Enable Kubernetes audit log collection on RKE1 clusters by creating the audit policy and webhook configuration files, configuring RKE1 to use those files, and restarting the services.
Important
Steps
- Prepare the audit configuration files. Run the following commands to create the audit policy and the webhook configuration:

```bash
sudo mkdir -p /etc/kubernetes/audit

# Audit policy: kube-apiserver applies the first rule that matches a request,
# so the final "level: None" rule drops every request not matched above it.
sudo tee /etc/kubernetes/audit/audit-policy.yaml << 'EOF'
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  verbs: ["create"]
  resources:
  - group: "authorization.k8s.io"
    resources: ["subjectaccessreviews", "selfsubjectaccessreviews", "localsubjectaccessreviews"]
- level: RequestResponse
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  resources:
  - group: "rbac.authorization.k8s.io"
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
- level: Metadata
  verbs: ["create", "update", "delete"]
  resources:
  - group: ""
    resources: ["serviceaccounts"]
- level: None
EOF

# Webhook config: a kubeconfig-style file pointing kube-apiserver at the
# audit collector endpoint on the node.
sudo tee /etc/kubernetes/audit/audit-webhook-config.yaml << 'EOF'
apiVersion: v1
kind: Config
clusters:
- name: audit-collector
  cluster:
    server: http://127.0.0.1:8030/k8s-audit
contexts:
- context:
    cluster: audit-collector
    user: ""
  name: default-context
current-context: default-context
preferences: {}
users: []
EOF
```

- Update cluster.yml with the audit configuration:

```yaml
services:
  kube-api:
    extra_args:
      audit-policy-file: /etc/kubernetes/audit/audit-policy.yaml
      audit-webhook-config-file: /etc/kubernetes/audit/audit-webhook-config.yaml
      audit-webhook-batch-max-size: "1"
    extra_binds:
      # Mount the audit files into the kube-apiserver container read-only
      - "/etc/kubernetes/audit:/etc/kubernetes/audit:ro"
```

- Apply the changes:

```bash
rke up --config cluster.yml
```

- Verify the setup:

```bash
# Check that the kube-apiserver container is running with the audit flags
docker inspect $(docker ps -q -f name=kube-apiserver) | grep -i audit

# Check the audit collector logs
kubectl logs -n trendmicro-system -l app.kubernetes.io/component=trendmicro-audit-log-collector --tail=20

# Restart the API server if the config was not applied
docker restart $(docker ps -q -f name=kube-apiserver)
```
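To check which requests the policy above actually forwards to the collector, here is an added Python example (not Trend Micro, RKE or Kubernetes code) that mirrors the policy rules as constructed data and applies kube-apiserver's first-match semantics; it also flags rules shadowed by a catch-all, which is what would happen if the `level: None` rule were placed first. Only the verbs and resources selectors are modelled.

```python
POLICY_RULES = [  # constructed mirror of audit-policy.yaml above, in YAML order
    {"level": "Metadata", "verbs": ["create"],
     "resources": [{"group": "authorization.k8s.io",
                    "resources": ["subjectaccessreviews", "selfsubjectaccessreviews",
                                  "localsubjectaccessreviews"]}]},
    {"level": "RequestResponse",
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"],
     "resources": [{"group": "rbac.authorization.k8s.io",
                    "resources": ["roles", "rolebindings", "clusterroles",
                                  "clusterrolebindings"]}]},
    {"level": "Metadata", "verbs": ["create", "update", "delete"],
     "resources": [{"group": "", "resources": ["serviceaccounts"]}]},
    {"level": "None"},  # catch-all: every request not matched above is dropped
]

def rule_matches(rule, verb, group, resource):
    """A rule matches when every selector it carries matches the request.
    Selectors the rule omits match anything, so the bare 'level: None' rule
    matches every request. Only verbs and resources are modelled here."""
    if "verbs" in rule and verb not in rule["verbs"]:
        return False
    if "resources" in rule and not any(
        r["group"] == group and (not r.get("resources") or resource in r["resources"])
        for r in rule["resources"]):
        return False
    return True

def audit_level(verb, group, resource, rules=POLICY_RULES):
    """First matching rule wins, as in kube-apiserver; no match means 'None'."""
    for rule in rules:
        if rule_matches(rule, verb, group, resource):
            return rule["level"]
    return "None"

def unreachable_rules(rules):
    """Indexes of rules that can never fire because an earlier catch-all rule
    (one with neither a verbs nor a resources selector) shadows them."""
    dead, catch_all_seen = [], False
    for i, rule in enumerate(rules):
        if catch_all_seen:
            dead.append(i)
        elif "verbs" not in rule and "resources" not in rule:
            catch_all_seen = True
    return dead

if __name__ == "__main__":  # sample run with constructed requests
    print(audit_level("create", "rbac.authorization.k8s.io", "clusterrolebindings"))
    print(audit_level("get", "", "pods"), unreachable_rules(POLICY_RULES))
```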
