Configure Kubernetes auditing and profiling

Available since 2.24.3 (Cluster releases 15.0.2 and 14.0.2)

This section instructs you on how to enable and configure Kubernetes auditing and profiling options for MKE using the Cluster object of your Container Cloud managed or management cluster. These options enable auditing and profiling of MKE performance with specialized debugging endpoints.

Note

You can also enable audit_log_configuration using the MKE API with no Container Cloud overrides. However, if you enable the option using the Cluster object, use the same object to disable the option. Otherwise, if you disable the option using the MKE API, it will be overridden by Container Cloud and enabled again.

To enable Kubernetes auditing and profiling for MKE:

  1. Open the Cluster object of your Container Cloud cluster for editing.

  2. In the spec:providerSpec:value section:

    1. Add or configure the audit configuration. For example:

      spec:
        ...
        providerSpec:
          value:
            ...
            audit:
              kubernetes:
                level: request
                includeInSupportDump: true
                apiServer:
                  enabled: true
                  maxAge: <uint>
                  maxBackup: <uint>
                  maxSize: <uint>
      

      You can configure the following parameters that are also defined in the MKE configuration file:

      Note

      In the definitions below, the name of the corresponding MKE configuration option is given with its mke-config.toml section in square brackets, for example [cluster_config].

      • level

        Defines the value of [audit_log_configuration]level. Valid values are request and metadata.

        Note

        For management clusters, the metadata value is set by default since the Cluster release 16.1.0.

      • includeInSupportDump

        Defines the value of [audit_log_configuration]support_dump_include_audit_logs. Boolean.

      • apiServer:enabled

        Defines the value of [cluster_config]kube_api_server_auditing. Boolean. If set to true but with no level set, the [audit_log_configuration]level MKE option is set to metadata.

        Note

        For management clusters, this option is enabled by default since the Cluster release 16.1.0.

      • maxAge

        Available since Cluster releases 17.2.0 and 16.2.0 (Container Cloud 2.27.0). Defines the value of kube_api_server_audit_log_maxage. Integer. If not set, defaults to 30.

      • maxBackup

        Available since Cluster releases 17.2.0 and 16.2.0 (Container Cloud 2.27.0). Defines the value of kube_api_server_audit_log_maxbackup. Integer. If not set, defaults to 10.

      • maxSize

        Available since Cluster releases 17.2.0 and 16.2.0 (Container Cloud 2.27.0). Defines the value of kube_api_server_audit_log_maxsize. Integer. If not set, defaults to 10.

    2. Enable profiling:

      spec:
        ...
        providerSpec:
          value:
            ...
            profiling:
              enabled: true

      Enabling profiling automatically enables the following MKE configuration options:

      [cluster_config]kube_api_server_profiling_enabled
      [cluster_config]kube_controller_manager_profiling_enabled
      [cluster_config]kube_scheduler_profiling_enabled
      
  3. Since Cluster releases 17.1.4 and 16.1.4 (Container Cloud 2.26.4), manually enable audit log rotation in the MKE configuration file:

    Note

    Since Cluster releases 17.2.0 and 16.2.0 (Container Cloud 2.27.0), the parameters below are enabled automatically with their default values when you enable auditing. Therefore, skip this step on those releases.

    [cluster_config]
      kube_api_server_audit_log_maxage=30
      kube_api_server_audit_log_maxbackup=10
      kube_api_server_audit_log_maxsize=10
    

    For the configuration procedure, see MKE documentation: Configure an existing MKE cluster.

    While using this procedure, replace the command to upload the newly edited MKE configuration file with the following one:

    curl --silent --insecure -X PUT -H "X-UCP-Allow-Restricted-API: i-solemnly-swear-i-am-up-to-no-good" -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" --upload-file 'mke-config.toml' https://$MKE_HOST/api/ucp/config-toml
    
    • The value for the MKE_HOST variable has the <loadBalancerHost>:6443 format, where loadBalancerHost is the corresponding field in the cluster status.

    • The value for MKE_PASSWORD is taken from the ucp-admin-password-<clusterName> secret in the cluster namespace of the management cluster.

    • The value for MKE_USERNAME is always admin.
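As an added worked example for the procedure above (it is not part of the Mirantis documentation and not Container Cloud's or MKE's own code), the following Python script models steps 2 and 3 end to end: it takes the audit and profiling fields of spec:providerSpec:value, produces the MKE options they set using the defaults stated in the parameter list (level metadata when apiServer:enabled is true but no level is given; 30, 10 and 10 for maxAge, maxBackup and maxSize) and the three profiling options, and then merges those keys into a downloaded mke-config.toml text so that the manual edit in step 3 can be repeated without duplicating keys. The Cluster object fields and the mke-config.toml excerpt are constructed sample data; the function names, and the choice to emit the rotation keys only when apiServer:enabled is true, are assumptions of this example rather than documented Container Cloud behaviour.

```python
# Added example: map Cluster object audit/profiling fields to MKE options and
# merge them into an mke-config.toml text. Not Container Cloud or MKE code.
import re

VALID_LEVELS = {"request", "metadata"}
# MKE option names and defaults as stated in the parameter list above.
ROTATION = {
    "maxAge": ("kube_api_server_audit_log_maxage", 30),
    "maxBackup": ("kube_api_server_audit_log_maxbackup", 10),
    "maxSize": ("kube_api_server_audit_log_maxsize", 10),
}
PROFILING_KEYS = ("kube_api_server_profiling_enabled",
                  "kube_controller_manager_profiling_enabled",
                  "kube_scheduler_profiling_enabled")


def mke_options(provider_value):
    """Return {toml_section: {option: value}} for the audit/profiling fields of
    spec.providerSpec.value (a dict as loaded from the Cluster object)."""
    out = {"audit_log_configuration": {}, "cluster_config": {}}
    k8s = provider_value.get("audit", {}).get("kubernetes", {})
    api = k8s.get("apiServer", {})
    level = k8s.get("level")
    if level is not None and level not in VALID_LEVELS:
        raise ValueError(f"level must be one of {sorted(VALID_LEVELS)}, got {level!r}")
    enabled = bool(api.get("enabled", False))
    if enabled and level is None:
        level = "metadata"  # enabled with no level set -> metadata (see apiServer:enabled)
    if level is not None:
        out["audit_log_configuration"]["level"] = level
    if "includeInSupportDump" in k8s:
        out["audit_log_configuration"]["support_dump_include_audit_logs"] = bool(
            k8s["includeInSupportDump"])
    out["cluster_config"]["kube_api_server_auditing"] = enabled
    if enabled:  # assumption of this example: rotation keys only when auditing is on
        for field, (option, default) in ROTATION.items():
            value = api.get(field, default)
            if isinstance(value, bool) or not isinstance(value, int) or value < 0:
                raise ValueError(f"{field} must be an unsigned integer, got {value!r}")
            out["cluster_config"][option] = value
    if provider_value.get("profiling", {}).get("enabled", False):
        for option in PROFILING_KEYS:
            out["cluster_config"][option] = True
    return out


def toml_scalar(value):
    # Render a bool, int or string as a TOML literal.
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def set_toml_keys(toml_text, section, values):
    """Set flat key = value pairs under [section]: keys already present there are
    replaced in place, the rest appended; the section is created if absent.
    Handles only the one-line scalar settings used in mke-config.toml."""
    lines = toml_text.splitlines()
    start = next((i for i, ln in enumerate(lines) if ln.strip() == f"[{section}]"), None)
    if start is None:
        if lines and lines[-1].strip():
            lines.append("")
        lines.append(f"[{section}]")
        start = len(lines) - 1
    end = next((j for j in range(start + 1, len(lines))
                if lines[j].lstrip().startswith("[")), len(lines))
    pending = dict(values)
    for j in range(start + 1, end):
        m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*=", lines[j])
        if m and m.group(1) in pending:
            lines[j] = f"  {m.group(1)} = {toml_scalar(pending.pop(m.group(1)))}"
    insert_at = end
    while insert_at > start + 1 and not lines[insert_at - 1].strip():
        insert_at -= 1  # keep new keys adjacent to the section's existing keys
    for key, value in pending.items():
        lines.insert(insert_at, f"  {key} = {toml_scalar(value)}")
        insert_at += 1
    return "\n".join(lines) + "\n"


def apply_to_mke_config(toml_text, provider_value):
    """Merge every option derived from the Cluster object into the TOML text."""
    for section, values in mke_options(provider_value).items():
        if values:
            toml_text = set_toml_keys(toml_text, section, values)
    return toml_text


# Constructed sample data, not taken from a real cluster.
SAMPLE_PROVIDER_VALUE = {
    "audit": {"kubernetes": {"includeInSupportDump": True,
                             "apiServer": {"enabled": True, "maxAge": 14}}},
    "profiling": {"enabled": True},
}
SAMPLE_MKE_CONFIG = """\
[cluster_config]
  kube_api_server_auditing = false
  kube_api_server_audit_log_maxage = 7

[audit_log_configuration]
  level = ""
"""

if __name__ == "__main__":
    print(apply_to_mke_config(SAMPLE_MKE_CONFIG, SAMPLE_PROVIDER_VALUE), end="")
```

Running the script prints the merged TOML: kube_api_server_auditing becomes true, the existing maxage line is replaced with 14 rather than duplicated, maxbackup and maxsize are added with their defaults, the three profiling options are appended, and level in [audit_log_configuration] becomes "metadata" because the sample sets apiServer:enabled without a level. Write that output to mke-config.toml and upload it with the curl command shown in step 3.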