]
  # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
  # so only log at the Metadata level.
  - level: Metadata
    resources:
      - group: "" # core
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # Get repsonses can be large; skip them.
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default level for known APIs
  - level: RequestResponse
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default level for all other requests.
  - level: Metadata

步驟二：在Master節點上配置Kube API Server文件

依次登錄所有Master節點機器，在Kube API Server文件的路徑/etc/kubernetes/manifests/kube-apiserver.yaml，請完成以下相關配置：

根據以下示例添加command參數--audit-log-*：

...
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
    - --audit-log-path=/var/log/kubernetes/kubernetes.audit
    - --audit-log-maxage=30
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    ...

根據以下示例添加env參數aliyun_logs_audit-*：

...
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
    - --audit-log-path=/var/log/kubernetes/kubernetes.audit
    - --audit-log-maxage=30
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    ...
    ...
    env:
    - name: aliyun_logs_audit-${cluster_id}
      value: /var/log/kubernetes/kubernetes.audit
    - name: aliyun_logs_audit-${cluster_id}_tags
      value: audit=apiserver
    - name: aliyun_logs_audit-${cluster_id}_product
      value: k8s-audit
    - name: aliyun_logs_audit-${cluster_id}_jsonfile
      value: "true"
    image: registry-vpc.cn-shenzhen.aliyuncs.com/acs/kube-apiserver:v1.20.4-aliyun.1

重要

需要將{cluster_id}替換為您集群的Cluster ID。關于集群ID的獲取，請參見查看集群信息。

根據以下示例掛載/etc/kubernetes/audit-policy.yaml到API Server Pod。

...
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
    - --audit-log-path=/var/log/kubernetes/kubernetes.audit
    - --audit-log-maxage=30
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    ...
    ...
    env:
    - name: aliyun_logs_audit-${cluster_id}
      value: /var/log/kubernetes/kubernetes.audit
    - name: aliyun_logs_audit-${cluster_id}_tags
      value: audit=apiserver
    - name: aliyun_logs_audit-${cluster_id}_product
      value: k8s-audit
    - name: aliyun_logs_audit-${cluster_id}_jsonfile
      value: "true"
    image: registry-vpc.cn-shenzhen.aliyuncs.com/acs/kube-apiserver:v1.20.4-aliyun.1
    ...
    ...
    volumeMounts:
    - mountPath: /var/log/kubernetes
      name: k8s-audit
    - mountPath: /etc/kubernetes/audit-policy.yaml
      name: audit-policy
      readOnly: true
    ...
    ...
  volumes:
  - hostPath:
      path: /var/log/kubernetes
      type: DirectoryOrCreate
    name: k8s-audit
  - hostPath:
      path: /etc/kubernetes/audit-policy.yaml
      type: FileOrCreate
    name: audit-policy
  ...

步驟三：安裝logtail-ds日志組件

關于安裝logtail-ds日志組件的具體操作，請參見步驟二：安裝logtail-ds組件。

后續步驟

關于如何使用和查看集群API Server審計功能，請參見使用集群API Server審計功能。

日本熟妇hd丰满老熟妇,中文字幕一区二区三区在线不卡 ,亚洲成片在线观看,免费女同在线一区二区

在注冊集群中啟用集群API Server審計功能