title | linkTitle | weight | date | description |
---|---|---|---|---|
Audit Policy | Audit Policy | 1 | 2019-11-19 | Enabling audit policy for minikube |
Overview
Auditing is not enabled in minikube by default. This tutorial shows how to provide an Audit Policy file to the minikube API server on startup.
Tutorial
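```shell
minikube stop

# Files placed under ~/.minikube/files/ are synced onto the minikube node on start.
mkdir -p ~/.minikube/files/etc/ssl/certs

cat <<EOF > ~/.minikube/files/etc/ssl/certs/audit-policy.yaml
# Log all requests at the Metadata level.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
EOF

# Point the API server at the policy file; a log path of "-" writes audit events to stdout.
minikube start \
  --extra-config=apiserver.audit-policy-file=/etc/ssl/certs/audit-policy.yaml \
  --extra-config=apiserver.audit-log-path=-

# Audit events appear in the API server's container log.
kubectl logs kube-apiserver-minikube -n kube-system | grep audit.k8s.io/v1
```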
The audit policy used in this tutorial is minimal and quite verbose: its single rule logs every request at the Metadata level. As a next step you might want to fine-tune the `audit-policy.yaml` file. To apply the changes, you need to stop and start minikube. Restarting minikube triggers the [file sync mechanism]({{< ref "/docs/handbook/filesync.md" >}}) that copies the YAML file onto the minikube node and causes the API server to read the changed policy file.
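
One possible tuned policy, as an added example that is not part of the original tutorial; the rule set, the chosen levels and the listed users and groups are assumptions to adapt to your cluster. It can replace the contents of the tutorial's `audit-policy.yaml`:

```yaml
# Added example (assumed rule set). Rules are evaluated top to bottom;
# the first rule that matches a request decides its audit level.
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so a request is not logged twice.
omitStages:
  - RequestReceived
rules:
  # Health and version probes: high volume, little security value.
  - level: None
    nonResourceURLs:
      - /healthz*
      - /livez*
      - /readyz*
      - /version
  # Read-only traffic from kubelets and control-plane components.
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get", "list", "watch"]
  - level: None
    users:
      - system:kube-scheduler
      - system:kube-controller-manager
    verbs: ["get", "list", "watch"]
  # Secrets, ConfigMaps and token reviews: Metadata only, so that
  # sensitive payloads never end up in the audit log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # RBAC changes: keep both request and response bodies.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: rbac.authorization.k8s.io
  # All other writes: keep the request body.
  - level: Request
    verbs: ["create", "update", "patch", "delete"]
  # Everything else (reads by users and workloads): Metadata.
  - level: Metadata
```

Because the first match wins, the Secrets rule must stay above the generic write rule; otherwise Secret contents would be logged at the Request level.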
Note: Currently there is no dedicated directory in `~/.minikube/` to store the `audit-policy.yaml` file. Using the `~/.minikube/files/etc/ssl/certs` directory is a workaround. It works like this: by putting the file into a sub-directory of `~/.minikube/files/`, the [file sync mechanism]({{< ref "/docs/handbook/filesync.md" >}}) gets triggered and copies the `audit-policy.yaml` file from the host onto the minikube node. When the API server container gets started by `kubeadm`, it mounts the `/etc/ssl/certs` directory from the minikube node into the container. This is the reason why the `audit-policy.yaml` file has to be stored in the SSL certs directory: it is one of the directories that get mounted from the minikube node into the container.