透過建立稽核政策和 webhook 配置檔案,啟用 Kubernetes 稽核日誌收集於 k0s 叢集,配置 k0s 使用這些檔案,並重新啟動服務。
步驟
- 建立稽核配置目錄和檔案。執行以下命令以建立稽核政策和 webhook 配置:
sudo mkdir -p /etc/k0s/audit sudo tee /etc/k0s/audit/audit-policy.yaml << 'EOF' apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: Metadata verbs: ["create"] resources: - group: "authorization.k8s.io" resources: ["subjectaccessreviews", "selfsubjectaccessreviews", "localsubjectaccessreviews"] - level: RequestResponse verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] resources: - group: "rbac.authorization.k8s.io" resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"] - level: Metadata verbs: ["create", "update", "delete"] resources: - group: "" resources: ["serviceaccounts"] - level: None EOF sudo tee /etc/k0s/audit/audit-webhook-config.yaml << 'EOF' apiVersion: v1 kind: Config clusters: - name: audit-collector cluster: server: http://127.0.0.1:8030/k8s-audit contexts: - context: cluster: audit-collector user: "" name: default-context current-context: default-context preferences: {} users: [] EOF sudo chown -R root:root /etc/k0s/audit sudo chmod 644 /etc/k0s/audit/*.yaml - 配置 k0s 使用稽核政策和 webhook。編輯
/etc/k0s/k0s.yaml:apiVersion: k0s.k0sproject.io/v1beta1 kind: ClusterConfig metadata: name: k0s spec: api: extraArgs: audit-policy-file: /etc/k0s/audit/audit-policy.yaml audit-webhook-config-file: /etc/k0s/audit/audit-webhook-config.yaml audit-webhook-batch-max-size: "1"或者如果您沒有現有的配置文件:k0s config create > /etc/k0s/k0s.yaml # Then edit to add the extraArgs above
- 重新啟動 k0s 控制器以套用變更。
sudo systemctl restart k0scontroller
- 驗證配置。
sudo systemctl status k0scontroller sudo k0s kubectl get nodes