mirror of https://github.com/kubernetes/kops.git
Fix log rotation of apiserver audit logs
Fixed an oops I created in #2494 where log rotation does not function as expected. The kube-apiserver first has to rename the existing audit log prior to a new one being created. Renaming is not possible when the audit file is mounted directly as the host path. kube-apiserver will return a 'Device or resource busy' error when it tries to do so. So instead, we mount the directory of the path instead of the file itself. Also remove the creation of an empty audit log file as that is no longer necessary for Docker to mount a directory. "If an audit log file already exists, Kubernetes appends new audit logs to that file. Otherwise, Kubernetes creates an audit log file at the location you specified in audit-log-path. If the audit log file exceeds the size you specify in audit-log-maxsize, Kubernetes will rename the current log file by appending the current timestamp on the file name (before the file extension) and create a new audit log file. Kubernetes may delete old log files when creating a new log file; you can configure how many files are retained and how old they can be by specifying the audit-log-maxbackup and audit-log-maxage options." Source: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ Tested this on Kubernetes 1.6 and with an audit log path specified to be: /var/log/kube-apiserver-audit.log The kube-apiserver container has this mounted: /dev/xvda1 on /var/log type ext4 (rw,relatime,data=ordered)
parent
9400be0834
commit
c22b3cc035
|
@ -73,21 +73,6 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
|
|||
c.AddTask(t)
|
||||
}
|
||||
|
||||
auditLogPath := b.Cluster.Spec.KubeAPIServer.AuditLogPath
|
||||
if auditLogPath != nil {
|
||||
// Touch log file, so that docker doesn't create a directory instead
|
||||
{
|
||||
t := &nodetasks.File{
|
||||
Path: *auditLogPath,
|
||||
Contents: fi.NewStringResource(""),
|
||||
Type: nodetasks.FileType_File,
|
||||
Mode: s("0400"),
|
||||
IfNotExists: true,
|
||||
}
|
||||
c.AddTask(t)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -200,7 +185,11 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
|
|||
|
||||
auditLogPath := b.Cluster.Spec.KubeAPIServer.AuditLogPath
|
||||
if auditLogPath != nil {
|
||||
addHostPathMapping(pod, container, "auditlogfile", *auditLogPath).ReadOnly = false
|
||||
// Mount the directory of the path instead, as kube-apiserver rotates the log by renaming the file.
|
||||
// Renaming is not possible when the file is mounted as the host path, and will return a
|
||||
// 'Device or resource busy' error
|
||||
auditLogPathDir := filepath.Dir(*auditLogPath)
|
||||
addHostPathMapping(pod, container, "auditlogpathdir", auditLogPathDir).ReadOnly = false
|
||||
}
|
||||
|
||||
pod.Spec.Containers = append(pod.Spec.Containers, *container)
|
||||
|
|
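Review bot: Mounting `filepath.Dir(*auditLogPath)` with `ReadOnly = false` in the second hunk gives the kube-apiserver container write access to the whole parent directory on the host, not only the audit log. With the path tested in the description that is all of `/var/log`, and an AuditLogPath directly under the root or a relative one would resolve to `/` or `.`. I would reject those cases before the mapping, e.g. `if auditLogPathDir == "/" || auditLogPathDir == "." { return nil, fmt.Errorf("auditLogPath %q must be inside a dedicated directory", *auditLogPath) }` (assuming `fmt` is already imported in this file), and add a comment recommending a dedicated directory such as a per-component audit folder. Separately, the first hunk removes the task that pre-created the file with mode `0400`, so the audit log's permissions are now whatever kube-apiserver applies when it creates the file; it is worth confirming that is still restrictive enough for audit data. The body of buildPod continues outside the hunk.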