RP:
Hi All, in the lab for audit logs, the last question asks to create a policy and enable auditing logs in the cluster (kubeadm). I edited the kube-apiserver manifest file to enable the audit logging, but the kube-apiserver is not restarting properly. Anybody else faced this same problem?
Config added to the Kube-apiserver manifest file:
- --audit-log-path=/var/log/prod-secrets.log
- --audit-policy-file=/etc/kubernetes/prod-audit.yaml
- --audit-log-maxage=30
- mountPath: /etc/kubernetes/prod-audit.yaml
name: audit
readOnly: true
- mountPath: /var/log/prod-secrets.log
name: audit-log
readOnly: false
- name: audit
hostPath:
path: /etc/kubernetes/prod-audit.yaml
type: File - name: audit-log
hostPath:
path: /var/log/prod-secrets.log
type: FileOrCreate
Policy file created:
cat /etc/kubernetes/prod-audit.yaml
apiVersion: http://audit.k8s.io/v1|audit.k8s.io/v1
kind: Policy
rules:
- namespaces: [“prod”]
verbs: [“delete”]
resources:- groups: “”
resources: [“secrets”]
level: metadata
root@controlplane:~#
- groups: “”
Error:
root@controlplane:~# kubectl get pods -n kube-system
The connection to the server controlplane:6443 was refused - did you specify the right host or port?
root@controlplane:~#
root@controlplane:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e7f7e42bab76 http://k8s.gcr.io/pause:3.2|k8s.gcr.io/pause:3.2 “/pause” 10 minutes ago Up 10 minutes k8s_POD_kube-apiserver-controlplane_kube-system_8e34c2152da21ce5f8effd4576c47ab9_2