Configure Kubernetes auditing and profiling

Available since MCC 2.24.3 (Cluster releases 15.0.2 and 14.0.2)

This section instructs you on how to enable and configure Kubernetes auditing and profiling options for MKE using the Cluster object of your MOSK managed or management cluster. These options enable auditing and profiling of MKE performance with specialized debugging endpoints.

Note

You can also enable audit_log_configuration using the MKE API with no MOSK overrides. However, if you enable the option using the Cluster object, use the same object to disable the option. Otherwise, if you disable the option using the MKE API, it will be overridden by MOSK and enabled again.

To enable Kubernetes auditing and profiling for MKE:

  1. Open the Cluster object of your MOSK cluster for editing.

  2. In spec:providerSpec:value: section:

    1. Add or configure the audit configuration. For example:

      spec:
        ...
        providerSpec:
          value:
            ...
            audit:
              kubernetes:
                level: request
                includeInSupportDump: true
                apiServer:
                  enabled: true
                  maxAge: <uint>
                  maxBackup: <uint>
                  maxSize: <uint>
      

      The following parameters correspond to options in the MKE configuration file:

      Note

      The names of the corresponding MKE options are marked with [] in the below definitions.

      • level

        Defines the value of [audit_log_configuration]level. Valid values are request and metadata.

        Note

        For management clusters, the metadata value is set by default since Container Cloud 2.26.0 (Cluster release 16.1.0).

      • includeInSupportDump

        Defines the value of [audit_log_configuration]support_dump_include_audit_logs. Boolean.

      • apiServer:enabled

        Defines the value of [cluster_config]kube_api_server_auditing. Boolean. If set to true but with no level set, the [audit_log_configuration]level MKE option is set to metadata.

        Note

        For management clusters, this option is enabled by default since Container Cloud 2.26.0 (Cluster release 16.1.0).

      • maxAge

        Available since Container Cloud 2.27.0 (Cluster releases 17.2.0 and 16.2.0). Defines the value of kube_api_server_audit_log_maxage. Integer. If not set, defaults to 30.

      • maxBackup

        Available since Container Cloud 2.27.0 (Cluster releases 17.2.0 and 16.2.0). Defines the value of kube_api_server_audit_log_maxbackup. Integer. If not set, defaults to 10.

      • maxSize

        Available since Container Cloud 2.27.0 (Cluster releases 17.2.0 and 16.2.0). Defines the value of kube_api_server_audit_log_maxsize. Integer. If not set, defaults to 10.

    2. Enable profiling:

      spec:
        ...
        providerSpec:
          value:
            ...
            profiling:
              enabled: true
      

      Enabling profiling automatically enables the following MKE configuration options:

      [cluster_config]kube_api_server_profiling_enabled
      [cluster_config]kube_controller_manager_profiling_enabled
      [cluster_config]kube_scheduler_profiling_enabled
      
  3. Since Container Cloud 2.26.4 (Cluster releases 17.1.4 and 16.1.4), manually enable audit log rotation in the MKE configuration file:

    Note

    Since Container Cloud 2.27.0 (Cluster releases 17.2.0 and 16.2.0), the below parameters are automatically enabled with default values along with the auditing feature. Therefore, skip this step.

    [cluster_config]
      kube_api_server_audit_log_maxage=30
      kube_api_server_audit_log_maxbackup=10
      kube_api_server_audit_log_maxsize=10
    

    For the configuration procedure, see MKE documentation: Configure an existing MKE cluster.

    While using this procedure, replace the command to upload the newly edited MKE configuration file with the following one:

    curl --silent --insecure -X PUT -H "X-UCP-Allow-Restricted-API: i-solemnly-swear-i-am-up-to-no-good" -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" --upload-file 'mke-config.toml' https://$MKE_HOST/api/ucp/config-toml
    
    • The value for the MKE_HOST variable has the <loadBalancerHost>:6443 format, where loadBalancerHost is the corresponding field in the cluster status.

    • The value for MKE_PASSWORD is taken from the ucp-admin-password-<clusterName> secret in the cluster namespace of the management cluster.

    • The value for MKE_USERNAME is always admin.
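As an added example that is not part of the Mirantis documentation, the following Python script applies the parameter mapping from step 2 to a constructed spec.providerSpec.value dictionary and reports the MKE options it implies, so that the level fallback to metadata and the rotation defaults can be checked before the MKE configuration file is uploaded. The sample dictionary and the function names are the example's own.

```python
# Added example, not Mirantis code: derive the MKE configuration options that the
# audit and profiling sections of a Cluster object (spec.providerSpec.value) imply,
# following the parameter mapping and defaults described on this page.

VALID_LEVELS = ("request", "metadata")
# Rotation defaults applied since Container Cloud 2.27.0 when the fields are unset.
ROTATION_DEFAULTS = {"maxAge": 30, "maxBackup": 10, "maxSize": 10}


def effective_mke_options(value: dict) -> dict:
    """Map spec.providerSpec.value to {'<toml section>': {option: value}};
    raises ValueError for values the page documents as invalid."""
    audit_cfg, cluster_cfg = {}, {}
    k8s = value.get("audit", {}).get("kubernetes", {})
    api = k8s.get("apiServer", {})

    level = k8s.get("level")
    if level is not None:
        if level not in VALID_LEVELS:
            raise ValueError(f"level must be one of {VALID_LEVELS}, got {level!r}")
        audit_cfg["level"] = level

    if api.get("enabled") is True:
        cluster_cfg["kube_api_server_auditing"] = True
        # apiServer.enabled without an explicit level: MKE falls back to metadata.
        audit_cfg.setdefault("level", "metadata")
        for field, default in ROTATION_DEFAULTS.items():
            n = api.get(field, default)
            if isinstance(n, bool) or not isinstance(n, int) or n < 0:
                raise ValueError(f"apiServer.{field} must be an unsigned integer, got {n!r}")
            cluster_cfg[f"kube_api_server_audit_log_{field.lower()}"] = n

    if "includeInSupportDump" in k8s:
        audit_cfg["support_dump_include_audit_logs"] = bool(k8s["includeInSupportDump"])

    if value.get("profiling", {}).get("enabled") is True:
        for comp in ("kube_api_server", "kube_controller_manager", "kube_scheduler"):
            cluster_cfg[f"{comp}_profiling_enabled"] = True

    return {"audit_log_configuration": audit_cfg, "cluster_config": cluster_cfg}


# Constructed sample based on the page's YAML, with level deliberately omitted.
SAMPLE_VALUE = {
    "audit": {"kubernetes": {"includeInSupportDump": True,
                             "apiServer": {"enabled": True, "maxAge": 7}}},
    "profiling": {"enabled": True},
}
```

Comparing the returned sections with the [cluster_config] and [audit_log_configuration] sections of the downloaded mke-config.toml shows whether a value set via the MKE API has been overridden by the Cluster object.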