Commit
OSDOCS-9437: adds custom audit log policies MicroShift
1 parent a1bfa14, commit 8526a5a
Showing 7 changed files with 188 additions and 5 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
:_mod-docs-content-type: ASSEMBLY | ||
[id="microshift-audit-logs-config"] | ||
= Customizing audit logging policies | ||
include::_attributes/attributes-microshift.adoc[] | ||
:context: microshift-audit-logs-config | ||
|
||
toc::[] | ||
|
||
You can use configuration values to control audit log file rotation and retention. | ||
|
||
include::modules/microshift-audit-logs-config-intro.adoc[leveloffset=+1] | ||
|
||
// About audit log profiles; OCP module, edit with conditionals and care | ||
include::modules/nodes-nodes-audit-config-about.adoc[leveloffset=+1] | ||
|
||
include::modules/microshift-audit-logs-config-proc.adoc[leveloffset=+1] | ||
|
||
include::modules/microshift-audit-logs-troubleshoot.adoc[leveloffset=+1] |
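Review bot: the assembly's one-line summary, `You can use configuration values to control audit log file rotation and retention.`, undersells the included procedure, which also sets `profile`, i.e. what the API server records rather than only how the files rotate; consider `...to control audit log file rotation, retention, and the audit profile` so that readers looking for request-body logging find this page. Also, no verification step lives in the procedure module; the troubleshooting module is the only place the effective values are shown, so its include here is load-bearing.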
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
// Text snippet included in the following assemblies: | ||
// | ||
// * microshift_configuring/microshift-audit-logs-config.adoc | ||
|
||
:_mod-docs-content-type: CONCEPT | ||
[id="microshift-audit-logs-config-intro_{context}"] | ||
= About setting limits on audit log files | ||
|
||
Using configuration values to control audit log file rotation and retention can help keep far-edge devices from exceeding limited storage capacities. On such devices, logging data accumulation can limit host system or cluster workloads, potentially bricking a device. Setting audit log policies can help ensure that critical processing space is continually available. | ||
|
||
Together, the values specified in a customized audit log policy enable you to enforce the size, number, and age limits of audit log backups. Field values are processed independently of one another and without prioritization. You can set fields in combination to define a maximum storage limit for retained logs. For example: | ||
|
||
* Set both `maxFileSize` and `maxFiles` to create a log storage upper limit. | ||
* Set a `maxFileAge` value to automatically delete files older than the timestamp in the file name, regardless of the `maxFiles` value. | ||
[id="Default-audit-log-values_{context}"] | ||
== Default audit log values | ||
|
||
{microshift-short} includes the following default audit log rotation values: | ||
|
||
The `maxFileSize` default is 200Mb. | ||
The `maxFiles` default is 10 files. | ||
The `maxFileAge` default is 0, disabling the age limit. | ||
|
||
Therefore, the default maximum storage consumption of audit logs is 2000Mb, provided that all files are less than 10 days old. | ||
|
||
If you do not specify a value for a field, the default value is used. If you remove a field previously set, the default value is restored after the next {microshift-short} service restart. |
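Review bot: the sizing sentence contradicts the defaults listed directly above it: with `maxFileAge` defaulting to `0` (age limit disabled), the qualifier `provided that all files are less than 10 days old` has no basis and should be dropped; and because `maxFiles` counts rotated backups in addition to the live log (as the procedure module's callout 2 states), 10 backups at 200 MB plus an active log of up to 200 MB is about 2200 MB, not 2000. Use `MB` rather than `Mb` throughout (megabits is a different unit, and the procedure module says megabytes), and reword `delete files older than the timestamp in the file name` to say files whose file-name timestamp is older than `maxFileAge` days. Formatting: the `[id="Default-audit-log-values_{context}"]` anchor follows the bullet list with no blank line, which AsciiDoc may attach to the last list item; insert a blank line and use the lowercase id style (`default-audit-log-values_{context}`) used by the other modules; the three default values read better as a bullet list than as three bare sentences.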
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
// Text snippet included in the following assemblies: | ||
// | ||
// * microshift_configuring/microshift-audit-logs-config.adoc | ||
|
||
:_mod-docs-content-type: PROCEDURE | ||
[id="microshift-configuring-audit-log-values_{context}"] | ||
= Configuring audit log values | ||
|
||
Use the {microshift-short} service configuration file to implement custom audit log settings. | ||
|
||
.Procedure | ||
|
||
. Add the following `apiServer` stanza to your {microshift-short} configuration file. If you need to make the file, run the following command: | ||
+ | ||
[source,terminal] | ||
---- | ||
$ sudo cat /etc/microshift/config.yaml | ||
---- | ||
+ | ||
.Example configuration | ||
[source,terminal] | ||
---- | ||
apiServer: | ||
auditLog: | ||
maxFileSize: 200 <1> | ||
maxFiles: 1 <2> | ||
maxFileAge: 7 <3> | ||
profile: Default <4> | ||
---- | ||
<1> The maximum audit log file size in megabytes. If the value is 0, the limit is disabled. In this example, if the live log reaches the 200Mb limit, it is rotated, causing any existing log backup to be deleted. | ||
<2> The maximum number of rotated audit log files to retain. After the limit is reached, the log files in order from oldest to newest are deleted until the specified limits are reached. When the value is 0, the limit is disabled. In this example, the value `1` results in only 1 file of size `maxFileSize` being retained in addition to the current active log. | ||
<3> Specifies the maximum time in days that log files are kept. Files older than this limit will be deleted. When the value is 0, the limit is disabled. In this example, after a log file is more than 7 days old, it is deleted. The deletion happens regardless of whether the live log has reached the maximum file size as give in the `maxFileSize` field value. | ||
<4> Logs only metadata for read and write requests; does not log request bodies except for OAuth access token requests. If you do not specify this field, the Default profile is used. | ||
|
||
. To specify a specific directory for logs, move the `/var/log/kube-apiserver` directory to your desired location by running the following command: | ||
+ | ||
[source,terminal] | ||
---- | ||
$ sudo mv /var/log/kube-apiserver <~/kube-apiserver> <1> | ||
---- | ||
<1> Replace _<~/kube-apiserver>_ with the path to the directory that you want to use. | ||
|
||
. Create a symlink to your custom directory at `/var/log/kube-apiserver` by running the following command: | ||
+ | ||
[source,terminal] | ||
---- | ||
$ sudo ln -s <~/kube-apiserver> /var/log/kube-apiserver <1> | ||
---- | ||
<1> Replace _<~/kube-apiserver>_ with the path to the directory that you want to use. | ||
|
||
. If you are configuring audit log policies on a running instance, restart {microshift-short} by entering the following command: | ||
+ | ||
[source,terminal] | ||
---- | ||
$ sudo systemctl restart microsohift | ||
---- | ||
|
||
//TODO Verification steps |
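Review bot: step 1 tells the reader to run `sudo cat /etc/microshift/config.yaml` "if you need to make the file", but `cat` only prints an existing file and fails when it is absent; say to create `/etc/microshift/config.yaml` with an editor (or to copy the `config.yaml.default` that MicroShift ships, if that is what is intended) and then add the stanza. The restart command in the last step has a typo, `microsohift`, so a copy-paste of the procedure fails at the end. The relocation steps need a security caveat: the `<~/kube-apiserver>` placeholder suggests a home directory, yet under `sudo` a `~` expands to root's home, and whatever target is chosen must keep root-only ownership and mode (the troubleshooting module shows `-rw-------. 1 root root`) and, on an SELinux-enforcing host, a label the API server is allowed to write to; otherwise audit records end up either readable by other users or silently not written. Moving the directory while the service is running also races with rotation between the `mv` and the `ln -s`, so stop the service first (or perform the move before the first start) rather than only restarting afterwards. Minor: the YAML example is tagged `[source,terminal]` and should be `[source,yaml]`; callout 2 repeats "until the specified limits are reached" after already saying "After the limit is reached"; callout 3 has "as give in" for "as given in"; and the `//TODO Verification steps` can reuse `sudo microshift show-config --mode effective` from the troubleshooting module.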
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
// Text snippet included in the following assemblies: | ||
// | ||
// * microshift_configuring/microshift-audit-logs-config.adoc | ||
|
||
:_mod-docs-content-type: PROCEDURE | ||
[id="microshift-troubleshooting-audit-logs_{context}"] | ||
= Troubleshooting audit log configuration | ||
|
||
Use the following steps to troubleshoot custom audit log settings and file locations. | ||
|
||
.Procedure | ||
|
||
* Check the current values that are configured by running the following command: | ||
+ | ||
[source,terminal] | ||
---- | ||
$ sudo microshift show-config --mode effective | ||
---- | ||
.Example output | ||
[source,yaml] | ||
---- | ||
auditLog: | ||
maxFileSize: 200 | ||
maxFiles: 1 | ||
maxFileAge: 7 | ||
profile: AllRequestBodies | ||
---- | ||
* Check the `audit.log` file permissions by running the following command: | ||
+ | ||
[source,terminal] | ||
---- | ||
$ sudo ls -ltrh /var/log/kube-apiserver/audit.log | ||
---- | ||
+ | ||
.Example output | ||
[source,terminal] | ||
---- | ||
-rw-------. 1 root root 46M Mar 12 09:52 /var/log/kube-apiserver/audit.log | ||
---- | ||
//TODO update for custom directory | ||
* List the contents of the current log directory by running the following command: | ||
+ | ||
[source,terminal] | ||
---- | ||
$ sudo ls -ltrh /var/log/kube-apiserver/ | ||
---- | ||
+ | ||
.Example output | ||
[source,terminal] | ||
---- | ||
total 6.0M | ||
-rw-------. 1 root root 2.0M Mar 12 10:56 audit-2024-03-12T14-56-16.267.log | ||
-rw-------. 1 root root 2.0M Mar 12 10:56 audit-2024-03-12T14-56-49.444.log | ||
-rw-------. 1 root root 962K Mar 12 10:57 audit.log | ||
---- |
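Review bot: the example outputs do not match the example configuration in the procedure module and should be aligned: the `show-config` output shows `profile: AllRequestBodies` where the procedure sets `profile: Default`, the directory listing shows two rotated backups of 2.0M against `maxFiles: 1` and `maxFileSize: 200`, and `show-config --mode effective` prints the whole effective configuration, so `auditLog` would appear nested under `apiServer:` rather than at top level. If `AllRequestBodies` is kept deliberately, add a caveat that this profile writes request bodies, which can include Secret contents, into the audit file. The permissions check says what to run but not what to expect; state that `audit.log` and its rotated siblings should be `-rw-------` owned by `root:root`, and that anything more permissive exposes the audit trail to local users. For the `//TODO update for custom directory`: both `ls` invocations already resolve through the symlink created in the procedure (the file path and the trailing `/` both follow it), so they work unchanged; add `sudo ls -ld /var/log/kube-apiserver` to show where the link points. Formatting: the first `.Example output` lacks the `+` list-continuation marker that the other two items use, so it will not render as part of the bullet.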