@@ -76,6 +76,24 @@ In both cases, audit events structure is defined by the API in the
7676` audit.k8s.io` API group. The current version of the API is
7777[`v1beta1`][auditing-api].
7878
79+ **Note:** In case of patches, request body is a JSON array with patch operations, not a JSON object
80+ with an appropriate Kubernetes API object. For example, the following request body is a valid patch
81+ request to `/apis/batch/v1/namespaces/some-namespace/jobs/some-job-name`.
82+
83+ ` ` ` json
84+ [
85+ {
86+ "op": "replace",
87+ "path": "/spec/parallelism",
88+ "value": 0
89+ },
90+ {
91+ "op": "remove",
92+ "path": "/spec/template/spec/containers/0/terminationMessagePolicy"
93+ }
94+ ]
95+ ` ` `
96+
7997# ## Log backend
8098
8199Log backend writes audit events to a file in JSON format. You can configure
@@ -95,14 +113,62 @@ audit backend using the following kube-apiserver flags:
95113
96114- ` --audit-webhook-config-file` specifies the path to a file with a webhook
97115 configuration. Webhook configuration is effectively a [kubeconfig][kubeconfig].
98- - `--audit-webhook-mode` define the buffering strategy, one of the following :
99- - ` batch` - buffer events and asynchronously send the set of events to the external service
100- This is the default
101- - ` blocking` - block API server responses on sending each event to the external service
116+ - ` --audit-webhook-initial-backoff` specifies the amount of time to wait after the first failed
117+ request before retrying. Subsequent requests are retried with exponential backoff.
102118
103119The webhook config file uses the kubeconfig format to specify the remote address of
104120the service and credentials used to connect to it.
105121
122+ # ## Batching
123+
124+ Both log and webhook backends support batching. Using webhook as an example, here's the list of
125+ available flags. To get the same flag for log backend, replace `webhook` with `log` in the flag
126+ name. By default, batching is enabled in `webhook` and disabled in `log`. Similarly, by default
127+ throttling is enabled in `webhook` and disabled in `log`.
128+
129+ - `--audit-webhook-mode` defines the buffering strategy. One of the following :
130+ - ` batch` - buffer events and asynchronously process them in batches. This is the default.
131+ - ` blocking` - block API server responses on processing each individual event.
132+
133+ The following flags are used only in the `batch` mode.
134+
135+ - ` --audit-webhook-batch-buffer-size` defines the number of events to buffer before batching.
136+ If the rate of incoming events overflows the buffer, events are dropped.
137+ - ` --audit-webhook-batch-max-size` defines the maximum number of events in one batch.
138+ - ` --audit-webhook-batch-max-wait` defines the maximum amount of time to wait before unconditionally
139+ batching events in the queue.
140+ - ` --audit-webhook-batch-throttle-qps` defines the maximum average number of batches generated
141+ per second.
142+ - ` --audit-webhook-batch-throttle-burst` defines the maximum number of batches generated at the same
143+ moment if the allowed QPS was underutilized previously.
144+
145+ # ### Parameter tuning
146+
147+ Parameters should be set to accommodate the load on the apiserver.
148+
149+ For example, if kube-apiserver receives 100 requests each second, and each request is audited only
150+ on `StageResponseStarted` and `StageResponseComplete` stages, you should account for ~200 audit
151+ events being generated each second. Assuming that there are up to 100 events in a batch,
152+ you should set throttling level at at least 2 QPS. Assuming that the backend can take up to
153+ 5 seconds to write events, you should set the buffer size to hold up to 5 seconds of events, i.e.
154+ 10 batches, i.e. 1000 events.
155+
156+ In most cases however, the default parameters should be sufficient and you don't have to worry about
157+ setting them manually. You can look at the following Prometheus metrics exposed by kube-apiserver
158+ and in the logs to monitor the state of the auditing subsystem.
159+
160+ - ` apiserver_audit_event_total` metric contains the total number of audit events exported.
161+ - ` apiserver_audit_error_total` metric contains the total number of events dropped due to an error
162+ during exporting.
163+
164+ # # Multi-cluster setup
165+
166+ If you're extending the Kubernetes API with the [aggregation layer][kube-aggregator], you can also
167+ set up audit logging for the aggregated apiserver. To do this, pass the configuration options in the
168+ same format as described above to the aggregated apiserver and set up the log ingesting pipeline
169+ to pick up audit logs. Different apiservers can have different audit configurations and different
170+ audit policies.
171+
106172# # Log Collector Examples
107173
108174# ## Use fluentd to collect and distribute audit events from log file
@@ -254,8 +320,8 @@ plugin which supports full-text search and analytics.
254320
255321# # Legacy Audit
256322
257- __Note:__ Legacy Audit is deprecated and is disabled by default since Kubernetes 1.8.
258- To fallback to this legacy audit, disable the advanced auditing feature
323+ __Note:__ Legacy Audit is deprecated and is disabled by default since Kubernetes 1.8. Legacy Audit
324+ will be removed in 1.12. To fallback to this legacy audit, disable the advanced auditing feature
259325using the `AdvancedAuditing` feature gate in [kube-apiserver][kube-apiserver] :
260326
261327` ` `
@@ -303,3 +369,4 @@ and `audit-log-maxage` options.
303369[fluentd_install_doc] : http://docs.fluentd.org/v0.12/articles/quickstart#step1-installing-fluentd
304370[logstash] : https://www.elastic.co/products/logstash
305371[logstash_install_doc] : https://www.elastic.co/guide/en/logstash/current/installing-logstash.html
372+ [kube-aggregator] : /docs/concepts/api-extension/apiserver-aggregation
0 commit comments