Configure Kubernetes auditing and profiling

Available since Cluster releases 15.0.2 and 14.0.2 for managed clusters
Available since Cluster release 16.1.0 for management clusters

This section instructs you on how to enable and configure Kubernetes auditing and profiling options for MKE using the Cluster object of your Container Cloud managed cluster. These options enable auditing and profiling of MKE performance with specialized debugging endpoints.

Note

You can also enable audit_log_configuration using the MKE API with no Container Cloud overrides. However, if you enable the option using the Cluster object, use the same object to disable the option. Otherwise, if you disable the option using the MKE API, it will be overridden by Container Cloud and enabled again.

To enable Kubernetes auditing and profiling for MKE:

  1. Open the Cluster object of your Container Cloud cluster for editing.

  2. In the spec:providerSpec:value section:

    1. Add audit configuration. For example:

      spec:
        ...
        providerSpec:
          value:
            ...
            audit:
              kubernetes:
                level: request
                includeInSupportDump: true
                apiServer:
                  enabled: true
      

      You can configure the following parameters that are also defined in the MKE configuration file:

      Note

      The names of the corresponding MKE options are marked with [] in the definitions below.

      • level

        Defines the value of [audit_log_configuration]level. Valid values are request and metadata.

      • includeInSupportDump

        Defines the value of [audit_log_configuration]support_dump_include_audit_logs. Boolean.

      • apiServer:enabled

        Defines the value of [cluster_config]kube_api_server_auditing. Boolean. If set to true but with no level set, the [audit_log_configuration]level MKE option is set to metadata.

        Note

        For management clusters, this option is enabled by default since Cluster release 16.1.0.

    2. Enable profiling:

      spec:
        ...
        providerSpec:
          value:
            ...
            profiling:
              enabled: true
      

      Enabling profiling automatically enables the following MKE configuration options:

      [cluster_config]kube_api_server_profiling_enabled
      [cluster_config]kube_controller_manager_profiling_enabled
      [cluster_config]kube_scheduler_profiling_enabled
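
The mapping described in this procedure, as an added example that is not part of the Mirantis documentation or of MKE itself: a Python check that takes a Cluster object already loaded as a dict and returns the MKE options the page says it sets, plus any audit or profiling block found outside spec:providerSpec:value. The function name, the problem messages and the sample object are assumptions; only the rules stated above are modelled.

```python
# Added example, not Mirantis code: Cluster object (dict) -> MKE options per this page.
VALID_LEVELS = ("request", "metadata")
PROFILING_OPTIONS = (
    "[cluster_config]kube_api_server_profiling_enabled",
    "[cluster_config]kube_controller_manager_profiling_enabled",
    "[cluster_config]kube_scheduler_profiling_enabled",
)

def effective_mke_options(cluster):
    """Return (options, problems); options is keyed as "[section]option"."""
    options, problems = {}, []
    spec = cluster.get("spec") or {}
    provider_spec = spec.get("providerSpec") or {}
    value = provider_spec.get("value") or {}

    # The page places both blocks under spec:providerSpec:value; flag other spots.
    for where, node in (("spec", spec), ("spec:providerSpec", provider_spec)):
        for key in ("audit", "profiling"):
            if key in node:
                problems.append(f"{key} is under {where}, not spec:providerSpec:value")

    k8s = (value.get("audit") or {}).get("kubernetes") or {}
    flags = {
        "[audit_log_configuration]support_dump_include_audit_logs":
            ("includeInSupportDump", k8s.get("includeInSupportDump")),
        "[cluster_config]kube_api_server_auditing":
            ("apiServer:enabled", (k8s.get("apiServer") or {}).get("enabled")),
    }
    for option, (name, setting) in flags.items():
        if isinstance(setting, bool):
            options[option] = setting
        elif setting is not None:
            problems.append(f"{name} must be a boolean")
    level = k8s.get("level")
    if level in VALID_LEVELS:
        options["[audit_log_configuration]level"] = level
    elif level is not None:
        problems.append(f"level {level!r} is not one of {VALID_LEVELS}")
    elif options.get("[cluster_config]kube_api_server_auditing") is True:
        # Page rule: apiServer enabled with no level set gives level metadata.
        options["[audit_log_configuration]level"] = "metadata"

    if (value.get("profiling") or {}).get("enabled") is True:
        options.update(dict.fromkeys(PROFILING_OPTIONS, True))
    return options, problems

# Constructed sample: auditing enabled with no level, profiling left under spec.
SAMPLE = {"spec": {"profiling": {"enabled": True}, "providerSpec": {"value": {
    "audit": {"kubernetes": {"apiServer": {"enabled": True}}}}}}}
```

Calling effective_mke_options(SAMPLE) reports the misplaced profiling block and shows that the audit level falls back to metadata.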