红帽全球峰会4.7. 为 Prometheus Adapter 设置审计日志级别
在默认平台监控中,您可以为 Prometheus Adapter 配置审计日志级别。
先决条件
-
已安装 OpenShift CLI(
oc)。 -
您可以使用具有
cluster-admin集群角色的用户身份访问集群。 -
您已创建
cluster-monitoring-configConfigMap对象。
流程
您可以在默认 openshift-monitoring 项目中为 Prometheus Adapter 设置审计日志级别:
编辑
openshift-monitoring项目中的cluster-monitoring-configConfigMap对象:oc -n openshift-monitoring edit configmap cluster-monitoring-config
$ oc -n openshift-monitoring edit configmap cluster-monitoring-configCopy to Clipboard Copied! Toggle word wrap Toggle overflow 在
data/config.yaml下的k8sPrometheusAdapter/audit部分中添加profile:Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- 应用到 Prometheus Adapter 的审计日志级别。
使用
profile:参数的以下值之一设置审计日志级别:-
None:不记录事件。 -
Metadata:仅记录请求的元数据,如用户、时间戳等。不要记录请求文本和响应文本。metadata是默认的审计日志级别。 -
Request:仅记录元数据和请求文本,而不记录响应文本。这个选项不适用于非资源请求。 -
RequestResponse:日志事件元数据、请求文本和响应文本。这个选项不适用于非资源请求。
-
- 保存文件以使改变生效。受新配置影响的 Pod 会自动重新部署。
验证
-
在配置映射的
k8sPrometheusAdapter/audit/profile下,将日志级别设置为Request并保存文件。 确认 Prometheus Adapter 的 pod 正在运行。以下示例列出了
openshift-monitoring项目中的 pod 状态:oc -n openshift-monitoring get pods
$ oc -n openshift-monitoring get podsCopy to Clipboard Copied! Toggle word wrap Toggle overflow 确认正确配置了审计日志级别和审计日志文件路径:
oc -n openshift-monitoring get deploy prometheus-adapter -o yaml
$ oc -n openshift-monitoring get deploy prometheus-adapter -o yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow 输出示例
... - --audit-policy-file=/etc/audit/request-profile.yaml - --audit-log-path=/var/log/adapter/audit.log
... - --audit-policy-file=/etc/audit/request-profile.yaml - --audit-log-path=/var/log/adapter/audit.logCopy to Clipboard Copied! Toggle word wrap Toggle overflow 确认
openshift-monitoring项目中的prometheus-adapter部署中应用了正确的日志级别:oc -n openshift-monitoring exec deploy/prometheus-adapter -c prometheus-adapter -- cat /etc/audit/request-profile.yaml
$ oc -n openshift-monitoring exec deploy/prometheus-adapter -c prometheus-adapter -- cat /etc/audit/request-profile.yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow 输出示例
Copy to Clipboard Copied! Toggle word wrap Toggle overflow 注意如果您为
ConfigMap对象中的 Prometheus Adapter 输入了一个未识别的profile值,则不会对 Prometheus Adapter 进行任何更改,Cluster Monitoring Operator 会记录错误。查看 Prometheus Adapter 的审计日志:
oc -n openshift-monitoring exec -c <prometheus_adapter_pod_name> -- cat /var/log/adapter/audit.log
$ oc -n openshift-monitoring exec -c <prometheus_adapter_pod_name> -- cat /var/log/adapter/audit.logCopy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}