Chapter 6. Setting audit log levels for the Prometheus Adapter

1. Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring project:

   $ oc -n openshift-monitoring edit configmap cluster-monitoring-config

2. Add profile: in the k8sPrometheusAdapter/audit section under data/config.yaml:

   apiVersion: v1
   kind: ConfigMap
   metadata:
     name: cluster-monitoring-config
     namespace: openshift-monitoring
   data:
     config.yaml: |
       k8sPrometheusAdapter:
         audit:
           profile: <audit_log_level> 1

   1

   The audit log level to apply to the Prometheus Adapter.

3. Set the audit log level by using one of the following values for the profile: parameter:

   • None: Do not log events.
   • Metadata: Log only the metadata for the request, such as user, timestamp, and so forth. Do not log the request text and the response text. Metadata is the default audit log level.
   • Request: Log only the metadata and the request text but not the response text. This option does not apply for non-resource requests.
   • RequestResponse: Log event metadata, request text, and response text. This option does not apply for non-resource requests.

4. Save the file to apply the changes. The pods for the Prometheus Adapter restart automatically when you apply the change.

   Warning

   When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted.

Verification

1. In the config map, under k8sPrometheusAdapter/audit/profile, set the log level to Request and save the file.

2. Confirm that the pods for the Prometheus Adapter are running. The following example lists the status of pods in the openshift-monitoring project:

   $ oc -n openshift-monitoring get pods

3. Confirm that the audit log level and audit log file path are correctly configured:

   $ oc -n openshift-monitoring get deploy prometheus-adapter -o yaml

   Example output

   ...
     - --audit-policy-file=/etc/audit/request-profile.yaml
     - --audit-log-path=/var/log/adapter/audit.log

4. Confirm that the correct log level has been applied in the prometheus-adapter deployment in the openshift-monitoring project:

   $ oc -n openshift-monitoring exec deploy/prometheus-adapter -c prometheus-adapter -- cat /etc/audit/request-profile.yaml

   Example output

   "apiVersion": "audit.k8s.io/v1"
   "kind": "Policy"
   "metadata":
     "name": "Request"
   "omitStages":
   - "RequestReceived"
   "rules":
   - "level": "Request"

   Note

   If you enter an unrecognized profile value for the Prometheus Adapter in the ConfigMap object, no changes are made to the Prometheus Adapter, and an error is logged by the Cluster Monitoring Operator.

5. Review the audit log for the Prometheus Adapter:

   $ oc -n openshift-monitoring exec -c <prometheus_adapter_pod_name> -- cat /var/log/adapter/audit.log