- Use a webhook vs. file backend (maybe cloudrun?)
- This might only be possible if Docker is running as root - need to test
Make a temporary directory to host files to be mounted in KinD.
mkdir -p /tmp/api/
Create an audit-policy.yaml file.
cat <<EOF > /tmp/api/audit-policy.yaml
# Log all requests at the Metadata level.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
EOF
Create a kind-config.yaml file.
cat <<EOF > kind-config.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
  PodSecurity: true
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
      extraArgs:
        audit-log-path: /etc/kubernetes/audit/audit.log
        audit-policy-file: /etc/kubernetes/audit/audit-policy.yaml
      extraVolumes:
      - name: audit-policy
        hostPath: /etc/kubernetes/audit
        mountPath: /etc/kubernetes/audit
        readOnly: false
        pathType: "DirectoryOrCreate"
  extraMounts:
  - hostPath: /tmp/api/
    containerPath: /etc/kubernetes/audit
    readOnly: false
    selinuxRelabel: false
    propagation: None
EOF
Validate that your directory is clean (at this point it should contain only audit-policy.yaml).
$ ls -lah /tmp/api/
total 12K
drwxrwxr-x 2 jangel jangel 4.0K Aug 20 02:05 .
drwxrwxrwt 14 root root 4.0K Aug 20 02:09 ..
-rw-rw-r-- 1 jangel jangel 108 Aug 20 01:49 audit-policy.yaml
Launch your cluster!
kind create cluster --image=kindest/node:v1.22.0@sha256:b8bda84bb3a190e6e028b1760d277454a72267a5454b57db34437c34a588d047 --config kind-config.yaml
Output looks similar to:
Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.22.0)
 ✓ Preparing nodes
 ✓ Writing configuration
 ✓ Starting control-plane
 ✓ Installing CNI
 ✓ Installing StorageClass
Set kubectl context to "kind-kind"
You can now use your cluster with:
kubectl cluster-info --context kind-kind
Not sure what to do next?
Check out https://kind.sigs.k8s.io/docs/user/quick-start/
Once complete, let's check out those audit logs!
sudo cat /tmp/api/audit.log
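As an added example (not part of the original write-up), a small Python script that reads the JSON-lines audit log the cluster above writes to /tmp/api/audit.log, keeps one event per request (the Metadata level logs both a RequestReceived and a ResponseComplete stage for each call), builds a baseline of who did what, and flags the events a defender would review first. The embedded sample log is constructed for illustration, and the sensitive-resource sets are my own choices rather than any Kubernetes default.

```python
import json
from collections import Counter

# Constructed sample (not a real log) of Metadata-level events, one JSON object
# per line, in the shape kube-apiserver writes to audit-log-path.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"system:kube-controller-manager"},"objectRef":{"resource":"pods"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"RequestReceived","verb":"get","user":{"username":"kubernetes-admin"},"objectRef":{"resource":"secrets","namespace":"kube-system","name":"db-creds"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"kubernetes-admin"},"objectRef":{"resource":"secrets","namespace":"kube-system","name":"db-creds"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:app"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"default","name":"web-0"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"create","user":{"username":"kubernetes-admin"},"objectRef":{"resource":"clusterrolebindings","name":"dev-admin"},"responseStatus":{"code":201}}
"""
# Review sets chosen for this example; tune them to your own cluster.
RBAC_RESOURCES = {"clusterrolebindings", "clusterroles", "rolebindings", "roles"}
SENSITIVE_SUBRESOURCES = {"exec", "attach", "portforward"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

def parse_audit_log(text):
    """Keep only ResponseComplete events: each request is logged twice
    (RequestReceived, then ResponseComplete) and only the latter has responseStatus."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            if ev.get("kind") == "Event" and ev.get("stage") == "ResponseComplete":
                events.append(ev)
    return events

def summarize(events):
    """Count completed requests per (username, verb, resource) as a baseline."""
    counts = Counter()
    for ev in events:
        ref = ev.get("objectRef") or {}  # absent for non-resource URLs like /healthz
        counts[(ev["user"]["username"], ev["verb"], ref.get("resource", ""))] += 1
    return counts

def flag_sensitive(events):
    """Return (reason, event) pairs for secret access, pod exec/attach/port-forward
    and RBAC writes; denied (403) attempts are kept because they are signal too."""
    flagged = []
    for ev in events:
        ref = ev.get("objectRef") or {}
        user, verb = ev["user"]["username"], ev["verb"]
        resource, sub = ref.get("resource"), ref.get("subresource")
        if sub in SENSITIVE_SUBRESOURCES:
            flagged.append((f"pod {sub} by {user}", ev))
        elif resource == "secrets":
            flagged.append((f"secret {verb} by {user}", ev))
        elif resource in RBAC_RESOURCES and verb in WRITE_VERBS:
            flagged.append((f"RBAC {verb} on {resource} by {user}", ev))
    return flagged
```

To run it against the real file, pass the contents of /tmp/api/audit.log to parse_audit_log instead of SAMPLE_AUDIT_LOG.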
Just a reminder for those attempting this on a Mac: the file and the directory need to be created in the container, not on the host. For example, using podman, this would be in the podman machine.