---
# System prepended metadata

title: Question 14: Audit
tags: [exam question walkthrough]

---

# Question 14: Audit
###### tags: `exam question walkthrough`

Switch to the cluster: `kubectl config use-context k8s`

**Task**
Enable audit logs in the cluster. To do so, enable the log backend, and ensure that:
* logs are stored at **/var/log/kubernetes/audit-logs.txt**
* log files are retained for **5 days**
* at maximum, a number of 10 audit log files are retained

A basic policy is provided at /etc/kubernetes/logpolicy/sample-policy.yaml. It only specifies what not to log.

The base policy is located on the cluster's master node.
Edit and extend the basic policy to log:

* namespaces changes at RequestResponse level
* the request body of pods changes in the namespace **front-apps**
* configMap and secret changes in all namespaces at the Metadata level

Also, add a catch-all rule to log all other requests at the Metadata level.
Don't forget to apply the modified policy.


## Solution
During the exam, refer directly to the official docs: [k8s.io/audit](https://v1-20.docs.kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy)

An audit logic diagram I drew in Miro, for reference:
![](https://i.imgur.com/u6Dcclf.png)

Step 1: create the audit policy according to the task, using the official example as a base:
```
# in this example my audit policy lives under /etc/kubernetes/audit; check the task for the actual location
root@ubuk8s-vm01:/etc/kubernetes/audit# ls
audit_policy.yaml  audit_policy.yaml.bak
```
My solution according to the task. Note that kube-apiserver evaluates the rules in order and the first match wins, so the first rule needs a `resources` selector for `namespaces`; a bare `level: RequestResponse` rule would match every request and the rules after it would never apply.

Edit `audit_policy.yaml`:
```
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
rules:
  # namespace changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["namespaces"]

  # request body of pod changes in namespace front-apps
  - level: Request
    resources:
    - group: ""
      resources: ["pods"]
    namespaces: ["front-apps"]

  # configMap and secret changes in all namespaces at Metadata level
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["configmaps", "secrets"]

  # catch-all: everything else at Metadata level
  - level: Metadata
```
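Because kube-apiserver applies the first matching rule, the order and selectors of the policy decide what actually gets logged. As an added example (not part of the original post), this small Python evaluator models only the selectors this task uses (`level`, `resources`, `namespaces`), with the policy written as Python dicts rather than parsed from YAML, and shows that a first rule lacking `resources` logs everything at RequestResponse and leaves the remaining rules unreachable; verbs, users and omitStages are not modelled.

```python
# Added example, not from the original post: a minimal first-match evaluator
# for the audit-policy selectors this task uses (level, resources, namespaces).
# Verbs, users and omitStages are deliberately not modelled.

# The corrected policy from above, as Python dicts so no YAML parser is needed.
POLICY_RULES = [
    {"level": "RequestResponse",
     "resources": [{"group": "", "resources": ["namespaces"]}]},
    {"level": "Request",
     "resources": [{"group": "", "resources": ["pods"]}],
     "namespaces": ["front-apps"]},
    {"level": "Metadata",
     "resources": [{"group": "", "resources": ["configmaps", "secrets"]}]},
    {"level": "Metadata"},  # catch-all: no selector, so it matches everything
]

# The same policy with the `resources` selector missing from the first rule.
BROKEN_RULES = [{"level": "RequestResponse"}] + POLICY_RULES[1:]


def rule_matches(rule, group, resource, namespace):
    """Every selector the rule specifies must match; an absent selector
    matches all requests (which is what makes a bare `level:` a catch-all)."""
    if "resources" in rule and not any(
            gr.get("group", "") == group
            and (not gr.get("resources") or resource in gr["resources"])
            for gr in rule["resources"]):
        return False
    # an empty string in `namespaces` would match cluster-scoped requests
    if "namespaces" in rule and namespace not in rule["namespaces"]:
        return False
    return True


def audit_level(rules, group, resource, namespace=""):
    """kube-apiserver applies the first matching rule; no match means None."""
    for rule in rules:
        if rule_matches(rule, group, resource, namespace):
            return rule["level"]
    return "None"


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule has no selector."""
    for i, rule in enumerate(rules):
        if "resources" not in rule and "namespaces" not in rule:
            return list(range(i + 1, len(rules)))
    return []
```

`audit_level(BROKEN_RULES, "", "secrets", "kube-system")` returns RequestResponse instead of the intended Metadata, and `shadowed_rules(BROKEN_RULES)` reports rules 1 to 3 as unreachable.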
Then modify the kube-apiserver parameters according to the task:
![](https://i.imgur.com/DfrW5Nr.png)

Make sure the audit policy file path and the log output location are both correctly mounted into the kube-apiserver pod.

**Tip: the log output location uses `type: FileOrCreate` and is mounted with `readOnly: false`; there is an example at the bottom of the official docs.**
```
# excerpt of the static pod manifest /etc/kubernetes/manifests/kube-apiserver.yaml (kubeadm default location)
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    # existing flags omitted; these four implement the task requirements
    - --audit-policy-file=/etc/kubernetes/audit/audit_policy.yaml
    - --audit-log-path=/var/log/kubernetes/audit-logs.txt
    - --audit-log-maxage=5
    - --audit-log-maxbackup=10
    volumeMounts:
    - mountPath: /etc/kubernetes/audit/audit_policy.yaml
      name: audit
      readOnly: true
    - mountPath: /var/log/kubernetes/audit-logs.txt
      name: audit-log
      readOnly: false
  volumes:
  - hostPath:
      path: /etc/kubernetes/audit/audit_policy.yaml
      type: File
    name: audit
  - hostPath:
      path: /var/log/kubernetes/audit-logs.txt
      type: FileOrCreate
    name: audit-log
```

## Verification
1. First make sure the apiserver comes back up. If it does not, don't panic; when practising, read [cks-exam-series-4-crash-that-apiserver](https://itnext.io/cks-exam-series-4-crash-that-apiserver-5f4d3d503028) to learn how to debug it.
2. Find audit-logs.txt under /var/log/kubernetes (if the kubernetes directory does not exist, create it by hand, otherwise the apiserver fails to start because the volume cannot be mounted; audit-logs.txt itself does not need to be created manually).
3. Run `tail -f audit-logs.txt | jq` and check that log entries keep appearing.