From 743684edd41fe5141e977702415913452ad9f3ca Mon Sep 17 00:00:00 2001
From: Adrien
Date: Thu, 30 Jul 2020 18:31:04 +0200
Subject: [PATCH] Fix audit-policies deployment

---
 .../etc/kubernetes/policies}/audit-policy.yaml | 0
 tasks/install_server.yml                       | 9 ++++++---
 templates/kubeadm-config.yaml.j2               | 7 ++++++-
 3 files changed, 12 insertions(+), 4 deletions(-)
 rename {tasks/files/etc/kubernetes => files/etc/kubernetes/policies}/audit-policy.yaml (100%)

diff --git a/tasks/files/etc/kubernetes/audit-policy.yaml b/files/etc/kubernetes/policies/audit-policy.yaml
similarity index 100%
rename from tasks/files/etc/kubernetes/audit-policy.yaml
rename to files/etc/kubernetes/policies/audit-policy.yaml
diff --git a/tasks/install_server.yml b/tasks/install_server.yml
index d2d9e58..b0b9c3a 100644
--- a/tasks/install_server.yml
+++ b/tasks/install_server.yml
@@ -133,18 +133,21 @@
 - name: Secure etcd directory
   file:
-    path: "/var/lib/etcd"
+    path: "{{ item }}"
     state: directory
     owner: root
     group: root
     mode: 0700
+  with_items:
+    - "/var/lib/etcd"
+    - "/etc/kubernetes/policies"
   when:
     - kubernetes_master|bool
 
 - name: Configure kubelet service
   file:
-    src: "etc/kubernetes/audit-policy.yaml"
-    dest: "/etc/kubernetes/audit-policy.yaml"
+    src: "etc/kubernetes/policies/audit-policy.yaml"
+    dest: "/etc/kubernetes/policies/audit-policy.yaml"
     group: root
     owner: root
     mode: 0644
diff --git a/templates/kubeadm-config.yaml.j2 b/templates/kubeadm-config.yaml.j2
index b4a0865..e98a1e3 100644
--- a/templates/kubeadm-config.yaml.j2
+++ b/templates/kubeadm-config.yaml.j2
@@ -80,7 +80,7 @@ apiServer:
   extraArgs:
     enable-admission-plugins: NodeRestriction,PodSecurityPolicy
     authorization-mode: "Node,RBAC"
-    audit-policy-file: "/etc/kubernetes/audit-policy.yaml"
+    audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
     audit-log-path: "/var/log/apiserver/audit.log"
     audit-log-maxage: "30"
     audit-log-maxbackup: "10"
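Review bot: The `Configure kubelet service` task that the new `src:`/`dest:` lines belong to uses the `file` module, whose `src` parameter only applies to `state: link`/`state: hard`; with no `state` given it defaults to `file`, which neither copies nor creates anything, so if this task is what is meant to place `audit-policy.yaml` under `/etc/kubernetes/policies`, the new path still will not be deployed unless a `copy` task elsewhere in the role does it. Replacing `file:` with `copy:` would make the task do what its src/dest lines describe. Both task names are now stale as well: `Secure etcd directory` loops over two directories, one of which holds the audit policy, and `Configure kubelet service` handles the API server audit policy rather than the kubelet; renaming them to something like `Create root-only directories for etcd and audit policies` and `Deploy API server audit policy` keeps play output readable. The second task continues past the hunk's last line, so any `when:` it carries is not visible here.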
@@ -91,6 +91,11 @@ apiServer:
       mountPath: "/var/log/apiserver"
       readOnly: false
       pathType: DirectoryOrCreate
+    - name: "audit-policies"
+      hostPath: "/etc/kubernetes/policies"
+      mountPath: "/etc/kubernetes/policies"
+      readOnly: false
+      pathType: DirectoryOrCreate
 {% if lb_kubemaster is defined %}
   certSANs:
     - "{{ lb_kubemaster }}"
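Review bot: The new `audit-policies` host-path volume is mounted with `readOnly: false`, but the API server only reads the audit policy, so the mount should be `readOnly: true` so that nothing running inside the apiserver pod can alter the policy that governs its own audit trail. The `audit-log` volume above it legitimately needs write access; the policy directory does not. `pathType: DirectoryOrCreate` will also silently create an empty `/etc/kubernetes/policies` if the Ansible task that populates it has not run first, leaving the apiserver to fail later on a missing policy file; `pathType: Directory` would surface that ordering problem at pod creation instead. The `extraVolumes` list this entry is appended to starts above the hunk.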