Configure Kubernetes auditing and profiling

Available since MCC 2.24.3 (Cluster releases 15.0.2 and 14.0.2)
This section instructs you on how to enable and configure Kubernetes auditing and profiling options for MKE using the Cluster object of your MOSK managed or management cluster. These options enable auditing and profiling of MKE performance with specialized debugging endpoints.
Note

You can also enable audit_log_configuration using the MKE API with no MOSK overrides. However, if you enable the option using the Cluster object, use the same object to disable the option. Otherwise, if you disable the option using the MKE API, it will be overridden by MOSK and enabled again.
References:

- For MOSK overrides, see Container Cloud documentation: Reference Architecture: MKE options managed by Container Cloud
- For configuration using the MKE API, see MKE documentation: Enable MKE audit logging
To enable Kubernetes auditing and profiling for MKE:

1. Open the Cluster object of your MOSK cluster for editing.

2. In the spec:providerSpec:value: section:

   1. Add or configure the audit configuration. For example:

          spec:
            ...
            providerSpec:
              value:
                ...
                audit:
                  kubernetes:
                    level: request
                    includeInSupportDump: true
                    apiServer:
                      enabled: true
                      maxAge: <uint>
                      maxBackup: <uint>
                      maxSize: <uint>
      You can configure the following parameters, which are also defined in the MKE configuration file:

      Note

      The names of the corresponding MKE options are marked with [] in the definitions below.

      level
          Defines the value of [audit_log_configuration]level. Valid values are request and metadata.

          Note

          For management clusters, the metadata value is set by default since Container Cloud 2.26.0 (Cluster release 16.1.0).

      includeInSupportDump
          Defines the value of [audit_log_configuration]support_dump_include_audit_logs. Boolean.

      apiServer:enabled
          Defines the value of [cluster_config]kube_api_server_auditing. Boolean. If set to true but with no level set, the [audit_log_configuration]level MKE option is set to metadata.

          Note

          For management clusters, this option is enabled by default since Container Cloud 2.26.0 (Cluster release 16.1.0).

      maxAge
          Available since Container Cloud 2.27.0 (Cluster releases 17.2.0 and 16.2.0). Defines the value of kube_api_server_audit_log_maxage. Integer. If not set, defaults to 30.

      maxBackup
          Available since Container Cloud 2.27.0 (Cluster releases 17.2.0 and 16.2.0). Defines the value of kube_api_server_audit_log_maxbackup. Integer. If not set, defaults to 10.

      maxSize
          Available since Container Cloud 2.27.0 (Cluster releases 17.2.0 and 16.2.0). Defines the value of kube_api_server_audit_log_maxsize. Integer. If not set, defaults to 10.
   2. Enable profiling:

          spec:
            ...
            providerSpec:
              value:
                ...
                profiling:
                  enabled: true

      Enabling profiling automatically enables the following MKE configuration options:

          [cluster_config]kube_api_server_profiling_enabled
          [cluster_config]kube_controller_manager_profiling_enabled
          [cluster_config]kube_scheduler_profiling_enabled
3. Since Container Cloud 2.26.4 (Cluster releases 17.1.4 and 16.1.4), manually enable audit log rotation in the MKE configuration file:

   Note

   Since Container Cloud 2.27.0 (Cluster releases 17.2.0 and 16.2.0), the parameters below are automatically enabled with default values along with the auditing feature. Therefore, skip this step.

       [cluster_config]
       kube_api_server_audit_log_maxage=30
       kube_api_server_audit_log_maxbackup=10
       kube_api_server_audit_log_maxsize=10

   For the configuration procedure, see MKE documentation: Configure an existing MKE cluster.

   While using this procedure, replace the command to upload the newly edited MKE configuration file with the following one (note that --insecure disables TLS certificate verification for this call):

       curl --silent --insecure -X PUT -H "X-UCP-Allow-Restricted-API: i-solemnly-swear-i-am-up-to-no-good" -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" --upload-file 'mke-config.toml' https://$MKE_HOST/api/ucp/config-toml
   The variables used in the referenced procedure take the following values:

   - The value for the MKE_HOST variable has the <loadBalancerHost>:6443 format, where loadBalancerHost is the corresponding field in the cluster status.
   - The value for MKE_PASSWORD is taken from the ucp-admin-password-<clusterName> secret in the cluster namespace of the management cluster.
   - The value for MKE_USERNAME is always admin.
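The following script is an added illustration, not MOSK or MKE code. It takes the spec.providerSpec.value section of a Cluster object (already parsed into a Python dict) and renders the MKE configuration options that the parameter definitions above say are affected, applying the documented rules: an invalid level is rejected, apiServer.enabled without a level falls back to metadata, the rotation options default to 30/10/10, and profiling enables the three profiling options. It also includes a small line-based check that tells you which rotation keys are still missing from an existing MKE configuration file, which is the manual step required before Container Cloud 2.27.0. The function names and the sample spec are constructed for this example.

```python
"""Render MKE options implied by a MOSK Cluster object audit/profiling spec.

Added example, not Mirantis code. The option names and defaults follow the
parameter definitions documented for the Cluster object; the helper names
(render_mke_options, to_toml_lines, missing_rotation_options) are hypothetical.
"""
from typing import Dict, List

VALID_LEVELS = ("request", "metadata")
# Documented defaults for the rotation options (Container Cloud 2.27.0+).
ROTATION_DEFAULTS = {"maxAge": 30, "maxBackup": 10, "maxSize": 10}
ROTATION_OPTIONS = {
    "maxAge": "kube_api_server_audit_log_maxage",
    "maxBackup": "kube_api_server_audit_log_maxbackup",
    "maxSize": "kube_api_server_audit_log_maxsize",
}
PROFILING_OPTIONS = (
    "kube_api_server_profiling_enabled",
    "kube_controller_manager_profiling_enabled",
    "kube_scheduler_profiling_enabled",
)


def render_mke_options(value: dict) -> Dict[str, Dict[str, object]]:
    """Map spec.providerSpec.value to the MKE sections it touches.

    Returns {"audit_log_configuration": {...}, "cluster_config": {...}}.
    """
    audit_cfg: Dict[str, object] = {}
    cluster_cfg: Dict[str, object] = {}

    k8s = (value.get("audit") or {}).get("kubernetes") or {}
    api = k8s.get("apiServer") or {}
    level = k8s.get("level")
    if level is not None and level not in VALID_LEVELS:
        raise ValueError(f"level must be one of {VALID_LEVELS}, got {level!r}")
    if level is not None:
        audit_cfg["level"] = level
    if "includeInSupportDump" in k8s:
        audit_cfg["support_dump_include_audit_logs"] = bool(k8s["includeInSupportDump"])

    if api.get("enabled"):
        cluster_cfg["kube_api_server_auditing"] = True
        # Documented rule: enabled without an explicit level means metadata.
        if level is None:
            audit_cfg["level"] = "metadata"
        # Rotation options are unsigned integers; unset ones take the defaults.
        for key, opt in ROTATION_OPTIONS.items():
            raw = api.get(key, ROTATION_DEFAULTS[key])
            if isinstance(raw, bool) or not isinstance(raw, int) or raw < 0:
                raise ValueError(f"{key} must be an unsigned integer, got {raw!r}")
            cluster_cfg[opt] = raw
    elif "enabled" in api:
        cluster_cfg["kube_api_server_auditing"] = False

    if (value.get("profiling") or {}).get("enabled"):
        for opt in PROFILING_OPTIONS:
            cluster_cfg[opt] = True

    return {"audit_log_configuration": audit_cfg, "cluster_config": cluster_cfg}


def to_toml_lines(sections: Dict[str, Dict[str, object]]) -> List[str]:
    """Emit the sections as TOML lines in the style of the MKE config file."""
    lines: List[str] = []
    for name, opts in sections.items():
        if not opts:
            continue
        lines.append(f"[{name}]")
        for key, val in opts.items():
            if isinstance(val, bool):
                lines.append(f"{key}={'true' if val else 'false'}")
            elif isinstance(val, int):
                lines.append(f"{key}={val}")
            else:
                lines.append(f'{key}="{val}"')
    return lines


def missing_rotation_options(toml_text: str) -> List[str]:
    """Pre-2.27.0 check: rotation keys absent from [cluster_config]."""
    present = set()
    section = None
    for raw in toml_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.strip("[]").strip()
        elif section == "cluster_config" and "=" in line:
            present.add(line.split("=", 1)[0].strip())
    return [opt for opt in ROTATION_OPTIONS.values() if opt not in present]


if __name__ == "__main__":
    # Constructed sample of spec.providerSpec.value, not a real cluster.
    sample_value = {
        "audit": {"kubernetes": {"level": "request", "includeInSupportDump": True,
                                 "apiServer": {"enabled": True, "maxAge": 7}}},
        "profiling": {"enabled": True},
    }
    print("\n".join(to_toml_lines(render_mke_options(sample_value))))
```

Running the script prints the audit_log_configuration and cluster_config sections that the sample spec implies; feeding an existing mke-config.toml to missing_rotation_options lists the rotation keys you still need to add by hand on releases before Container Cloud 2.27.0.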