Configure Kubernetes auditing and profiling
This section instructs you on how to configure Kubernetes auditing and
profiling options for MKE using the Cluster object of your
MOSK or management cluster. These options enable auditing
and profiling of MKE performance with specialized debugging endpoints.
Note
For management clusters, auditing is enabled by default.
Note
You can also enable audit_log_configuration using the MKE API
with no MOSK overrides. However, if you enable the option
using the Cluster object, use the same object to disable the option.
Otherwise, if you disable the option using the MKE API, it will be
overridden by MOSK and enabled again.
References:
For MOSK overrides, see Reference Architecture: MKE options managed by MOSK
For configuration using the MKE API, see MKE documentation: Enable MKE audit logging
To configure Kubernetes auditing and profiling for MKE:
Open the Cluster object of your MOSK or management cluster for editing.
In the spec:providerSpec:value: section:
Add or configure the audit configuration. For example:
    spec:
      ...
      providerSpec:
        value:
          ...
          audit:
            kubernetes:
              level: request
              includeInSupportDump: true
              apiServer:
                enabled: true
                maxAge: <uint>
                maxBackup: <uint>
                maxSize: <uint>
You can configure the following parameters that are also defined in the MKE configuration file:
Note
The names of the corresponding MKE options are marked with [] in the definitions below.
level
    Defines the value of [audit_log_configuration]level. Valid values are request and metadata.
    Note
    For management clusters, the metadata value is set by default.
includeInSupportDump
    Defines the value of [audit_log_configuration]support_dump_include_audit_logs. Boolean.
apiServer:enabled
    Defines the value of [cluster_config]kube_api_server_auditing. Boolean. If set to true but with no level set, the [audit_log_configuration]level MKE option is set to metadata.
    Note
    For management clusters, this option is enabled by default.
maxAge
    Defines the value of kube_api_server_audit_log_maxage. Integer. If not set, defaults to 30.
maxBackup
    Defines the value of kube_api_server_audit_log_maxbackup. Integer. If not set, defaults to 10.
maxSize
    Defines the value of kube_api_server_audit_log_maxsize. Integer. If not set, defaults to 10.
Enable profiling:
    spec:
      ...
      providerSpec:
        value:
          ...
          profiling:
            enabled: true
Enabling profiling automatically enables the following MKE configuration options:
    [cluster_config]kube_api_server_profiling_enabled
    [cluster_config]kube_controller_manager_profiling_enabled
    [cluster_config]kube_scheduler_profiling_enabled
For the configuration procedure, see MKE documentation: Configure an existing MKE cluster.
While using this procedure, replace the command to upload the newly edited MKE configuration file with the following one:
curl --silent --insecure -X PUT -H "X-UCP-Allow-Restricted-API: i-solemnly-swear-i-am-up-to-no-good" -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" --upload-file 'mke-config.toml' https://$MKE_HOST/api/ucp/config-toml
The value for the MKE_HOST variable has the <loadBalancerHost>:6443 format, where loadBalancerHost is the corresponding field in the cluster status.
The value for MKE_PASSWORD is taken from the ucp-admin-password-<clusterName> secret in the cluster namespace of the management cluster.
The value for MKE_USERNAME is always admin.
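The mapping from Cluster object fields to MKE options described in this procedure can be checked against a live MKE configuration to confirm that auditing is still in effect. The following is an added example, not code from Mirantis or from this page: the function names, the sample values, and the placement of the retention options under [cluster_config] are assumptions of the example.

```python
# Added example (not Mirantis code): expected MKE options and a drift check.
VALID_LEVELS = {"request", "metadata"}
# Cluster field -> (MKE option, default stated on this page).
RETENTION = {"maxAge": ("kube_api_server_audit_log_maxage", 30),
             "maxBackup": ("kube_api_server_audit_log_maxbackup", 10),
             "maxSize": ("kube_api_server_audit_log_maxsize", 10)}
PROFILING = tuple(f"kube_{c}_profiling_enabled"
                  for c in ("api_server", "controller_manager", "scheduler"))

def expected_mke_options(value, management=False):
    """Map spec.providerSpec.value to the MKE options it should produce."""
    audit = (value.get("audit") or {}).get("kubernetes") or {}
    api = audit.get("apiServer") or {}
    level = audit.get("level")
    if level is not None and level not in VALID_LEVELS:
        raise ValueError(f"invalid audit level: {level!r}")
    # Management clusters audit by default, at the metadata level.
    enabled = bool(api.get("enabled", management))
    if enabled and level is None:
        level = "metadata"
    alc, cc = {}, {}
    if level is not None:
        alc["level"] = level
    if "includeInSupportDump" in audit:
        alc["support_dump_include_audit_logs"] = bool(audit["includeInSupportDump"])
    # Assumption: a field left unset on a MOSK cluster is not overridden, so skip it.
    if "enabled" in api or management:
        cc["kube_api_server_auditing"] = enabled
    if enabled:
        # Assumption: retention options sit in [cluster_config]; compared only while auditing is on.
        for field, (option, default) in RETENTION.items():
            cc[option] = int(api.get(field, default))
    if (value.get("profiling") or {}).get("enabled"):
        cc.update(dict.fromkeys(PROFILING, True))
    return {"audit_log_configuration": alc, "cluster_config": cc}

def drift(expected, actual):
    """Return (section, option, expected, actual) for every mismatch."""
    return [(sec, opt, want, actual.get(sec, {}).get(opt))
            for sec, opts in expected.items() for opt, want in opts.items()
            if actual.get(sec, {}).get(opt) != want]

# Constructed sample: a live config in which auditing was switched off via the MKE API.
CLUSTER_VALUE = {"audit": {"kubernetes": {"apiServer": {"enabled": True, "maxAge": 7}}},
                 "profiling": {"enabled": True}}
LIVE_MKE = expected_mke_options(CLUSTER_VALUE)
LIVE_MKE["cluster_config"]["kube_api_server_auditing"] = False
FINDINGS = drift(expected_mke_options(CLUSTER_VALUE), LIVE_MKE)
```

To run the check against a real cluster, parse the downloaded mke-config.toml into a dictionary (for example with tomllib on Python 3.11 or later) and pass it as the actual argument of drift.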