resource-auditing
Overview
This project provides an auditing system for network-policy-related Kubernetes
resources and Antrea-specific CRDs. It tracks creations, updates, and deletions
of these resources, storing them as YAML files backed by a Git repository. The
system also comes with a CLI for querying and filtering the repository for
changes based on filters such as date range or the service account responsible
for those changes, as well as a tagging and rollback feature for reverting the
cluster state when the current cluster state is undesirable. A web UI service is
linked to the repository, allowing easy visualization of the entire history of
resource configurations.
Getting Started
Ensure kubectl is running correctly prior to getting started. A label is used to
specify the Node on which all audit services run. The nodeAffinity field is used
to schedule the Pods to the correct Node(s) and relies on Node labels to
determine them. The label can be applied with:
kubectl label nodes <node-name> audit=target
Run the following command on the Node that was just labelled to create the
directory the repository will be stored in:
mkdir -p /data/antrea-audit
Connect to the control Node and copy audit-policy.yaml and audit-config.yaml to
/etc/kubernetes/addons. If this directory does not exist, create it with:
mkdir -p /etc/kubernetes/addons
Modify the kube-apiserver.yaml manifest by adding the following lines (the
audit flags go into the kube-apiserver command, the mounts into the container's
volumeMounts, and the hostPath entries into the Pod's volumes):
  - command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/addons/audit-policy.yaml
    - --audit-webhook-config-file=/etc/kubernetes/addons/audit-config.yaml
    ...
    volumeMounts:
    - mountPath: /etc/kubernetes/addons/audit-policy.yaml
      name: audit-policy
      readOnly: true
    - mountPath: /etc/kubernetes/addons/audit-config.yaml
      name: audit-config
      readOnly: true
  ...
  volumes:
  - hostPath:
      path: /etc/kubernetes/addons/audit-policy.yaml
      type: File
    name: audit-policy
  - hostPath:
      path: /etc/kubernetes/addons/audit-config.yaml
      type: File
    name: audit-config
Exit the control Node. To deploy the most recent version of resource-auditing,
use the checked-in deployment YAML:
kubectl apply -f https://raw.githubusercontent.com/antrea-io/resource-auditing/tree/main/build/yamls
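As an added check that is not part of the resource-auditing project, the following POSIX shell script verifies that a kube-apiserver manifest carries both audit flags, both mounts and both volumes from the steps above, and that each mount is readOnly. It assumes the /etc/kubernetes/addons paths used in this README; the two manifests it inspects are constructed samples written to temporary files.

```shell
#!/bin/sh
# Added example, not project code: check that a kube-apiserver static Pod
# manifest has the audit flags and read-only hostPath mounts from the steps above.
POLICY=/etc/kubernetes/addons/audit-policy.yaml
CONFIG=/etc/kubernetes/addons/audit-config.yaml
# check_apiserver_audit <manifest>: returns 0 when both flags, mounts and
# volumes are present and each mount is readOnly; else lists what is missing.
check_apiserver_audit() {
  m="$1"; rc=0
  for needle in "--audit-policy-file=$POLICY" "--audit-webhook-config-file=$CONFIG" \
                "mountPath: $POLICY" "mountPath: $CONFIG" "path: $POLICY" "path: $CONFIG"; do
    grep -qF -- "$needle" "$m" || { echo "missing: $needle"; rc=1; }
  done
  for p in "$POLICY" "$CONFIG"; do
    # "readOnly: true" must appear within two lines after the matching mountPath
    awk -v key="mountPath: $p" 'index($0,key){at=NR} at&&NR<=at+2&&/readOnly: true/{ok=1} END{exit !ok}' "$m" \
      || { echo "mount not readOnly: $p"; rc=1; }
  done
  return $rc
}
# Constructed sample: the manifest fragment from the README, fully wired.
GOOD=$(mktemp)
cat >"$GOOD" <<EOF
  - command:
    - kube-apiserver
    - --audit-policy-file=$POLICY
    - --audit-webhook-config-file=$CONFIG
    volumeMounts:
    - mountPath: $POLICY
      name: audit-policy
      readOnly: true
    - mountPath: $CONFIG
      name: audit-config
      readOnly: true
  volumes:
  - hostPath:
      path: $POLICY
      type: File
    name: audit-policy
  - hostPath:
      path: $CONFIG
      type: File
    name: audit-config
EOF
# Constructed sample: webhook flag dropped and the config mount left writable.
BAD=$(mktemp)
awk '/--audit-webhook-config-file/ {next} /readOnly: true/ && ++seen == 2 {next} {print}' "$GOOD" >"$BAD"
check_apiserver_audit "$GOOD" && echo "ok: $GOOD"
check_apiserver_audit "$BAD" || echo "needs fixing: $BAD"
```

Run it against the real manifest with `check_apiserver_audit /etc/kubernetes/manifests/kube-apiserver.yaml` after the edit above to confirm nothing was dropped.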
Contributing
The Antrea community welcomes new contributors. We are waiting for your PRs!