Wednesday, September 11, 2019

We were discussing Falco for auditing.
The steps for uploading the audit policy and the webhook configuration, and for restarting the kube-apiserver so it picks them up, vary with where the Kubernetes cluster is hosted. When the cluster is provisioned by PKS, the procedure differs from the one for minikube: the master node is not reachable the way a local VM is, so the BOSH CLI is used to get to it.

The BOSH CLI needs the address of the BOSH Director and credentials for it; both are supplied through environment variables (BOSH_ENVIRONMENT, BOSH_CLIENT, BOSH_CLIENT_SECRET and BOSH_CA_CERT).
The commands are:
1. ssh ubuntu@<pks-api-server>
2. pks login -a <pks-api-server> -u <admin> -p <password> --skip-ssl-validation
3. pks cluster <cluster-name> # prints the cluster's UUID, which is the k8s cluster ID
4. bosh vms -d service-instance_<k8s cluster ID> # lists the VMs of the cluster's BOSH deployment
5. bosh -d service-instance_<k8s cluster ID> ssh <VM CID> # the VM CID of the master, taken from the previous listing

6. bosh -d service-instance_<k8s cluster ID> scp <audit-policy file> <VM CID>:<path> # upload the audit policy
7. the same bosh scp command to upload the webhook configuration file
8. the same bosh scp command to copy the apiserver-config.patch.sh script. Running that script on the master edits /etc/kubernetes/manifests/kube-apiserver.yaml, adding the audit-webhook-config-file and audit-dynamic-configuration settings, and the change to the manifest is what causes the kube-apiserver to restart with auditing enabled.

The audit logs then become available at /var/lib/k8s-audit/audit.log
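The procedure above as one script, added here as an example and not taken from the original post or from the Falco or PKS projects. It assumes the BOSH CLI is already pointed at the Director through the BOSH_* environment variables, that the master instance group of a PKS deployment is named "master", and that the three files (audit-policy.yaml, webhook-config.yaml, apiserver-config.patch.sh) sit next to the script; those file names, the API hostname and the cluster name are placeholders. It targets the master by its BOSH instance name (master/<id>) rather than the VM CID the post uses, since bosh ssh and bosh scp accept that form. The two parsing helpers read stdin so they can be checked offline against the constructed CLI output embedded below; the text layouts of `pks cluster` and `bosh vms` output are assumptions taken from the CLIs' human-readable tables.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post): enable the Falco k8s
# audit webhook on a PKS-provisioned cluster via the BOSH Director.
# Assumes BOSH_ENVIRONMENT / BOSH_CLIENT / BOSH_CLIENT_SECRET / BOSH_CA_CERT
# are exported for the BOSH CLI. All hostnames and file names are placeholders.
set -eu

PKS_API="${PKS_API:-api.pks.example.com}"      # assumed PKS API hostname
PKS_USER="${PKS_USER:-admin}"
PKS_PASSWORD="${PKS_PASSWORD:-}"               # must be set before running
CLUSTER_NAME="${CLUSTER_NAME:-demo}"           # assumed cluster name

AUDIT_POLICY="audit-policy.yaml"               # assumed local file names
WEBHOOK_CONFIG="webhook-config.yaml"
PATCH_SCRIPT="apiserver-config.patch.sh"
REMOTE_DIR="/tmp"

# Pull the cluster UUID out of `pks cluster <name>` output, which prints a
# "UUID:   <id>" line (layout assumed from the PKS CLI's text output).
cluster_uuid() {
    awk '$1 == "UUID:" { print $2; exit }'
}

# Pull the first master instance (master/<id>) out of `bosh vms` output.
# Assumed table columns: Instance, Process State, AZ, IPs, VM CID, VM Type.
master_instance() {
    awk '$1 ~ /^master\// { print $1; exit }'
}

# Run the whole procedure: login, resolve the deployment, upload the three
# files to the master, run the patch script, then show the new audit log.
enable_k8s_audit() {
    local uuid deployment master f
    [ -n "$PKS_PASSWORD" ] || { echo "PKS_PASSWORD is not set" >&2; return 1; }
    pks login -a "$PKS_API" -u "$PKS_USER" -p "$PKS_PASSWORD" --skip-ssl-validation
    uuid="$(pks cluster "$CLUSTER_NAME" | cluster_uuid)"
    [ -n "$uuid" ] || { echo "no UUID found for cluster $CLUSTER_NAME" >&2; return 1; }
    deployment="service-instance_${uuid}"
    master="$(bosh -d "$deployment" vms | master_instance)"
    [ -n "$master" ] || { echo "no master VM in deployment $deployment" >&2; return 1; }
    for f in "$AUDIT_POLICY" "$WEBHOOK_CONFIG" "$PATCH_SCRIPT"; do
        bosh -d "$deployment" scp "$f" "${master}:${REMOTE_DIR}/${f}"
    done
    # The patch script edits the kube-apiserver manifest; the manifest change
    # is what restarts the apiserver with audit settings applied.
    bosh -d "$deployment" ssh "$master" -c "sudo bash ${REMOTE_DIR}/${PATCH_SCRIPT}"
    bosh -d "$deployment" ssh "$master" -c "sudo tail -n 5 /var/lib/k8s-audit/audit.log"
}

# Constructed sample output (not captured from a real environment) used to
# exercise the parsing helpers offline.
SAMPLE_PKS_CLUSTER="$(cat <<'EOF'
Name:                     demo
Plan Name:                small
UUID:                     a1b2c3d4-5e6f-7081-92a3-b4c5d6e7f809
Last Action:              CREATE
Last Action State:        succeeded
Kubernetes Master Host:   demo.pks.example.com
Kubernetes Master Port:   8443
Worker Nodes:             3
EOF
)"

SAMPLE_BOSH_VMS="$(cat <<'EOF'
Deployment 'service-instance_a1b2c3d4-5e6f-7081-92a3-b4c5d6e7f809'

Instance                                     Process State  AZ   IPs         VM CID                                   VM Type
master/0f9a3b1c-0001-4a2b-8c3d-0e1f2a3b4c5d  running        az1  10.0.11.10  vm-11111111-2222-3333-4444-555555555555  medium
worker/9e8d7c6b-0002-4a2b-8c3d-0e1f2a3b4c5d  running        az1  10.0.11.11  vm-66666666-7777-8888-9999-aaaaaaaaaaaa  medium.disk

2 vms

Succeeded
EOF
)"

# Only touch PKS/BOSH when explicitly asked: ENABLE_K8S_AUDIT=1 ./script.sh
if [ "${ENABLE_K8S_AUDIT:-0}" = "1" ]; then
    enable_k8s_audit
fi
```

Running it with ENABLE_K8S_AUDIT unset only defines the functions and sample data, so the parsers can be tried against the embedded output before pointing the script at a live Director. The early exits on an empty UUID or missing master instance matter in practice: without them a typo in the cluster name would send `bosh scp` at a deployment named `service-instance_` and fail with a far less obvious error.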
