kube-prometheus
addon: prometheus-adapter addon to enable audit logs
Description
This addon configures Prometheus Adapter to turn on audit logs. Enabling audit logs requires passing a Policy file to the adapter. The addon adds a list of policies that match the K8S Policy log levels, such as:
- None
- Metadata
- RequestResponse
- Request
See: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy
The adapter will be configured to log at the Metadata level by default, which can be configured by setting values.pa.auditProfile. See examples/prometheus-adapter-audit-example.jsonnet
Type of change
What type of changes does your code introduce to the kube-prometheus? Put an x in the boxes that apply.
- [ ] CHANGE (fix or feature that would cause existing functionality to not work as expected)
- [x] FEATURE (non-breaking change which adds functionality)
- [ ] BUGFIX (non-breaking change which fixes an issue)
- [ ] ENHANCEMENT (non-breaking change which improves existing functionality)
- [ ] NONE (if none of the other choices apply. Example, tooling, build system, CI, docs, etc.)
Changelog entry
New addon for Prometheus Adapter to configure audit logs.
This should be a part of prometheus-adapter.libsonnet and be conditionally enabled. I don't see any reason for this to be an addon.
That's a fair point, having it conditionally enabled sounds better suited since it is essentially part of the prometheus-adapter component. At first, I was thinking more about having an addon that would enable audit logs on top of the default configuration, but I prefer your approach. Sorry for the inconvenience @sthaha.
Since we are bounding the size of the audit log file to 100Mb, I think enabling the Metadata level by default shouldn't be a problem and it will only be beneficial to the kube-prometheus users. For what it's worth, once the audit log file is full, it is rotated to be able to continue to gather new audit logs while only keeping the freshest ones.
> conditionally enabled
@paulfantom could you please shed some light on how you would like it to be conditionally enabled? Is there a precedent or an example I can copy from?
You can take the thanos sidecar setup of Prometheus as an example: https://github.com/prometheus-operator/kube-prometheus/blob/main/jsonnet/kube-prometheus/components/prometheus.libsonnet#L330-L344
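The sketch below is an added illustration, not code from this PR or from kube-prometheus itself. It shows how the audit policies listed in the description could live inside the adapter component and be switched on per profile, following the conditional pattern the last comment points to for the thanos sidecar. The `auditProfile` parameter, the mount paths, the image placeholder and the rotation values (100 MB per file, 5 backups) are assumptions; the `--audit-*` flags are the generic Kubernetes apiserver audit options that the adapter inherits from the apiserver library it is built on.

```jsonnet
// Added example, not part of kube-prometheus. Usage:
//   (import 'prometheus-adapter-audit.libsonnet')({ auditProfile: 'request' })
local defaults = {
  namespace: 'monitoring',
  name: 'prometheus-adapter',
  // Assumed knob: one of 'none', 'metadata', 'request', 'requestResponse'.
  auditProfile: 'metadata',
};

// One complete audit.k8s.io/v1 Policy per Kubernetes audit level.
local policy(level) = {
  apiVersion: 'audit.k8s.io/v1',
  kind: 'Policy',
  rules: [{ level: level }],
};

local auditPolicies = {
  none: policy('None'),
  metadata: policy('Metadata'),
  request: policy('Request'),
  requestResponse: policy('RequestResponse'),
};

function(params) {
  local pa = self,
  _config:: defaults + params,

  // Fail at evaluation time on an unknown profile instead of shipping a
  // deployment whose adapter refuses to start.
  assert std.objectHas(auditPolicies, pa._config.auditProfile) :
    'auditProfile must be one of ' + std.join(', ', std.objectFields(auditPolicies)),

  // Single switch that gates the ConfigMap, the flags and the volumes together,
  // so the manifests never reference a policy file that is not mounted.
  local auditEnabled = pa._config.auditProfile != 'none',

  // Computed field name: the ConfigMap is omitted entirely when auditing is off.
  [if auditEnabled then 'auditConfigMap']: {
    apiVersion: 'v1',
    kind: 'ConfigMap',
    metadata: { name: pa._config.name + '-audit-policy', namespace: pa._config.namespace },
    data: {
      'audit-policy.yaml': std.manifestYamlDoc(auditPolicies[pa._config.auditProfile]),
    },
  },

  deployment: {
    apiVersion: 'apps/v1',
    kind: 'Deployment',
    metadata: { name: pa._config.name, namespace: pa._config.namespace },
    spec: {
      template: {
        spec: {
          containers: [{
            name: 'prometheus-adapter',
            image: 'PLACEHOLDER_IMAGE',  // assumption: set by the real component
            args: [
              '--secure-port=6443',
            ] + (if auditEnabled then [
              // Generic apiserver audit flags; paths and sizes are assumptions.
              '--audit-policy-file=/etc/adapter/audit-policy.yaml',
              '--audit-log-path=/var/log/adapter/audit.log',
              '--audit-log-maxsize=100',   // rotate after 100 MB
              '--audit-log-maxbackup=5',   // keep the five newest rotated files
            ] else []),
            volumeMounts: (if auditEnabled then [
              { name: 'audit-policy', mountPath: '/etc/adapter', readOnly: true },
              { name: 'audit-log', mountPath: '/var/log/adapter' },
            ] else []),
          }],
          volumes: (if auditEnabled then [
            { name: 'audit-policy', configMap: { name: pa._config.name + '-audit-policy' } },
            { name: 'audit-log', emptyDir: {} },
          ] else []),
        },
      },
    },
  },
}
```

The level chosen by the profile decides what reaches the log: None records nothing, Metadata records who did what to which resource (user, verb, resource, response code) without bodies, Request adds the request body, and RequestResponse adds the response body as well. Request and response bodies can carry sensitive values, so a Metadata default with an explicit opt-in to the heavier levels is the conservative choice; the maxsize/maxbackup pair bounds disk use to roughly 600 MB in this configuration and matches the rotation behaviour described in the thread.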