我的书签
添加书签
移除书签1 - API审计日志
您可以在Rancher安装或升级期间启用API审计。
以下定义了有关审计日志记录的内容以及包含哪些数据的规则:
下表显示了每个AUDIT_LEVEL设置,记录的API事务具体内容。
AUDIT_LEVEL设置 | Request Header | Request Body | Response Header | Response Body |
|---|---|---|---|---|
0 | ||||
1 | ✓ | |||
2 | ✓ | ✓ | ||
3 | ✓ | ✓ | ✓ | ✓ |
要启用API审计日志,请停止运行的Rancher容器,然后使用以下命令重新启动它。此命令包含打开API审计的参数,有关与API审计相关的每个AUDIT_LEVEL使用的详细信息,请参阅API审计日志设置选项。
- RKE HA 安装 (仅支持Rancher v2.0.8之前的版本)
在RKE 配置文件中,给Rancher容器添加以下参数:
- 添加API审计功能参数到Rancher容器的
args中; - 在容器的
volumemount参数中声明一个mountPath; - 在
volumes配置中声明一个path;
示例配置:
...containers:- image: rancher/rancher:stable (或者rancher/rancher:latest)imagePullPolicy: Alwaysname: cattle-serverargs: ["--audit-log-path", "/var/log/auditlog/rancher-api-audit.log", "--audit-log-maxbackup", "5", "--audit-log-maxsize", "50", "--audit-level", "2"]ports:- containerPort: 80protocol: TCP- containerPort: 443protocol: TCPvolumeMounts:- mountPath: /etc/rancher/sslname: cattle-keys-volumereadOnly: true- mountPath: /var/log/auditlogname: audit-log-dirvolumes:- name: cattle-keys-volumesecret:defaultMode: 420secretName: cattle-keys-server- name: audit-log-dirhostPath:path: /var/log/rancher/auditlogtype: Directory
- Chart HA安装(适用于Rancherv2.1.0及以后版本)
在使用Helm chart安装Rancher时启用API审计功能,会在Rancher pod中创建一个rancher-audit-log sidecar容器。 此容器将API审计日志发送到标准输出,可以通过查看容器日志的方式查看API审计日志rancher-audit-log容器位于rancher pod所在的cattle-system 命名空间中。
启用日志审计:
单节点安装Rancher server时,与主机系统共享AUDIT_LOG_PATH目录(默认:/var/log/auditlog)。日志可以通过标准CLI工具进行查看,也可以转发到日志收集工具,如Fluentd,Filebeat,Logstash等。
在使用Helm chart安装Rancher时启用API审计功能,会在Rancher pod中创建一个rancher-audit-log sidecar容器。 此容器将API审计日志发送到标准输出,可以通过查看容器日志的方式查看API审计日志。
rancher-audit-log 容器位于rancher pod所在的cattle-system 命名空间中。
通过CLI查看
通过Rancher Web GUI查看
- 从下拉菜单中, 切换到 Cluster: local > System项目下
- 从工作负载菜单中,找到
cattle-system命名空间,并找到rancher工作负载。
- 通过 Ellipsis (…) > View Logs查看
rancherpods日志
- 从Logs下拉菜单中,选择
rancher-audit-log
收集API审计日志
可以为集群启用Rancher的内置日志收集功能,将审计和其他服务日志发送到受支持的收集服务。
如果设置AUDIT_LEVEL为1,Rancher会记录每个API请求的元数据标头,但不会记录正文。标题提供有关API事务的基本信息,例如事务的ID,发起事务的人员,事件发生的时间等。
{"auditID": "30022177-9e2e-43d1-b0d0-06ef9d3db183","requestURI": "/v3/schemas","sourceIPs": ["::1"],"user": {"name": "user-f4tt2","group": ["system:authenticated"]},"verb": "GET","stageTimestamp": "2018-07-20 10:22:43 +0800"}
如果设置AUDIT_LEVEL为2,Rancher会记录每个API请求的元数据标题和正文。下面的代码示例描述了一个API请求,包含其元数据头和正文。
如果您设置AUDIT_LEVEL为3,Rancher将记录:
- 每个API请求的元数据标头和正文。
- 每个API响应的元数据标头和正文。
下面的代码示例描述了一个API请求,它有元数据头和正文。
{"auditID": "a886fd9f-5d6b-4ae3-9a10-5bff8f3d68af","requestURI": "/v3/project/c-bcz5t:p-fdr4s/workloads/deployment:default:nginx","sourceIPs": ["::1"],"user": {"name": "user-f4tt2","system:authenticated"]},"verb": "PUT","stage": "RequestReceived","stageTimestamp": "2018-07-20 10:33:06 +0800","requestBody": {"hostIPC": false,"hostNetwork": false,"hostPID": false,"paused": false,"annotations": {},"baseType": "workload","containers": [{"allowPrivilegeEscalation": false,"image": "nginx","imagePullPolicy": "Always","initContainer": false,"name": "nginx","ports": [{"containerPort": 80,"dnsName": "nginx-nodeport","kind": "NodePort","name": "80tcp01","protocol": "TCP","sourcePort": 0,"type": "/v3/project/schemas/containerPort"}],"privileged": false,"readOnly": false,"resources": {"type": "/v3/project/schemas/resourceRequirements","requests": {},"limits": {}},"restartCount": 0,"runAsNonRoot": false,"stdin": true,"stdinOnce": false,"terminationMessagePath": "/dev/termination-log","terminationMessagePolicy": "File","tty": true,"type": "/v3/project/schemas/container","environmentFrom": [],"capAdd": [],"capDrop": [],"livenessProbe": null,"volumeMounts": []}],"created": "2018-07-18T07:34:16Z","createdTS": 1531899256000,"creatorId": null,"deploymentConfig": {"maxSurge": 1,"maxUnavailable": 0,"minReadySeconds": 0,"progressDeadlineSeconds": 600,"revisionHistoryLimit": 10,"strategy": "RollingUpdate"},"deploymentStatus": {"availableReplicas": 1,"conditions": ["lastTransitionTime": "2018-07-18T07:34:38Z","lastTransitionTimeTS": 1531899278000,"lastUpdateTime": "2018-07-18T07:34:38Z","lastUpdateTimeTS": 1531899278000,"message": "Deployment has minimum availability.","status": "True","type": "Available"},{"lastTransitionTime": "2018-07-18T07:34:16Z","lastTransitionTimeTS": 1531899256000,"lastUpdateTime": "2018-07-18T07:34:38Z","lastUpdateTimeTS": 1531899278000,"message": "ReplicaSet \"nginx-64d85666f9\" has successfully progressed.","reason": "NewReplicaSetAvailable","status": "True","type": "Progressing"}],"observedGeneration": 2,"readyReplicas": 1,"replicas": 1,"type": "/v3/project/schemas/deploymentStatus","unavailableReplicas": 0,"updatedReplicas": 1},"dnsPolicy": "ClusterFirst","id": "deployment:default:nginx","labels": {"workload.user.cattle.io/workloadselector": "deployment-default-nginx"},"name": "nginx","namespaceId": "default","projectId": "c-bcz5t:p-fdr4s","publicEndpoints": [{"addresses": ["10.64.3.58"],"allNodes": true,"ingressId": null,"nodeId": null,"podId": null,"port": 30917,"protocol": "TCP","serviceId": "default:nginx-nodeport","type": "publicEndpoint"}],"restartPolicy": "Always","scale": 1,"schedulerName": "default-scheduler","selector": {"matchLabels": {"workload.user.cattle.io/workloadselector": "deployment-default-nginx"},"type": "/v3/project/schemas/labelSelector"},"state": "active","terminationGracePeriodSeconds": 30,"transitioning": "no","transitioningMessage": "","type": "deployment","uuid": "f998037d-8a5c-11e8-a4cf-0245a7ebb0fd","workloadAnnotations": {"deployment.kubernetes.io/revision": "1","field.cattle.io/creatorId": "user-f4tt2"},"workloadLabels": {"workload.user.cattle.io/workloadselector": "deployment-default-nginx"},"scheduling": {"node": {}},"description": "my decript","volumes": []}
