This project provides an auditing system for network-policy-related Kubernetes resources and Antrea-specific CRDs. It tracks creations, updates, and deletions of these resources and stores them as YAML files backed by a Git repository. The system also comes with a CLI for querying and filtering the repository for changes using filters such as a date range or the service account responsible for the changes, as well as a tagging and rollback feature for reverting the cluster to an earlier recorded state when the current cluster state is undesirable. A web UI service is linked to the repository, allowing easy visualization of the entire history of resource configurations.
Ensure kubectl is running correctly prior to getting started. A label is used to specify the Node that runs all audit services. The nodeAffinity field is used to schedule the Pods to the correct Node(s) and uses Node labels to determine them. The label can be applied with:

```
kubectl label nodes <node-name> audit=target
```
Run the following command on the Node that was just labelled to create the directory the repository will be stored in:

```
mkdir -p /data/antrea-audit
```
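As an added illustration (not the project's checked-in deployment manifest), the following Pod spec shows how the two steps above fit together: a nodeAffinity term pins the workload to the Node carrying the `audit=target` label, and a hostPath volume of type `Directory` mounts `/data/antrea-audit`, which is why that directory has to exist on the labelled Node beforehand (with type `Directory`, the kubelet refuses to start the Pod if the path is missing). The Deployment name, labels and container image are placeholders.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: antrea-audit                      # placeholder name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: antrea-audit                   # placeholder label
  template:
    metadata:
      labels:
        app: antrea-audit
    spec:
      affinity:
        nodeAffinity:
          # Hard requirement: only Nodes labelled audit=target are eligible.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: audit
                operator: In
                values:
                - target
      containers:
      - name: audit
        image: example.invalid/antrea-audit:placeholder   # placeholder image
        volumeMounts:
        - name: repo
          mountPath: /data/antrea-audit
      volumes:
      - name: repo
        hostPath:
          path: /data/antrea-audit
          # Directory (rather than DirectoryOrCreate) makes a missing
          # directory a scheduling-time error instead of silently creating
          # a root-owned path on whichever Node the Pod lands on.
          type: Directory
```

Because the Git history lives on a hostPath, the Node label and the directory are effectively the audit system's state location; if the label is moved to a different Node, the repository does not follow it.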
Connect to the control Node and copy audit-policy.yaml and audit-config.yaml to /etc/kubernetes/addons. If this directory does not exist, create it with:

```
mkdir -p /etc/kubernetes/addons
```
Modify the kube-apiserver.yaml manifest by adding the following lines (the `...` marks existing content that is left unchanged):

```yaml
  - command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/addons/audit-policy.yaml
    - --audit-webhook-config-file=/etc/kubernetes/addons/audit-config.yaml
    ...
    volumeMounts:
    - mountPath: /etc/kubernetes/addons/audit-policy.yaml
      name: audit-policy
      readOnly: true
    - mountPath: /etc/kubernetes/addons/audit-config.yaml
      name: audit-config
      readOnly: true
  ...
  volumes:
  - hostPath:
      path: /etc/kubernetes/addons/audit-policy.yaml
      type: File
    name: audit-policy
  - hostPath:
      path: /etc/kubernetes/addons/audit-config.yaml
      type: File
    name: audit-config
```
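The two files referenced by those flags are not shown on this page, so the following is an added, illustrative pair (not the project's shipped audit-policy.yaml or audit-config.yaml) that makes the apiserver side of the design concrete: an audit Policy that emits RequestResponse-level events only for mutations of the resource kinds the audit system tracks, and a kubeconfig-format webhook config that tells kube-apiserver where to deliver them. The exact set of Antrea CRD resources the project records, the webhook Service name and namespace, and the port are assumptions.

```yaml
# audit-policy.yaml (illustrative; replace with the project's actual policy)
apiVersion: audit.k8s.io/v1
kind: Policy
# Emit one event per request (at ResponseComplete) rather than an extra
# event at RequestReceived; the Git history only needs the final outcome.
omitStages:
- RequestReceived
rules:
# Record full request and response bodies for mutations of the resources the
# audit system tracks: core NetworkPolicy plus the Antrea policy CRDs.
# (The CRD list is an assumption about what the project records.)
- level: RequestResponse
  verbs: ["create", "update", "patch", "delete"]
  resources:
  - group: networking.k8s.io
    resources: ["networkpolicies"]
  - group: crd.antrea.io
    resources: ["networkpolicies", "clusternetworkpolicies", "tiers"]
# Everything else (reads, other resource kinds) is not sent to the webhook.
# A catch-all None rule keeps unrelated request bodies, including Secrets,
# out of the audit stream entirely.
- level: None
---
# audit-config.yaml (illustrative): a kubeconfig that names the webhook
# endpoint. Service name, namespace and port are placeholders.
apiVersion: v1
kind: Config
clusters:
- name: audit-webhook
  cluster:
    server: http://audit-webhook.kube-system.svc:8080/events   # placeholder
contexts:
- name: audit-webhook
  context:
    cluster: audit-webhook
    user: ""
current-context: audit-webhook
users: []
```

Two things to keep in mind when adapting this: rule order matters, since kube-apiserver uses the first matching rule, so the `None` catch-all must stay last; and if the webhook Service terminates TLS, the `cluster` entry needs a `certificate-authority-data` field (and the apiserver static Pod needs no extra mount in that case, because the CA is inlined in the file).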
Exit the control Node. To deploy the most recent version of resource-auditing, use the checked-in deployment YAML:

```
kubectl apply -f https://raw.githubusercontent.com/antrea-io/resource-auditing/tree/main/build/yamls
```
The Antrea community welcomes new contributors. We are waiting for your PRs!
- This project follows the CNCF Code of Conduct.
- Check out Open Issues