Change OpenShiftApiserver Audit Settings with "audit-log-maxbackup" and "audit-log-maxsize" in OpenShift Container Platform 4
Environment
- OpenShift Container Platform (OCP)
- 4.6
Issue
- How to change the OpenShiftApiserver Audit Settings in OpenShift Container Platform 4?
- How to change the default settings of '10' maxlog and '100' MiB logsize for the OpenShiftApiserver?
Resolution
- There is currently no supported way to change audit-log-maxbackup and audit-log-maxsize for OpenShift Container Platform 4. unsupportedConfigOverrides can be used to override the default apiServerArguments configuration by editing the OpenShiftAPIServer CRD using the following command:
# oc edit openshiftapiserver
apiVersion: operator.openshift.io/v1
kind: OpenShiftAPIServer
...
spec:
  unsupportedConfigOverrides:
    apiServerArguments:
      audit-log-maxbackup:
      - "5"
      audit-log-maxsize:
      - "200"
Please note that using unsupportedConfigOverrides is NOT supported by Red Hat and will block future OpenShift Container Platform upgrades.
For KubeApiServer audit settings, please refer to Change KubeApiserver Audit Settings with "audit-log-maxbackup" and "audit-log-maxsize" in OpenShift Container Platform 4
Root Cause
- The Operator for the OpenShift API Server does not allow changes to the default audit-log-maxbackup and audit-log-maxsize configuration.
Diagnostic Steps
Setting audit-log-maxbackup and audit-log-maxsize under unsupportedConfigOverrides changes the openshiftapiserver config.yaml file shown below.
After editing with oc edit openshiftapiserver, the OpenShiftapiserver pods are redeployed with the new settings. This can be checked with the following command:
# oc -n openshift-apiserver get cm config -o jsonpath='{.data.config\.yaml}' | jq . | grep -A 20 apiServerArguments
  "apiServerArguments": {
    "audit-log-format": [
      "json"
    ],
    "audit-log-maxbackup": [
      "5"
    ],
    "audit-log-maxsize": [
      "200"
    ],
    "audit-log-path": [
      "/var/log/openshift-apiserver/audit.log"
    ],
    "audit-policy-file": [
      "/var/run/configmaps/audit/secure-oauth-storage-default.yaml"
    ],
    "shutdown-delay-duration": [
      "3s"
    ]
  },
  "apiVersion": "openshiftcontrolplane.config.openshift.io/v1",
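The check above can be scripted instead of read by eye. The following is an added example, not part of the original solution or of any Red Hat tooling: it parses the rendered config.yaml (JSON, as piped to jq above), compares the two rotation flags with the intended override, and computes the upper bound on audit data kept per pod. The function names are hypothetical, and the bound assumes the upstream API server flag semantics (maxsize in megabytes, maxbackup counting rotated files, 0 meaning no limit on file count).

```python
import json
import sys

# Flags the page overrides; each is rendered as a one-element list of strings.
ROTATION_FLAGS = ("audit-log-maxbackup", "audit-log-maxsize")


def audit_rotation(config_text):
    """Return {flag: int or None} read from the rendered config.yaml (JSON)."""
    args = json.loads(config_text).get("apiServerArguments", {})
    found = {}
    for flag in ROTATION_FLAGS:
        values = args.get(flag) or []
        found[flag] = int(values[0]) if values else None  # None: not rendered
    return found


def check_rollout(config_text, expected):
    """Compare rendered values with the intended override; return problems."""
    found = audit_rotation(config_text)
    return [
        f"{flag}: expected {want}, rendered {found.get(flag)}"
        for flag, want in expected.items()
        if found.get(flag) != want
    ]


def max_retained_mb(rotation):
    """Upper bound per pod: the active file plus the rotated backups."""
    backups, size = rotation["audit-log-maxbackup"], rotation["audit-log-maxsize"]
    if backups is None or size is None or backups == 0:
        return None  # unknown, or (assumed) unlimited number of backups
    return (backups + 1) * size


# Constructed sample, trimmed from the command output shown above.
SAMPLE = json.dumps({"apiServerArguments": {
    "audit-log-format": ["json"],
    "audit-log-maxbackup": ["5"],
    "audit-log-maxsize": ["200"],
}})

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    wanted = {"audit-log-maxbackup": 5, "audit-log-maxsize": 200}
    problems = check_rollout(text, wanted)
    print(audit_rotation(text), "max MB:", max_retained_mb(audit_rotation(text)))
    print("\n".join(problems) or "rendered config matches the override")
    sys.exit(1 if problems else 0)
```

To run it against a cluster, pipe the output of the oc ... -o jsonpath='{.data.config\.yaml}' command above (without jq and grep) into the script; a non-zero exit status means the override has not been rendered into the config map.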