Change OpenShiftApiserver Audit Settings with "audit-log-maxbackup" and "audit-log-maxsize" in OpenShift Container Platform 4

Solution Unverified - Updated

Environment

  • Openshift Container Platform (OCP)
    • 4.6

Issue

  • How to change the OpenShiftApiserver Audit Settings in OpenShift Container Platform 4?
  • How to change the default settings of '10' for audit-log-maxbackup and '100' MiB for audit-log-maxsize for the OpenShiftApiserver?

Resolution

  • There is currently no supported way to change the audit-log-maxbackup and audit-log-maxsize for OpenShift Container Platform 4.
  • unsupportedConfigOverrides can be used to override the default apiServerArguments configuration by editing the OpenShiftAPIServer custom resource with the following command:
# oc edit openshiftapiserver
apiVersion: operator.openshift.io/v1
kind: OpenShiftAPIServer
...
spec:
  unsupportedConfigOverrides:
    apiServerArguments:
      audit-log-maxbackup:
      - "5"
      audit-log-maxsize:
      - "200"

Please note that using unsupportedConfigOverrides is NOT supported by Red Hat and will block future OpenShift Container Platform upgrades.

For KubeApiServer audit settings, please refer to Change KubeApiserver Audit Settings with "audit-log-maxbackup" and "audit-log-maxsize" in OpenShift Container Platform 4

Root Cause

  • The Operator for the OpenShift API Server does not allow changes to the default audit-log-maxbackup and audit-log-maxsize configuration.

Diagnostic Steps

Setting audit-log-maxbackup and audit-log-maxsize through unsupportedConfigOverrides changes the corresponding values in the openshift-apiserver config.yaml, as shown below.

After editing with oc edit openshiftapiserver, the openshift-apiserver pods are redeployed with the new settings. The rendered configuration can be checked with the following command:

# oc -n openshift-apiserver get cm config -o jsonpath='{.data.config\.yaml}' | jq . | grep -A 20 apiServerArguments
  "apiServerArguments": {
    "audit-log-format": [
      "json"
    ],
    "audit-log-maxbackup": [
      "5"
    ],
    "audit-log-maxsize": [
      "200"
    ],
    "audit-log-path": [
      "/var/log/openshift-apiserver/audit.log"
    ],
    "audit-policy-file": [
      "/var/run/configmaps/audit/secure-oauth-storage-default.yaml"
    ],
    "shutdown-delay-duration": [
      "3s"
    ]
  },
  "apiVersion": "openshiftcontrolplane.config.openshift.io/v1",

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
