Change KubeApiserver Audit Settings with "audit-log-maxbackup" and "audit-log-maxsize" in OpenShift Container Platform 4

Solution Unverified - Updated -

Environment

  • OpenShift Container Platform (OCP)
    • 4.6

Issue

  • How to change the KubeApiserver Audit Settings in OpenShift Container Platform 4?
  • How to change the default settings of '10' for maxbackup and '100' MiB for log size for the KubeApiserver?

Resolution

  • There is currently no supported way to change the audit-log-maxbackup and audit-log-maxsize for OpenShift Container Platform 4.
  • unsupportedConfigOverrides can be used to override the default apiServerArguments configuration by editing the KubeAPIServer custom resource using the following command:
# oc edit kubeapiserver
apiVersion: operator.openshift.io/v1
kind: KubeAPIServer
...
spec:
  unsupportedConfigOverrides:
    apiServerArguments:
      audit-log-maxbackup:
      - "5"
      audit-log-maxsize:
      - "200"

Please note that using unsupportedConfigOverrides is NOT supported by Red Hat and will block future OpenShift Container Platform Upgrades.

For OpenShiftApiServer audit settings, please refer to Change OpenShiftApiserver Audit Settings with "audit-log-maxbackup" and "audit-log-maxsize" in OpenShift Container Platform 4

Root Cause

  • The Operator for the Kube API Server does not allow changes to the default audit-log-maxbackup and audit-log-maxsize configuration.

Diagnostic Steps

After the change is saved with oc edit kubeapiserver, all the master kubeapiserver pods are redeployed with the new settings. The rollout progress can be checked with the following command:

# oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}{.reason}{"\n"}{.message}{"\n"}'
2 nodes are at revision 8; 1 nodes are at revision 10

Setting audit-log-maxbackup and audit-log-maxsize under unsupportedConfigOverrides changes the rendered kubeapiserver config.yaml, which can be inspected with the following command:

# oc -n openshift-kube-apiserver get cm config -o jsonpath='{.data.config\.yaml}' | jq . | grep -A 20 apiServerArguments
  "apiServerArguments": {
    "allow-privileged": [
      "true"
    ],
    "anonymous-auth": [
      "true"
    ],
    "api-audiences": [
      "https://kubernetes.default.svc"
    ],
    "audit-log-format": [
      "json"
    ],
    "audit-log-maxbackup": [
      "5"
    ],
    "audit-log-maxsize": [
      "200"
    ],
    "audit-log-path": [
      "/var/log/kube-apiserver/audit.log"
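
A check for the rendered settings shown above, as an added example that is not part of the original article or of Red Hat's tooling: it parses the config.yaml JSON from the config ConfigMap, compares it with the values placed in unsupportedConfigOverrides, and gives the worst-case amount of audit log retained per master. The function names and the sample input are constructed for illustration.

```python
import json
import sys

# Constructed sample: trimmed output of
#   oc -n openshift-kube-apiserver get cm config -o jsonpath='{.data.config\.yaml}'
SAMPLE_CONFIG = """
{"apiServerArguments": {
  "audit-log-format": ["json"],
  "audit-log-maxbackup": ["5"],
  "audit-log-maxsize": ["200"],
  "audit-log-path": ["/var/log/kube-apiserver/audit.log"]
}}
"""

KEYS = ("audit-log-maxbackup", "audit-log-maxsize")


def audit_settings(config_text):
    """Return the rendered rotation settings as integers (None if a key is absent)."""
    args = json.loads(config_text).get("apiServerArguments", {})
    # Every apiServerArguments value is a list of strings, e.g. ["200"].
    return {key: int(args[key][0]) if args.get(key) else None for key in KEYS}


def check_rollout(config_text, expected):
    """Map each setting that differs to (expected, actual); empty means applied."""
    actual = audit_settings(config_text)
    return {k: (v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v}


def retained_size_bound(settings):
    """Worst-case audit log kept per master, in the unit of audit-log-maxsize.

    One active file plus maxbackup rotated files. Returns None when a value is
    missing or maxbackup is 0, which kube-apiserver treats as "no limit".
    """
    backups, size = settings["audit-log-maxbackup"], settings["audit-log-maxsize"]
    if not backups or size is None:
        return None
    return size * (backups + 1)


if __name__ == "__main__":
    # Pipe the oc output in, or run without input to use the constructed sample.
    piped = "" if sys.stdin.isatty() else sys.stdin.read().strip()
    text = piped or SAMPLE_CONFIG
    print("settings:", audit_settings(text))
    print("not applied:", check_rollout(text, {"audit-log-maxbackup": 5, "audit-log-maxsize": 200}))
    print("retention bound:", retained_size_bound(audit_settings(text)))
```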
