Fix audit-policies deployment

2020-07-30 18:31:04 +02:00 · 2020-07-30 18:31:04 +02:00 · 743684edd4
commit 743684edd4
parent 0c49098177
3 changed files with 12 additions and 4 deletions
--- a/files/etc/kubernetes/policies/audit-policy.yaml
+++ b/files/etc/kubernetes/policies/audit-policy.yaml
--- a/tasks/install_server.yml
+++ b/tasks/install_server.yml
@ -133,18 +133,21 @@

 - name: Secure etcd directory
  file:
-    path: "/var/lib/etcd"
+    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: 0700
+  with_items:
+    - "/var/lib/etcd"
+    - "/etc/kubernetes/policies"
  when:
    - kubernetes_master|bool

 - name: Configure kubelet service
  file:
-    src: "etc/kubernetes/audit-policy.yaml"
-    dest: "/etc/kubernetes/audit-policy.yaml"
+    src: "etc/kubernetes/policies/audit-policy.yaml"
+    dest: "/etc/kubernetes/policies/audit-policy.yaml"
    group: root
    owner: root
    mode: 0644
--- a/templates/kubeadm-config.yaml.j2
+++ b/templates/kubeadm-config.yaml.j2
@ -80,7 +80,7 @@ apiServer:
  extraArgs:
    enable-admission-plugins: NodeRestriction,PodSecurityPolicy
    authorization-mode: "Node,RBAC"
-    audit-policy-file: "/etc/kubernetes/audit-policy.yaml"
+    audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
    audit-log-path: "/var/log/apiserver/audit.log"
    audit-log-maxage: "30"
    audit-log-maxbackup: "10"
@ -91,6 +91,11 @@ apiServer:
    mountPath: "/var/log/apiserver"
    readOnly: false
    pathType: DirectoryOrCreate
+  - name: "audit-policies"
+    hostPath: "/etc/kubernetes/policies"
+    mountPath: "/etc/kubernetes/policies"
+    readOnly: false
+    pathType: DirectoryOrCreate
 {% if lb_kubemaster is defined %}
  certSANs:
  - "{{ lb_kubemaster }}"