Expose kube-apiserver audit log to host volume

This commit exposes kube-apiserver's audit log to the host as a host mapping. PR #1872 gave the ability to users to define a custom log path for the apiserver to write its audit logs to. Prior to this commit, the log file would stay within the container's filesystem, and getting access to it from outside the container was a nuisance. This change allows a logging aggregator, like fluentd, to be able to read and tail this log from outside the kube-apiserver container.
2017-05-04 15:12:24 -07:00 · 2017-05-04 15:12:24 -07:00 · 71d7be772a
parent ddc638fb86
commit 71d7be772a
1 changed files with 20 additions and 0 deletions
--- a/nodeup/pkg/model/kubeapiserver.go
+++ b/nodeup/pkg/model/kubeapiserver.go
@ -73,6 +73,21 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
 		c.AddTask(t)
 	}

+	auditLogPath := b.Cluster.Spec.KubeAPIServer.AuditLogPath
+	if auditLogPath != nil {
+		// Touch log file, so that docker doesn't create a directory instead
+		{
+			t := &nodetasks.File{
+				Path:        *auditLogPath,
+				Contents:    fi.NewStringResource(""),
+				Type:        nodetasks.FileType_File,
+				Mode:        s("0400"),
+				IfNotExists: true,
+			}
+			c.AddTask(t)
+		}
+	}
+
 	return nil
 }

@ -183,6 +198,11 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {

 	addHostPathMapping(pod, container, "logfile", "/var/log/kube-apiserver.log").ReadOnly = false

+	auditLogPath := b.Cluster.Spec.KubeAPIServer.AuditLogPath
+	if auditLogPath != nil {
+		addHostPathMapping(pod, container, "auditlogfile", *auditLogPath).ReadOnly = false
+	}
+
 	pod.Spec.Containers = append(pod.Spec.Containers, *container)

 	return pod, nil