Add audit kubernetes

kubemarine/procedures/install.py

@@ -109,10 +109,15 @@ def system_install_audit(cluster):
     cluster.log.debug(group.call(audit.install))
 
 
-def system_prepare_audit(cluster):
+def system_prepare_audit_daemon(cluster):
     group = cluster.nodes['master'].include_group(cluster.nodes.get('worker')).get_new_nodes_or_self()
     cluster.log.debug(group.call(audit.apply_audit_rules))
 
+def system_prepare_audit_policy(cluster):
+    group = cluster.nodes['master'].include_group(cluster.nodes.get('worker')).get_new_nodes_or_self()
+    cluster.log.debug(group.call(audit.apply_audit_rules))
+    policy = open("audit-policy.yaml", "wa")
+    group.put(io.StringIO(policy), '/etc/kubernetes/manifests/kube-apiserver.yaml', sudo=True)
 
 def system_prepare_dns_hostname(cluster):
     with RemoteExecutor(cluster):
@@ -461,7 +466,8 @@ def overview(cluster):
             "sysctl": system_prepare_system_sysctl,
             "audit": {
                 "install": system_install_audit,
-                "configure": system_prepare_audit
+                "configure": system_prepare_audit_daemon,
+                "policy": system_prepare_audit_policy,
             }
         },
         "cri": {

kubemarine/resources/configurations/defaults.yaml

@@ -27,10 +27,13 @@ services:
       extraArgs:
         enable-admission-plugins: NodeRestriction
         profiling: "false"
-        audit-log-path: /var/log/audit.log
+        audit-log-path: /var/log/kubernetes/audit/audit.log
+        audit-policy-file: /etc/kubernetes/audit-policy.yaml
         audit-log-maxage: "30"
         audit-log-maxbackup: "10"
         audit-log-maxsize: "100"
+
+
     scheduler:
       extraArgs:
         profiling: "false"