IPCEICIS-2952 #20
Loading…
Reference in a new issue
No description provided.
Delete branch "IPCEI-2952"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
see https://jira.telekom-mms.com/browse/IPCEICIS-2952
- mountPath: /var/log name: log-storage readOnly: falseIPCEI-2952to IPCEICIS-2952image: alpine:latest command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"] securityContext: runAsUser: 100 volumeMounts: - name: host-log-storage mountPath: /openbao/logs - name: logrotate-config mountPath: /etc/logrotate.conf subPath: logrotate.conf# mountPath: /etc/logrotate.conf # subPath: logrotate.confkind: DaemonSet metadata: name: openbao-logging-dir namespace: openbao spec: selector: matchLabels: app: openbao-logging-dir template: metadata: labels: app: openbao-logging-dir spec: initContainers: - name: creator image: busybox command: ["/bin/sh", "-c"] args: - | set -e mkdir -p /var/log/openbao chown 100:100 /var/log/openbao securityContext: runAsUser: 0 volumeMounts: - name: host-log mountPath: /var/log containers: - name: running-container image: busybox command: ["sleep", "infinity"] volumes: - name: host-log hostPath: path: /var/log type: Directoryimage: imroc/logrotate:latest env: - name: LOGROTATE_FILE_PATTERN value: "/var/log/nginx/nginx_*.log" - name: LOGROTATE_FILESIZE value: "20M" - name: LOGROTATE_FILENUM value: "10" - name: CRON_EXPR value: "*/1 * * * *" - name: CROND_LOGLEVEL value: "7"mountPath: /etc/logrotate.conf subPath: logrotate.conf readOnly: trueset -e useradd -u 100 logrotate chown logrotate:logrotate /var/lib tail -f /dev/nullchown 100:100 /var/lib tail -f /dev/nullecho "logrotate❌100:" >> /etc/groupmkdir -p /var/log/openbao chown 100:100 /var/log/openbao echo "logrotate❌100💯:/home/logrotate:/bin/sh" >> /etc/passwd echo "logrotate❌100:" >> /etc/group chown logrotate:logrotate /var/libmkdir -p /var/log/openbao chown 100:100 /var/log/openbao echo "logrotate❌100💯:/home/logrotate:/bin/sh" >> /etc/passwd echo "logrotate❌100:" >> /etc/group mkdir -p /home/logrotate # chown 100:100 /var/lib- chmod o+rwx /etc/passwd - chmod o+rwx /etc/group- | chmod o+rwx /etc/passwd chmod o+rwx /etc/groupmountPath: /etc/passwd subPath: passwd- name: CRON_SCHEDULE value: "0 * * * *" - name: TINI_SUBREAPER value:- name: host-log-storage mountPath: /openbao/logsimage: nginx:latest ports: - containerPort: 8080 volumeMounts: - name: idecar-script mountPath: /etc/nginx subPath: nginx.conf subPathExpr: 'nginx.conf' - name: idecar-script mountPath: /tmp/sidecar.sh subPath: sidecar.sh mode: 0755 - name: passwd-volume mountPath: /etc/passwd subPath: passwdmountPath: /etc/passwd subPath: passwdThere are multiple components needed for the logging of OpenBao audits:
openbao-logging.yaml - References the openbao-logging directory.
openbao-logging/create-logging-directory.yaml - DaemonSet that creates a directory on the node's hostPath. Since this task has to be done by a priviledged user and we have a non-root policy for pods which doesn't apply to DeamonSets this appears to be the only possible solution.
openbao-logging/logrotate-configmap.yaml - Consists of the logrotate.conf file which speciefies how the logrotation should happen. It's mounted to the CronJob.
openbao-logging/logrotate-cronjob.yaml - The definition of the CronJob which runs every hour.
openbao-logging/passwd-user-configmap.yaml - Needed for identifying as the user openbao:100 which is required to …
openbao-logging/sidecar-script-configmap.yaml - Responsible for setting up two scripts: start.sh - for starting a server listening on the port 3030 for the signal from the CronJob; sidecar.sh - for sending the SIGHUP to openbao.
openbao-logging/sidecar-script-service.yaml - The service for the sidecar container inside the openbao-0 pod
openbao/values.yaml - Sets up a sidecar container called "sidecar" which is allowed to access the bao process and enables a File Audit Device one the node's hostPath.
Pull request closed