Change KubeApiserver Audit Settings with "audit-log-maxbackup" and "audit-log-maxsize" in OpenShift Container Platform 4
Environment
- OpenShift Container Platform (OCP)
- 4.6
Issue
- How to change the KubeApiserver Audit Settings in OpenShift Container Platform 4?
- How to change the default settings of '10' max logs and '100' MiB log size for the KubeApiserver?
Resolution
- There is currently no supported way to change "audit-log-maxbackup" and "audit-log-maxsize" for OpenShift Container Platform 4. unsupportedConfigOverrides can be used to override the default apiServerArguments configuration by editing the KubeAPIServer CRD using the following command:
# oc edit kubeapiserver
apiVersion: operator.openshift.io/v1
kind: KubeAPIServer
...
spec:
  unsupportedConfigOverrides:
    apiServerArguments:
      audit-log-maxbackup:
      - "5"
      audit-log-maxsize:
      - "200"
Please note that using unsupportedConfigOverrides is NOT supported by Red Hat and will block future OpenShift Container Platform upgrades.
For OpenShiftApiServer audit settings, please refer to Change OpenShiftApiserver Audit Settings with "audit-log-maxbackup" and "audit-log-maxsize" in OpenShift Container Platform 4
Root Cause
- The Operator for the Kube API Server does not allow changes to the default "audit-log-maxbackup" and "audit-log-maxsize" configuration.
Diagnostic Steps
After the change is saved with oc edit kubeapiserver, all the master kubeapiserver pods are redeployed with the new settings. The progress of the rollout can be checked with the following command:
# oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}{.reason}{"\n"}{.message}{"\n"}'
2 nodes are at revision 8; 1 nodes are at revision 10
The "audit-log-maxbackup" and "audit-log-maxsize" arguments set under unsupportedConfigOverrides change the kubeapiserver config.yaml file, as shown in the following output:
# oc -n openshift-kube-apiserver get cm config -o jsonpath='{.data.config\.yaml}' | jq . | grep -A 20 apiServerArguments
  "apiServerArguments": {
    "allow-privileged": [
      "true"
    ],
    "anonymous-auth": [
      "true"
    ],
    "api-audiences": [
      "https://kubernetes.default.svc"
    ],
    "audit-log-format": [
      "json"
    ],
    "audit-log-maxbackup": [
      "5"
    ],
    "audit-log-maxsize": [
      "200"
    ],
    "audit-log-path": [
      "/var/log/kube-apiserver/audit.log"
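The two diagnostic checks above can be combined into one verification step. The following Python 3 script is an added example, not part of the original article or of any Red Hat tooling: it reads the rendered config JSON and the NodeInstallerProgressing message, confirms the intended values, and reports how many masters are still on an older revision. The function names and the sample inputs are constructed for illustration.

```python
import json
import re

# Constructed sample inputs, modelled on the two command outputs shown above.
SAMPLE_CONFIG = json.dumps({"apiServerArguments": {
    "audit-log-maxbackup": ["5"],
    "audit-log-maxsize": ["200"],
    "audit-log-path": ["/var/log/kube-apiserver/audit.log"],
}})
SAMPLE_MESSAGE = "2 nodes are at revision 8; 1 nodes are at revision 10"


def audit_rotation(config_json):
    """Return (maxbackup, maxsize, retained) read from the rendered config JSON."""
    args = json.loads(config_json).get("apiServerArguments", {})
    try:
        maxbackup = int(args["audit-log-maxbackup"][0])
        maxsize = int(args["audit-log-maxsize"][0])
    except (KeyError, IndexError, ValueError) as exc:
        raise ValueError(f"audit rotation argument missing or invalid: {exc!r}")
    # Upper bound per master: the active file plus the rotated backups, in the
    # unit of audit-log-maxsize. In upstream kube-apiserver a maxbackup of 0
    # means no limit on the number of files, so there is no bound to report.
    retained = (maxbackup + 1) * maxsize if maxbackup > 0 else None
    return maxbackup, maxsize, retained


def rollout_state(message):
    """Parse 'N nodes are at revision R; ...' into {revision: node_count}."""
    pairs = re.findall(r"(\d+) nodes? (?:is|are) at revision (\d+)", message)
    if not pairs:
        raise ValueError(f"unrecognised NodeInstallerProgressing message: {message!r}")
    return {int(rev): int(count) for count, rev in pairs}


def verify(config_json, message, want_backup, want_size):
    """Compare rendered settings with the intended ones and report rollout progress."""
    backup, size, retained = audit_rotation(config_json)
    revisions = rollout_state(message)
    latest = max(revisions)
    return {
        "settings_match": (backup, size) == (want_backup, want_size),
        "rollout_complete": len(revisions) == 1,
        "pending_nodes": sum(n for rev, n in revisions.items() if rev != latest),
        "retained_per_node": retained,
    }


if __name__ == "__main__":
    print(verify(SAMPLE_CONFIG, SAMPLE_MESSAGE, want_backup=5, want_size=200))
```

A matching config map only shows that the operator has rendered the new values. Masters still counted in pending_nodes keep rotating audit logs with the previous settings until their revision catches up.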
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.