透過建立稽核政策和 webhook 配置檔案,啟用 RKE2 叢集上的 Kubernetes 稽核日誌收集,配置 RKE2 使用它們,並重新啟動服務。
 |
重要RKE2 以容器形式運行
kube-apiserver,因此必須將審核目錄掛載到容器中。 |
步驟
- 建立稽核配置目錄和檔案。執行以下命令以建立稽核政策和 webhook 配置:
sudo mkdir -p /var/lib/rancher/rke2/server/audit sudo tee /var/lib/rancher/rke2/server/audit/audit-policy.yaml << 'EOF' apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: Metadata verbs: ["create"] resources: - group: "authorization.k8s.io" resources: ["subjectaccessreviews", "selfsubjectaccessreviews", "localsubjectaccessreviews"] - level: RequestResponse verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] resources: - group: "rbac.authorization.k8s.io" resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"] - level: Metadata verbs: ["create", "update", "delete"] resources: - group: "" resources: ["serviceaccounts"] - level: None EOF sudo tee /var/lib/rancher/rke2/server/audit/audit-webhook-config.yaml << 'EOF' apiVersion: v1 kind: Config clusters: - name: audit-collector cluster: server: http://127.0.0.1:8030/k8s-audit contexts: - context: cluster: audit-collector user: "" name: default-context current-context: default-context preferences: {} users: [] EOF - 配置 RKE2 使用稽核政策和 Webhook。編輯或建立
/etc/rancher/rke2/config.yaml:kube-apiserver-arg: - "audit-policy-file=/var/lib/rancher/rke2/server/audit/audit-policy.yaml" - "audit-webhook-config-file=/var/lib/rancher/rke2/server/audit/audit-webhook-config.yaml" - "audit-webhook-batch-max-size=1" kube-apiserver-extra-mount: - "/var/lib/rancher/rke2/server/audit:/var/lib/rancher/rke2/server/audit:ro"
- 重新啟動 RKE2 以套用變更。
sudo systemctl restart rke2-server
- 驗證配置。
sudo systemctl status rke2-server # Check kube-apiserver flags sudo /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml \ get pod -n kube-system -l component=kube-apiserver -o yaml | grep -E "audit-policy|audit-webhook"