How can I change the kube-apiserver audit-policy.yaml on OpenShift?

10/26/2020

I'm currently trying to change the audit policy for the openshift-kube-apiserver pod to output more information that isn't set up by default, primarily getting the requestBody of all incoming requests. There is an option in the kube-apiserver to change the audit policy here: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/. However, I can't seem to find that option on OpenShift. I suspect it might be within the openshift-kube-apiserver-operator, but have hit a dead end. Does anyone else have experience with this problem and can provide some guidance? Thank you in advance.

-- Khang Lieu
kubernetes
openshift

1 Answer

10/27/2020

Unfortunately, at the moment OpenShift v4 does not allow you to use a custom audit policy. OpenShift v3 could customize it. But alternatively, as of OCP v4.6, you can specify some predefined policies instead of your custom one. Refer to Configuring the node audit log policy for more details.

OpenShift Container Platform provides the following predefined audit policy profiles:

  • Default: Logs only metadata for read and write requests; does not log request bodies. This is the default policy.

  • WriteRequestBodies: In addition to logging metadata for all requests, logs request bodies for every write request to the API servers (create, update, patch).

  • AllRequestBodies: In addition to logging metadata for all requests, logs request bodies for every read and write request to the API servers (get, list, create, update, patch).

You can change the audit policy as follows:

$ oc edit apiserver cluster
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
...
spec:
  audit:
    profile: WriteRequestBodies

After the above change, all kube-apiserver pods will restart through a rolling update for it to take effect.

-- Daein Park
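An added example, not part of the answer above: after switching the profile, a defender wants to confirm that the audit log really carries the bodies the profile promises. The script below (my code, not OpenShift's) parses kube-apiserver audit events in JSON-lines form, such as those retrieved with `oc adm node-logs --role=master --path=kube-apiserver/audit.log` (assumed retrieval path), and reports which verbs carry a `requestObject`/`responseObject`, infers the profile that best matches, and lists verbs that fall short of an expected profile. The sample events are constructed.

```python
import json
from collections import defaultdict

# Constructed sample audit events, one JSON object per line as in kube-apiserver audit.log.
SAMPLE_LOG = "\n".join([
    '{"kind":"Event","verb":"get","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/demo/pods","user":{"username":"alice"}}',
    '{"kind":"Event","verb":"create","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/demo/pods","user":{"username":"alice"},"requestObject":{"kind":"Pod","metadata":{"name":"web"}}}',
    '{"kind":"Event","verb":"patch","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/demo/pods/web","user":{"username":"bob"},"requestObject":{"spec":{"containers":[]}}}',
    '{"kind":"Event","verb":"list","stage":"ResponseComplete","requestURI":"/api/v1/pods","user":{"username":"bob"}}',
    '{"kind":"Event","verb":"create","stage":"ResponseStarted","requestURI":"/api/v1/namespaces/demo/pods"}',
])

# Verb groups as described by the predefined OpenShift profiles.
READ_VERBS = {"get", "list"}
WRITE_VERBS = {"create", "update", "patch"}
PROFILE_BODY_VERBS = {
    "Default": set(),
    "WriteRequestBodies": WRITE_VERBS,
    "AllRequestBodies": READ_VERBS | WRITE_VERBS,
}

def parse_events(text):
    """Parse JSON-lines audit output; keep only the final ResponseComplete stage of each request."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("stage") == "ResponseComplete":
            events.append(event)
    return events

def body_coverage(events):
    """Return {verb: (events_with_body, total_events)}; a body is a requestObject or responseObject."""
    coverage = defaultdict(lambda: [0, 0])
    for event in events:
        verb = event.get("verb", "unknown")
        coverage[verb][1] += 1
        if "requestObject" in event or "responseObject" in event:
            coverage[verb][0] += 1
    return {verb: tuple(counts) for verb, counts in coverage.items()}

def infer_profile(events):
    """Most specific predefined profile consistent with which verbs carry bodies (assumed mapping)."""
    coverage = body_coverage(events)
    if any(coverage[v][0] for v in coverage if v in READ_VERBS):
        return "AllRequestBodies"
    if any(coverage[v][0] for v in coverage if v in WRITE_VERBS):
        return "WriteRequestBodies"
    return "Default"

def missing_bodies(events, expected_profile):
    """Verbs that should carry bodies under expected_profile but have at least one event without one."""
    wanted = PROFILE_BODY_VERBS[expected_profile]
    coverage = body_coverage(events)
    return sorted(v for v, (with_body, total) in coverage.items() if v in wanted and with_body < total)
```

Running `infer_profile` on a fresh log sample after the rolling restart gives a quick confirmation that the new profile is in force across the restarted pods.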
Source: StackOverflow