7.6.19. 高级审计

高级审计功能对基本审计功能进行了一些改进，包括精细的事件过滤和多个输出后端。

要启用高级审计功能，您可以创建一个审计策略文件，并在 openshift_master_audit_config 和 openshift_master_audit_policyfile 参数中指定以下值：

openshift_master_audit_config={"enabled": true, "auditFilePath": "/var/log/origin/audit-ocp.log", "maximumFileRetentionDays": 14, "maximumFileSizeMegabytes": 500, "maximumRetainedFiles": 5, "policyFile": "/etc/origin/master/adv-audit.yaml", "logFormat":"json"}
openshift_master_audit_policyfile="/<path>/adv-audit.yaml"

openshift_master_audit_config={"enabled": true, "auditFilePath": "/var/log/origin/audit-ocp.log", "maximumFileRetentionDays": 14, "maximumFileSizeMegabytes": 500, "maximumRetainedFiles": 5, "policyFile": "/etc/origin/master/adv-audit.yaml", "logFormat":"json"}
openshift_master_audit_policyfile="/<path>/adv-audit.yaml"

Copy to Clipboard

Toggle word wrap

重要

您必须在安装集群前创建 adv-audit.yaml 文件，并指定其在集群清单文件中的位置。

下表包含您可以使用的附加选项。

Expand

表 7.19. 高级审计配置参数
参数名称	描述
`policyFile`	定义审计策略配置的文件的路径。
`policyConfiguration`	嵌入式审计策略配置。
`logFormat`	指定保存的审计日志的格式。允许的值是 `legacy` （基本审计中使用的格式）和 `json`。
`webHookKubeConfig`	定义审计 Webhook 配置的 `.kubeconfig` 格式文件的路径，事件发送到其中。
`webHookMode`	指定发送审计事件的策略。允许的值是 `block` （块处理另一个事件，直到之前已完全处理）和 `batch` （以批处理的形式缓冲事件并交付）。

重要

要启用高级审计功能，您必须提供 policyFile 或 policyConfiguration 描述审计规则：

Audit 策略配置示例

apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:

  # Do not log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None 
    users: ["system:kube-proxy"] 
    verbs: ["watch"] 
    resources: 
    - group: ""
      resources: ["endpoints", "services"]

  # Do not log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"] 
    nonResourceURLs: 
    - "/api*" # Wildcard matching.
    - "/version"

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"] 

  # Log configmap and secret changes in all other namespaces at the metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.

  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata 

  # Log login failures from the web console or CLI. Review the logs and refine your policies.
  - level: Metadata
    nonResourceURLs:
    - /login* 
    - /oauth*

apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:

  # Do not log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None


    users: ["system:kube-proxy"]


    verbs: ["watch"]


    resources:


    - group: ""
      resources: ["endpoints", "services"]

  # Do not log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]


    nonResourceURLs:


    - "/api*" # Wildcard matching.
    - "/version"

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]



  # Log configmap and secret changes in all other namespaces at the metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.

  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata



  # Log login failures from the web console or CLI. Review the logs and refine your policies.
  - level: Metadata
    nonResourceURLs:
    - /login*


    - /oauth*

Copy to Clipboard

Toggle word wrap

1 8

每个事件都可以记录四个可能级别：

None - 不记录与此规则匹配的日志事件。
Metadata - 日志请求元数据（请求用户、时间戳、资源、操作等），但不请求或响应正文。这与基本审计中使用的级别相同。
Request - 日志记录事件元数据和请求正文，但不包括响应的正文。
RequestResponse - 日志记录事件元数据、请求和响应正文。

2

适用于规则的用户列表。一个空列表表示每个用户。

3

此规则应用到的操作动词列表。一个空列表表示每个动词。这是与 API 请求关联的 Kubernetes 动词（包括 get, list, watch, create, update, patch, delete, deletecollection, 和 proxy）。

4