The ABC of Kubernetes security: authentication, authorization, auditing


Sooner or later, in the operation of any system, the question of security comes up: providing authentication, separating privileges, auditing, and other tasks. Many solutions have already been built for Kubernetes that let you meet compliance requirements even in very demanding environments. This article is about the basic security mechanisms implemented in the built-in subsystems of K8s. It is meant first of all for those who are starting to get acquainted with Kubernetes, as a starting point for studying security-related questions.

Authentication

There are two kinds of users in Kubernetes:

  • service accounts, accounts managed by the Kubernetes API itself;
  • users, the "normal" users managed by external, independent services.

The main difference between these types is that service accounts have dedicated objects in the Kubernetes API (they are called ServiceAccount), which are bound to a namespace and to a set of authorization data stored in the cluster in objects of kind Secret (note that starting with Kubernetes 1.24 pods receive short-lived projected tokens instead, and a token Secret is no longer created automatically for each ServiceAccount). Such users (ServiceAccounts) are intended primarily for managing the Kubernetes API access rights of processes running inside the Kubernetes cluster.

Normal users have no entries in the Kubernetes API: they must be managed by external mechanisms. They are meant for people or for processes living outside the cluster.

Every API request is associated either with a service account, with a user, or is treated as anonymous.

A user's authentication data consists of:

  • Username, the user name (case-sensitive!);
  • UID, a machine-readable user identifier string that is "more consistent and unique than the username";
  • Groups, the list of groups the user belongs to;
  • Extra, additional fields that can be used by the authorization mechanism.

Kubernetes can use a range of authentication mechanisms: X.509 client certificates, bearer tokens, an authenticating proxy, HTTP Basic Auth (the latter, --basic-auth-file, was removed in Kubernetes 1.19). With these mechanisms a large number of authentication schemes can be implemented: from a static file with tokens to OpenID Connect / OAuth2.

Moreover, several authentication schemes can be used at the same time; the request is accepted as soon as one of them succeeds. By default, a cluster uses:

  • service account tokens for service accounts;
  • X.509 certificates for users.

Managing ServiceAccounts is outside the scope of this article; those who want to get familiar with this question in more detail should start with the official documentation page. We will take a closer look at how X.509 certificates work.

Certificates for users (X.509)

The classic way of working with certificates involves:

  • generating a key:
    mkdir -p ~/.certs/
    openssl genrsa -out ~/.certs/mynewuser.key 2048
  • creating a certificate signing request (the subject's CN becomes the Kubernetes user name and every O becomes a group the user belongs to):
    openssl req -new -key ~/.certs/mynewuser.key -out ~/.certs/mynewuser.csr -subj "/CN=mynewuser/O=company"
  • signing the request with the Kubernetes cluster CA key, which yields the user certificate (to obtain the certificate you need an account that has access to the cluster CA key, by default at /etc/kubernetes/pki/ca.key). Keep in mind that the api-server has no certificate revocation mechanism (no CRL or OCSP), so a certificate issued this way stays valid until it expires: choose -days accordingly and guard ca.key, since whoever holds it can mint any identity, including members of system:masters:
    openssl x509 -req -in ~/.certs/mynewuser.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ~/.certs/mynewuser.crt -days 500
  • creating a configuration file:
    • describing the cluster (specify the address and the location of the CA certificate file for a specific cluster entry):
      kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.100.200:6443
    • or, as is not recommended, without specifying the CA certificate (then kubectl does not verify that it is talking to the cluster's real api-server, which leaves the connection open to a man-in-the-middle):
      kubectl config set-cluster kubernetes  --insecure-skip-tls-verify=true --server=https://192.168.100.200:6443
    • adding the user to the configuration file:
      kubectl config set-credentials mynewuser --client-certificate=~/.certs/mynewuser.crt  --client-key=~/.certs/mynewuser.key
    • adding a context:
      kubectl config set-context mynewuser-context --cluster=kubernetes --namespace=target-namespace --user=mynewuser
    • selecting the default context:
      kubectl config use-context mynewuser-context

After the manipulations above, a config like the following will appear in the .kube/config file:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://192.168.100.200:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: target-namespace
    user: mynewuser
  name: mynewuser-context
current-context: mynewuser-context
kind: Config
preferences: {}
users:
- name: mynewuser
  user:
    client-certificate: /home/mynewuser/.certs/mynewuser.crt
    client-key: /home/mynewuser/.certs/mynewuser.key

To make it easier to move the config between accounts and servers, it is recommended to edit the values of the following keys:

  • certificate-authority
  • client-certificate
  • client-key

To do this, you can encode the files they reference with base64 and put the result into the config, adding the suffix -data to the key names, i.e. getting certificate-authority-data and so on. kubectl does this for you if you pass --embed-certs=true to set-cluster and set-credentials. Remember that such a config then contains the private key itself, so it must be protected like any other credential.

Certificates with kubeadm

Since the Kubernetes 1.15 release, working with certificates has become much easier thanks to the alpha version of its support in the kubeadm utility (in later releases the command was promoted to kubeadm kubeconfig user). For example, here is how you can now generate a configuration file with user keys:

kubeadm alpha kubeconfig user --client-name=mynewuser --apiserver-advertise-address 192.168.100.200

NB: The required advertise address can be found in the api-server config, which is located by default at /etc/kubernetes/manifests/kube-apiserver.yaml.

The resulting config is written to stdout. It should be saved to the user's ~/.kube/config or to a file pointed to by the KUBECONFIG environment variable.

Digging deeper

For those who want to understand the described questions in more detail:

Authorization

By default, an authenticated account has no rights to act on the cluster at all. To grant permissions, Kubernetes implements an authorization mechanism.

Before version 1.6, Kubernetes used an authorization model called ABAC (Attribute-based access control). Details on it can be found in the official documentation. This approach is now considered legacy, but it can still be used together with other authorization modes.

The current (and more flexible) way of distributing access rights to a cluster is called RBAC (Role-based access control). It has been declared stable since Kubernetes 1.8. RBAC implements a permissions model in which everything that is not explicitly allowed is forbidden.
To enable RBAC, you must start the Kubernetes api-server with the parameter --authorization-mode=RBAC. The parameters are set in the manifest with the api-server configuration, which is located by default at /etc/kubernetes/manifests/kube-apiserver.yaml, in the command section. However, RBAC has long been enabled by default, so most likely you do not need to worry about it: you can check this via the value of authorization-mode (in the already mentioned kube-apiserver.yaml). By the way, among its values there may be other authorization modes (Node, Webhook, AlwaysAllow; a cluster provisioned by kubeadm uses Node,RBAC), but we will leave their discussion outside the scope of this material.

By the way, we have already published an article with a detailed description of the principles and features of working with RBAC, so here I will restrict myself to a brief list of the basics and some examples.

The following API objects are used to control access in Kubernetes via RBAC:

  • Role and ClusterRole, roles that describe access rights:
    • Role lets you describe rights within a namespace;
    • ClusterRole, within the whole cluster, including cluster-scoped objects such as nodes and non-resource URLs (that is, URLs not related to Kubernetes resources; for example, /version, /logs, /api*);
  • RoleBinding and ClusterRoleBinding are used to bind a Role or ClusterRole to a user, a group of users, or a ServiceAccount.

Role and RoleBinding objects are namespace-scoped, i.e. they must be in the same namespace. A RoleBinding can, however, reference a ClusterRole, which lets you define a set of common permissions once and manage their use per namespace: the rights are then granted only within the RoleBinding's namespace.

Roles describe rights via sets of rules that contain:

  • API groups (apiGroups; see the official documentation and the output of kubectl api-resources);
  • resources (resources: pods, namespaces, deployments, etc.);
  • verbs (verbs: get, list, watch, create, update, delete, etc.);
  • resource names (resourceNames), for the case when access must be granted to a specific resource rather than to all resources of that type.

A more detailed description of authorization in Kubernetes can be found on the official documentation page. Instead (or rather, in addition), I will give examples that illustrate how it works.

Examples of RBAC objects

An example Role that lets you get the list and status of pods and watch them in the target-namespace namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: target-namespace
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

An example ClusterRole that lets you get the list of Secrets and watch them across the whole cluster (note that reading Secrets cluster-wide is a very powerful permission; it is shown here because a ClusterRole is the only place it can be expressed):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # there is no "namespace" section, since a ClusterRole applies to the whole cluster
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

An example RoleBinding that lets the user mynewuser "read" pods in the target-namespace namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: target-namespace
subjects:
- kind: User
  name: mynewuser # the user name is case-sensitive!
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # must be "Role" or "ClusterRole"
  name: pod-reader # the name of a Role in the same namespace,
                   # or the name of a ClusterRole whose use
                   # we want to grant to the user
  apiGroup: rbac.authorization.k8s.io
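How these three objects combine into an allow/deny decision, as an added example in Go (not code from the original article and not the Kubernetes authorizer itself): it models Role, ClusterRole, RoleBinding and ClusterRoleBinding with the same field names as the YAML, loads the pod-reader Role, the secret-reader ClusterRole and the read-pods RoleBinding from above, adds one assumed RoleBinding that reuses secret-reader for a group named "auditors", and answers requests with default deny. It shows the points made earlier: user names are matched case-sensitively, a RoleBinding only works inside its own namespace even when it points at a ClusterRole, and cluster-scoped requests can never be granted by a RoleBinding. The request names ("alice", "db", "web-1") are constructed.

```go
package main

import "fmt"

// A minimal model of the RBAC objects above (example code, not the Kubernetes
// authorizer itself); the field names mirror the YAML keys.
type Rule struct{ APIGroups, Resources, Verbs, ResourceNames []string }
type Role struct{ Namespace, Name string; Rules []Rule }
type ClusterRole struct{ Name string; Rules []Rule }
type Subject struct{ Kind, Name, Namespace string } // Kind: User, Group or ServiceAccount
type RoleRef struct{ Kind, Name string }            // Kind: Role or ClusterRole
type RoleBinding struct{ Namespace string; Subjects []Subject; RoleRef RoleRef }
type ClusterRoleBinding struct{ Subjects []Subject; RoleRef RoleRef }

// Request is what the authorizer sees after authentication; Namespace is
// empty for cluster-scoped resources such as nodes.
type Request struct{ User string; Groups []string; Verb, APIGroup, Resource, Name, Namespace string }

type Cluster struct{ Roles []Role; ClusterRoles []ClusterRole; RoleBindings []RoleBinding; ClusterRoleBindings []ClusterRoleBinding }

// matches honours the "*" wildcard used in rules.
func matches(list []string, v string) bool {
	for _, x := range list { if x == "*" || x == v { return true } }
	return false
}

// allows checks one rule. A rule with resourceNames only matches requests that
// name an object, so it can never grant list or watch.
func (r Rule) allows(q Request) bool {
	if !matches(r.APIGroups, q.APIGroup) || !matches(r.Resources, q.Resource) || !matches(r.Verbs, q.Verb) {
		return false
	}
	return len(r.ResourceNames) == 0 || (q.Name != "" && matches(r.ResourceNames, q.Name))
}

// bound reports whether a binding's subjects name the request's user, one of
// its groups, or its service account. Comparison is exact and case-sensitive.
func bound(subjects []Subject, q Request) bool {
	for _, s := range subjects {
		switch s.Kind {
		case "User":
			if s.Name == q.User { return true }
		case "Group":
			for _, g := range q.Groups { if g == s.Name { return true } }
		case "ServiceAccount":
			if q.User == "system:serviceaccount:"+s.Namespace+":"+s.Name { return true }
		}
	}
	return false
}

// rulesFor resolves a roleRef: a Role only in the binding's own namespace, a
// ClusterRole anywhere. A dangling reference grants nothing.
func (c Cluster) rulesFor(ref RoleRef, ns string) []Rule {
	for _, r := range c.Roles { if ref.Kind == "Role" && r.Namespace == ns && r.Name == ref.Name { return r.Rules } }
	for _, r := range c.ClusterRoles { if ref.Kind == "ClusterRole" && r.Name == ref.Name { return r.Rules } }
	return nil
}

func anyAllows(rules []Rule, q Request) bool {
	for _, r := range rules { if r.allows(q) { return true } }
	return false
}

// Authorize implements default deny: the request is allowed only if a binding
// naming the subject resolves to a rule that matches it. ClusterRoleBindings
// apply everywhere; a RoleBinding, even one that points at a ClusterRole,
// applies only to requests inside its own namespace.
func (c Cluster) Authorize(q Request) bool {
	for _, b := range c.ClusterRoleBindings {
		if bound(b.Subjects, q) && anyAllows(c.rulesFor(b.RoleRef, ""), q) { return true }
	}
	for _, b := range c.RoleBindings {
		if q.Namespace != "" && b.Namespace == q.Namespace && bound(b.Subjects, q) &&
			anyAllows(c.rulesFor(b.RoleRef, b.Namespace), q) {
			return true
		}
	}
	return false
}

// sampleCluster holds the three objects from the YAML above plus one more
// RoleBinding that reuses the secret-reader ClusterRole for an assumed group
// "auditors", granting it in target-namespace only.
func sampleCluster() Cluster {
	read, core := []string{"get", "watch", "list"}, []string{""}
	return Cluster{
		Roles:        []Role{{Namespace: "target-namespace", Name: "pod-reader", Rules: []Rule{{APIGroups: core, Resources: []string{"pods"}, Verbs: read}}}},
		ClusterRoles: []ClusterRole{{Name: "secret-reader", Rules: []Rule{{APIGroups: core, Resources: []string{"secrets"}, Verbs: read}}}},
		RoleBindings: []RoleBinding{
			{Namespace: "target-namespace", Subjects: []Subject{{Kind: "User", Name: "mynewuser"}}, RoleRef: RoleRef{Kind: "Role", Name: "pod-reader"}},
			{Namespace: "target-namespace", Subjects: []Subject{{Kind: "Group", Name: "auditors"}}, RoleRef: RoleRef{Kind: "ClusterRole", Name: "secret-reader"}},
		},
	}
}

func main() {
	c := sampleCluster()
	fmt.Println(c.Authorize(Request{User: "mynewuser", Verb: "list", Resource: "pods", Namespace: "target-namespace"})) // true
	fmt.Println(c.Authorize(Request{User: "mynewuser", Verb: "list", Resource: "pods", Namespace: "other"}))            // false
	fmt.Println(c.Authorize(Request{User: "alice", Groups: []string{"auditors"}, Verb: "get", Resource: "secrets", Name: "db", Namespace: "other"})) // false
}
```

On a real cluster the same question is answered by the api-server itself, for example with kubectl auth can-i list pods --namespace target-namespace --as mynewuser, which is the quickest way to check a binding before handing out the credentials.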

Auditing

Schematically, the Kubernetes architecture can be shown like this:

[Figure: Kubernetes architecture diagram, with the api-server in the centre of all request flows]

The main Kubernetes component responsible for processing requests is the api-server. All operations on the cluster go through it. You can read more about these internal mechanisms in the article "What happens in Kubernetes when you run kubectl run?".

Auditing of the system is an interesting feature of Kubernetes, and it is disabled by default. It lets you log all calls to the Kubernetes API. As you would guess, all operations related to monitoring and changing the state of the cluster go through this API. A good description of its capabilities can (as usual) be found in the official K8s documentation. Below I will try to present the topic in simpler language.

So, to enable auditing, we need to pass three required parameters to the container in the api-server manifest, described below:

  • --audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
  • --audit-log-path=/var/log/kube-audit/audit.log
  • --audit-log-format=json

Besides these three required parameters, there are many additional settings related to auditing: from log rotation to webhook definitions. Example log rotation parameters:

  • --audit-log-maxbackup=10
  • --audit-log-maxsize=100
  • --audit-log-maxage=7

But we will not consider them further; all details can be found in the kube-apiserver documentation.

As already mentioned, all parameters are set in the manifest with the api-server configuration (by default /etc/kubernetes/manifests/kube-apiserver.yaml), in the command section. Let us return to the three required parameters and examine them:

  1. audit-policy-file, the path to the YAML file describing the audit policy. We will come back to its contents later; for now I will note that the file must be readable by the api-server process. Therefore it has to be mounted into the container, for which you can add the following to the corresponding sections of the config (a read-only mount, since the api-server has no reason to modify its own policy):
      volumeMounts:
        - mountPath: /etc/kubernetes/policies
          name: policies
          readOnly: true
      volumes:
      - hostPath:
          path: /etc/kubernetes/policies
          type: DirectoryOrCreate
        name: policies
  2. audit-log-path, the path to the log file. The path must be accessible (and writable) to the api-server process, so we describe its mount in the same way:
      volumeMounts:
        - mountPath: /var/log/kube-audit
          name: logs
          readOnly: false
      volumes:
      - hostPath:
          path: /var/log/kube-audit
          type: DirectoryOrCreate
        name: logs
  3. audit-log-format, the format of the audit log. The default is json, but the legacy single-line text format (legacy) is also available.

Audit policy

Now about the mentioned file that describes the logging policy. The first concept of the audit policy is level, the logging level. The levels are as follows:

  • None: do not log;
  • Metadata: log the request metadata: the user, request time, resource (pod, namespace, etc.), action (verb), etc.;
  • Request: log the metadata and the request body;
  • RequestResponse: log the metadata, the request body and the response body.

The last two levels (Request and RequestResponse) do not apply to requests that do not address resources (the so-called non-resource URLs); for those only metadata is recorded, since there is no object body.

Every request goes through stages:

  • RequestReceived: the stage at which the request has been received by the handler and has not yet been passed further along the chain of handlers;
  • ResponseStarted: the response headers have been sent, but the response body has not yet been; this stage is generated only for long-running requests (for example, watch);
  • ResponseComplete: the response body has been sent and nothing more will be sent;
  • Panic: events generated when a panic (an abnormal situation) occurred.

To skip stages, use omitStages.

In a policy file we can describe several sections with different logging levels. The first rule that matches the request is applied, so specific exclusions must be placed before general catch-all rules.

The kubelet daemon watches for changes in the manifest with the api-server configuration and, if any are found, restarts the container with the api-server. But there is an important nuance: changes to the policy file are not tracked. After changing the policy file, you have to restart the api-server by hand. Since the api-server runs as a static pod, the kubectl delete command will not restart it. You have to manually run docker stop on the kube-masters where the audit policy was changed (on clusters with a containerd runtime, find and stop the container with crictl ps and crictl stop instead):

docker stop $(docker ps | grep k8s_kube-apiserver | awk '{print $1}')

When enabling auditing, keep in mind that the load on the kube-apiserver increases. In particular, memory consumption grows, for storing the request context. Logging starts after the response headers have been sent. The load also depends on the audit policy configuration.

Policy examples

Let us look at the structure of policy files using examples.

Here is the simplest policy file, which logs everything at the Metadata level:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

In a policy you can specify a list of users (Users and ServiceAccounts) and user groups. For example, this is how we ignore the system users but log everything else at the Request level (the exclusion rule comes first because the first matching rule wins):

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: None
    userGroups:
      - "system:serviceaccounts"
      - "system:nodes"
    users:
      - "system:anonymous"
      - "system:apiserver"
      - "system:kube-controller-manager"
      - "system:kube-scheduler"
  - level: Request

Targets can also be described:

  • namespaces (namespaces);
  • verbs (verbs: get, update, delete and others);
  • resources (resources, i.e. pod, configmaps etc.) and resource groups (apiGroups).

Pay attention: resources and resource groups (API groups, i.e. apiGroups), as well as their versions installed in the cluster, can be obtained with the commands:

kubectl api-resources
kubectl api-versions

The following audit policy is provided as a demonstration of best practices in the Alibaba Cloud documentation (the original declares apiVersion audit.k8s.io/v1beta1, which was removed in Kubernetes 1.24; audit.k8s.io/v1 is used here):

apiVersion: audit.k8s.io/v1
kind: Policy
# Do not log the RequestReceived stage
omitStages:
  - "RequestReceived"
rules:
  # Do not log events considered insignificant and harmless:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # the api group with the empty name, which contains
                  # the basic Kubernetes resources, called "core"
        resources: ["endpoints", "services"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # core
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["namespaces"]
  # Do not log accesses to read-only URLs:
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  # Do not log messages related to the "events" resource type:
  - level: None
    resources:
      - group: "" # core
        resources: ["events"]
  # Resources of type Secret, ConfigMap and TokenReview may contain sensitive data,
  # so for requests involving them we log only the metadata
  - level: Metadata
    resources:
      - group: "" # core
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # Responses to get, list and watch can be large; log the request but not the response body
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for the standard API resources
  - level: RequestResponse
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for all other requests
  - level: Metadata
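The matching algorithm that makes rule order matter in a policy like the one above, as an added example in Go (not code from the original article, from Alibaba Cloud, or from the api-server itself): the policy structure is mirrored in Go types, a constructed subset of the rules above is loaded, and LevelFor returns the level the api-server would use for an event. It shows the first-match rule (a get on secrets lands on the Metadata rule, not on the later Request rule), the omitted stage, the trailing-star wildcard of nonResourceURLs, and that Request and RequestResponse degrade to Metadata for non-resource URLs. The users and namespaces in the events are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Audit levels as written in the policy file.
const None, Metadata, Request, RequestResponse = "None", "Metadata", "Request", "RequestResponse"

// GroupResources mirrors one entry of a rule's "resources:" list; an empty
// Resources list means every resource of that API group.
type GroupResources struct{ Group string; Resources []string }

// PolicyRule mirrors one entry of "rules:"; an empty selector matches anything.
type PolicyRule struct {
	Level                                                 string
	Users, UserGroups, Verbs, Namespaces, NonResourceURLs []string
	Resources                                             []GroupResources
}

type Policy struct{ OmitStages []string; Rules []PolicyRule }

// Event is what the api-server knows about a request when it consults the policy.
// NonResourceURL is set (and the resource fields empty) for paths like /healthz.
type Event struct{ User, Verb, Namespace, APIGroup, Resource, NonResourceURL, Stage string; Groups []string }

func in(list []string, v string) bool {
	for _, x := range list { if x == v { return true } }
	return false
}

// sel treats an empty selector like an omitted field: it matches anything.
func sel(list []string, v string) bool { return len(list) == 0 || in(list, v) }

func anyIn(list, vs []string) bool {
	for _, v := range vs { if in(list, v) { return true } }
	return false
}

// matchURL implements the trailing "*" wildcard allowed in nonResourceURLs.
func matchURL(pattern, url string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(url, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == url
}

func (r PolicyRule) matches(e Event) bool {
	if !sel(r.Users, e.User) || !sel(r.Verbs, e.Verb) || !sel(r.Namespaces, e.Namespace) ||
		len(r.UserGroups) > 0 && !anyIn(r.UserGroups, e.Groups) {
		return false
	}
	if len(r.NonResourceURLs) > 0 { // URL rules never match resource requests
		for _, p := range r.NonResourceURLs { if e.NonResourceURL != "" && matchURL(p, e.NonResourceURL) { return true } }
		return false
	}
	if len(r.Resources) > 0 { // resource rules never match non-resource URLs
		for _, gr := range r.Resources {
			if e.NonResourceURL == "" && gr.Group == e.APIGroup && sel(gr.Resources, e.Resource) { return true }
		}
		return false
	}
	return true
}

// LevelFor applies the policy as the api-server does: an omitted stage yields no
// event, otherwise the FIRST matching rule decides (so rule order matters), and
// with no match nothing is logged. For a non-resource URL there is no object
// body, so Request and RequestResponse record only metadata.
func (p Policy) LevelFor(e Event) string {
	if in(p.OmitStages, e.Stage) { return None }
	for _, r := range p.Rules {
		if !r.matches(e) { continue }
		if e.NonResourceURL != "" && r.Level != None { return Metadata }
		return r.Level
	}
	return None
}

// samplePolicy is a constructed subset of the policy above; the catch-all
// Metadata rule is deliberately last.
func samplePolicy() Policy {
	core, apps := GroupResources{Group: ""}, GroupResources{Group: "apps"}
	return Policy{
		OmitStages: []string{"RequestReceived"},
		Rules: []PolicyRule{
			{Level: None, Users: []string{"system:kube-proxy"}, Verbs: []string{"watch"},
				Resources: []GroupResources{{Group: "", Resources: []string{"endpoints", "services"}}}},
			{Level: None, NonResourceURLs: []string{"/healthz*", "/version", "/swagger*"}},
			{Level: None, Resources: []GroupResources{{Group: "", Resources: []string{"events"}}}},
			{Level: Metadata, Resources: []GroupResources{{Group: "", Resources: []string{"secrets", "configmaps"}},
				{Group: "authentication.k8s.io", Resources: []string{"tokenreviews"}}}},
			{Level: Request, Verbs: []string{"get", "list", "watch"}, Resources: []GroupResources{core, apps}},
			{Level: RequestResponse, Resources: []GroupResources{core, apps}},
			{Level: Metadata},
		},
	}
}

func main() {
	p, done := samplePolicy(), "ResponseComplete"
	fmt.Println(p.LevelFor(Event{User: "alice", Verb: "get", Resource: "secrets", Namespace: "prod", Stage: done}))  // Metadata
	fmt.Println(p.LevelFor(Event{User: "alice", Verb: "create", Resource: "pods", Namespace: "prod", Stage: done}))  // RequestResponse
	fmt.Println(p.LevelFor(Event{User: "system:kube-proxy", Verb: "watch", Resource: "endpoints", Stage: done}))     // None
}
```

Swapping the Metadata rule for secrets with the Request rule that follows it is enough to start writing Secret contents into the audit log; running a policy through a matcher like this with a handful of representative events is a cheap way to catch such ordering mistakes before the policy reaches a control plane.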

Another good example of an audit policy is the one used in GCE.

For quick reaction to audit events, a webhook can be defined. This question is covered in the official documentation; I leave it outside the scope of this article.

Conclusions

The article gives an overview of the basic security mechanisms in Kubernetes clusters, which let you create personal user accounts, separate their rights, and log their actions. I hope it will be useful to those who face such questions in theory or in practice. I also recommend looking through the list of other materials on the topic of Kubernetes security given in the "PS": perhaps among them you will find the right details for the problems relevant to you.

PS

Read also on our blog:

Source: www.habr.com
