Linux Foundation CKS Exam - Topic 1 Question 28 Discussion
You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context test-account

Task:
Enable audit logs in the cluster. To do so, enable the log backend, and ensure that:
1. logs are stored at /var/log/Kubernetes/logs.txt
2. log files are retained for 5 days
3. at maximum, a number of 10 old audit log files are retained

A basic policy is provided at /etc/Kubernetes/logpolicy/audit-policy.yaml. It only specifies what not to log.
Note: The base policy is located on the cluster's master node.

Edit and extend the basic policy to log:
1. Nodes changes at RequestResponse level
2. The request body of persistentvolumes changes in the namespace frontend
3. ConfigMap and Secret changes in all namespaces at the Metadata level

Also, add a catch-all rule to log all other requests at the Metadata level.
Note: Don't forget to apply the modified policy.
A) Explanation:

$ vim /etc/kubernetes/log-policy/audit-policy.yaml

  - level: RequestResponse
    userGroups: ['system:nodes']
  - level: Request
    resources:
    - group: '' # core API group
      resources: ['persistentvolumes']
    namespaces: ['frontend']
  - level: Metadata
    resources:
    - group: ''
      resources: ['configmaps', 'secrets']
  - level: Metadata

$ vim /etc/kubernetes/manifests/kube-apiserver.yaml

Add these:
    - --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml
    - --audit-log-path=/var/log/kubernetes/logs.txt
    - --audit-log-maxage=5
    - --audit-log-maxbackup=10
Explanation

[desk@cli] $ ssh master1
[master1@cli] $ vim /etc/kubernetes/log-policy/audit-policy.yaml

apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - 'RequestReceived'
rules:
  # Don't log watch requests by the 'system:kube-proxy' on endpoints or services
  - level: None
    users: ['system:kube-proxy']
    verbs: ['watch']
    resources:
    - group: '' # core API group
      resources: ['endpoints', 'services']
  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ['system:authenticated']
    nonResourceURLs:
    - '/api*' # Wildcard matching.
    - '/version'
  # Add your changes below
  - level: RequestResponse
    userGroups: ['system:nodes'] # Block for nodes
  - level: Request
    resources:
    - group: '' # core API group
      resources: ['persistentvolumes'] # Block for persistentvolumes
    namespaces: ['frontend'] # Block for persistentvolumes of frontend ns
  - level: Metadata
    resources:
    - group: '' # core API group
      resources: ['configmaps', 'secrets'] # Block for configmaps & secrets
  - level: Metadata # Block for everything else

[master1@cli] $ vim /etc/kubernetes/manifests/kube-apiserver.yaml

apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.0.5:6443
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.5
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml # Add this
    - --audit-log-path=/var/log/kubernetes/logs.txt # Add this
    - --audit-log-maxage=5 # Add this
    - --audit-log-maxbackup=10 # Add this
    ...
output truncated
Note: the log volume and the policy volume are already mounted in /etc/kubernetes/manifests/kube-apiserver.yaml, so there is no need to add volume mounts. Because kube-apiserver runs as a static pod, saving the edited manifest is what applies the change: the kubelet restarts the pod with the new flags, and the policy is read when the API server starts.
Reference: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
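The answer above edits the policy but never shows how the API server decides which rule applies to a given request. Audit rules are evaluated in order and the first match wins, which is why the catch-all has to be last. The script below is an added example for this discussion, not code from the Kubernetes project or from the exam material: it models the documented matching semantics of audit.k8s.io/v1 rule fields (users, userGroups, verbs, resources, namespaces, nonResourceURLs), mirrors the answer's policy as a Python list, and runs a set of constructed sample requests (the usernames, groups and namespaces are made up) through it to show the level each one gets.

```python
"""First-match evaluation of a kube-apiserver audit policy.

Added example for this page; not Kubernetes project code. The matching
follows the documented semantics of audit.k8s.io/v1 Policy rules: rules
are tried in order, the first match decides the level, and a request that
matches no rule is not audited. POLICY mirrors the answer's
audit-policy.yaml; REQUESTS are constructed samples, not real events.
"""
from dataclasses import dataclass


@dataclass
class Request:
    """Request attributes an audit rule can select on."""
    user: str
    groups: list
    verb: str
    api_group: str = ""    # "" is the core API group
    resource: str = ""     # empty for non-resource URLs such as /version
    subresource: str = ""  # e.g. "status" for pods/status
    namespace: str = ""    # "" for cluster-scoped objects (nodes, persistentvolumes)
    path: str = ""         # non-resource URL path

    @property
    def is_resource_request(self) -> bool:
        return self.resource != ""


# Same rules, same order, as the extended audit-policy.yaml above.
POLICY = [
    {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
     "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
    {"level": "None", "userGroups": ["system:authenticated"],
     "nonResourceURLs": ["/api*", "/version"]},
    {"level": "RequestResponse", "userGroups": ["system:nodes"]},
    {"level": "Request", "namespaces": ["frontend"],
     "resources": [{"group": "", "resources": ["persistentvolumes"]}]},
    {"level": "Metadata",
     "resources": [{"group": "", "resources": ["configmaps", "secrets"]}]},
    {"level": "Metadata"},  # catch-all: no selectors, so it matches everything
]


def _path_matches(path: str, spec: str) -> bool:
    """Exact match, or a trailing '*' matches any subpath."""
    if spec == "*" or spec == path:
        return True
    return spec.endswith("*") and path.startswith(spec.rstrip("*"))


def _resource_matches(rule: dict, req: Request) -> bool:
    if not req.is_resource_request:
        return False
    # An empty list means every namespace; "" would select cluster-scoped objects.
    if rule.get("namespaces") and req.namespace not in rule["namespaces"]:
        return False
    if not rule.get("resources"):
        return True
    combined = req.resource + (f"/{req.subresource}" if req.subresource else "")
    for gr in rule["resources"]:
        if gr.get("group", "") != req.api_group:
            continue
        if not gr.get("resources"):
            return True  # whole API group selected
        if req.resource in gr["resources"] or combined in gr["resources"]:
            return True
    return False


def rule_matches(rule: dict, req: Request) -> bool:
    """Every selector present in the rule must match; absent selectors match all."""
    if rule.get("users") and req.user not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(req.groups):
        return False
    if rule.get("verbs") and req.verb not in rule["verbs"]:
        return False
    if rule.get("namespaces") or rule.get("resources"):
        return _resource_matches(rule, req)
    if rule.get("nonResourceURLs"):
        return (not req.is_resource_request
                and any(_path_matches(req.path, s) for s in rule["nonResourceURLs"]))
    return True


def audit_level(policy: list, req: Request) -> str:
    """Level of the first matching rule; 'None' if nothing matches."""
    for rule in policy:
        if rule_matches(rule, req):
            return rule["level"]
    return "None"


# Constructed sample requests, one per interesting path through the policy.
AUTH = ["system:authenticated"]
REQUESTS = {
    "kube-proxy watches endpoints": Request("system:kube-proxy", AUTH, "watch", resource="endpoints"),
    "user reads /version": Request("jane", AUTH, "get", path="/version"),
    "kubelet patches pod status": Request("system:node:worker1", ["system:nodes"] + AUTH, "patch",
                                          resource="pods", subresource="status", namespace="kube-system"),
    # PersistentVolume is cluster-scoped: namespace is "", the 'frontend' rule
    # cannot match, and the request falls through to the catch-all.
    "admin creates persistentvolume": Request("kubernetes-admin", ["system:masters"] + AUTH, "create",
                                              resource="persistentvolumes"),
    "ci-bot updates secret in prod": Request("ci-bot", AUTH, "update", resource="secrets", namespace="prod"),
    "admin creates deployment in frontend": Request("kubernetes-admin", ["system:masters"] + AUTH, "create",
                                                    api_group="apps", resource="deployments", namespace="frontend"),
    "anonymous probes /healthz": Request("system:anonymous", ["system:unauthenticated"], "get", path="/healthz"),
}


def evaluate_all(policy: list = POLICY) -> dict:
    """Map each sample request to the audit level the policy assigns it."""
    return {name: audit_level(policy, req) for name, req in REQUESTS.items()}
```

Two things the run makes visible. First, the `system:nodes` rule has no resource selector, so every request from a kubelet is logged at RequestResponse, whatever object it touches; that is what "Nodes changes" resolves to once written as a userGroups rule. Second, PersistentVolume objects are cluster-scoped, so their requests carry an empty namespace and a rule restricted to `namespaces: ['frontend']` never fires for them; in this policy such a request is logged at Metadata by the catch-all rather than at Request. Dropping the catch-all (`POLICY[:-1]`) shows the other failure mode: anything no rule selects produces no audit event at all.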