Configure Kubernetes auditing and profiling
Available since 2.24.3 (Cluster releases 15.0.2 and 14.0.2)

This section instructs you on how to enable and configure Kubernetes auditing and profiling options for MKE using the Cluster object of your Container Cloud managed or management cluster. These options enable auditing and profiling of MKE performance with specialized debugging endpoints.
Note

You can also enable audit_log_configuration using the MKE API with no Container Cloud overrides. However, if you enable the option using the Cluster object, use the same object to disable the option. Otherwise, if you disable the option using the MKE API, it will be overridden by Container Cloud and enabled again.
References:

  - For Container Cloud overrides, see Reference Architecture: MKE options managed by Container Cloud
  - For configuration using the MKE API, see MKE documentation: Enable MKE audit logging
To enable Kubernetes auditing and profiling for MKE:

1. Open the Cluster object of your Container Cloud cluster for editing.

2. In the spec:providerSpec:value: section:

   a. Add or configure the audit configuration. For example:

      spec:
        ...
        providerSpec:
          value:
            ...
            audit:
              kubernetes:
                level: request
                includeInSupportDump: true
                apiServer:
                  enabled: true
                  maxAge: <uint>
                  maxBackup: <uint>
                  maxSize: <uint>
      You can configure the following parameters that are also defined in the MKE configuration file:

      Note

      The names of the corresponding MKE options are marked with [] in the below definitions.

      level
        Defines the value of [audit_log_configuration]level. Valid values are request and metadata.

        Note: For management clusters, the metadata value is set by default since the Cluster release 16.1.0.

      includeInSupportDump
        Defines the value of [audit_log_configuration]support_dump_include_audit_logs. Boolean.

      apiServer:enabled
        Defines the value of [cluster_config]kube_api_server_auditing. Boolean. If set to true but with no level set, the [audit_log_configuration]level MKE option is set to metadata.

        Note: For management clusters, this option is enabled by default since the Cluster release 16.1.0.

      maxAge
        Available since Cluster releases 17.2.0 and 16.2.0 (Container Cloud 2.27.0). Defines the value of kube_api_server_audit_log_maxage. Integer. If not set, defaults to 30.

      maxBackup
        Available since Cluster releases 17.2.0 and 16.2.0 (Container Cloud 2.27.0). Defines the value of kube_api_server_audit_log_maxbackup. Integer. If not set, defaults to 10.

      maxSize
        Available since Cluster releases 17.2.0 and 16.2.0 (Container Cloud 2.27.0). Defines the value of kube_api_server_audit_log_maxsize. Integer. If not set, defaults to 10.
   b. Enable profiling:

      spec:
        ...
        providerSpec:
          value:
            ...
            profiling:
              enabled: true

      Enabling profiling automatically enables the following MKE configuration options:

        [cluster_config]kube_api_server_profiling_enabled
        [cluster_config]kube_controller_manager_profiling_enabled
        [cluster_config]kube_scheduler_profiling_enabled
3. Since Cluster releases 17.1.4 and 16.1.4 (Container Cloud 2.26.4), manually enable audit log rotation in the MKE configuration file:

   Note

   Since Cluster releases 17.2.0 and 16.2.0 (Container Cloud 2.27.0), the below parameters are automatically enabled with default values along with the auditing feature. Therefore, skip this step.

     [cluster_config]
     kube_api_server_audit_log_maxage=30
     kube_api_server_audit_log_maxbackup=10
     kube_api_server_audit_log_maxsize=10

   For the configuration procedure, see MKE documentation: Configure an existing MKE cluster.

   While using this procedure, replace the command to upload the newly edited MKE configuration file with the following one:

     curl --silent --insecure -X PUT -H "X-UCP-Allow-Restricted-API: i-solemnly-swear-i-am-up-to-no-good" -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" --upload-file 'mke-config.toml' https://$MKE_HOST/api/ucp/config-toml
   The values of the variables used in this command are the following:

     - MKE_HOST has the <loadBalancerHost>:6443 format, where loadBalancerHost is the corresponding field in the cluster status.
     - MKE_PASSWORD is taken from the ucp-admin-password-<clusterName> secret in the cluster namespace of the management cluster.
     - MKE_USERNAME is always admin.
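The following is an added example, not code from the Mirantis documentation or from Container Cloud itself. It takes the audit.kubernetes section of a Cluster object (a constructed sample, embedded as a dict) and derives the MKE configuration options this page maps it to, applying the stated rules: level is restricted to request or metadata, apiServer.enabled without a level falls back to metadata, and the rotation parameters default to 30/10/10. The function name resolve_audit_options and its validation behaviour are assumptions.

```python
# Added example (not part of the Mirantis documentation or product code).
# Derives the effective MKE audit options implied by the audit.kubernetes
# section of a Container Cloud Cluster object, as described on this page.
# resolve_audit_options and its ValueError behaviour are assumptions.

VALID_LEVELS = {"request", "metadata"}
ROTATION_DEFAULTS = {"maxAge": 30, "maxBackup": 10, "maxSize": 10}


def resolve_audit_options(cluster):
    """Return the MKE options implied by a Cluster object as {"[section]option": value}.

    Raises ValueError for values the documented schema does not allow.
    """
    audit = (cluster.get("spec", {}).get("providerSpec", {})
             .get("value", {}).get("audit", {}).get("kubernetes", {}))
    api_server = audit.get("apiServer", {})
    level = audit.get("level")
    if level is not None and level not in VALID_LEVELS:
        raise ValueError(f"level must be one of {sorted(VALID_LEVELS)}, got {level!r}")
    enabled = bool(api_server.get("enabled", False))
    # apiServer.enabled=true with no level set leaves MKE at the metadata level.
    if enabled and level is None:
        level = "metadata"
    options = {
        "[cluster_config]kube_api_server_auditing": enabled,
        "[audit_log_configuration]level": level,
        "[audit_log_configuration]support_dump_include_audit_logs":
            bool(audit.get("includeInSupportDump", False)),
    }
    # Rotation parameters are unsigned integers; unset ones take the defaults.
    for key, default in ROTATION_DEFAULTS.items():
        value = api_server.get(key, default)
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"{key} must be an unsigned integer, got {value!r}")
        options[f"[cluster_config]kube_api_server_audit_log_{key.lower()}"] = value
    return options


# Constructed sample Cluster object containing only the relevant fields.
SAMPLE_CLUSTER = {
    "spec": {"providerSpec": {"value": {"audit": {"kubernetes": {
        "includeInSupportDump": True,
        "apiServer": {"enabled": True, "maxAge": 14},
    }}}}}
}

if __name__ == "__main__":
    for option, value in resolve_audit_options(SAMPLE_CLUSTER).items():
        print(f"{option} = {value}")
```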