Updating API Audit Logging Parameters using Qbert API Leads to Duplicate Entries.
Problem
- While using the Qbert API call below with a few sample API audit logging parameters:

```bash
curl -kv --request PUT \
  -H "X-Auth-Token: <MASKED>" \
  -H "Content-Type: application/merge-patch+json" \
  -H "Accept: application/json" \
  --data '{"apiServerFlags": "--audit-policy-file=/var/opt/pf9/kube/apiserver-config/audit-policy.yaml,--audit-log-path=/var/opt/pf9/kube/audit/audit.log,--audit-log-maxage=60,--audit-log-maxsize=200,--audit-log-maxbackup=20"}' \
  https://<DU-FQDN>/qbert/v4/<PROJECT-ID>/clusters/<CLUSTER-UUID>
```

- We could see duplicate entries in /opt/pf9/pf9-kube/conf/master.yaml:

```bash
$ grep -i audit /opt/pf9/pf9-kube/conf/pod-manifests/master.yaml
---
 - --audit-log-path=/var/opt/pf9/kube/audit/audit.log
 - --audit-log-maxage=30
 - --audit-log-maxbackup=20
 - --audit-log-maxsize=50
 - --audit-policy-file=/var/opt/pf9/kube/apiserver-config/audit-policy.yaml
 - --audit-log-path=/var/opt/pf9/kube/audit/audit.log
 - --audit-log-maxage=60
 - --audit-log-maxsize=200
 - --audit-log-maxbackup=20
 - mountPath: /var/opt/pf9/kube/audit
   name: apiserver-audit
   path: /var/opt/pf9/kube/audit
   name: apiserver-audit
---
```

Environment
- Platform9 Managed Kubernetes - v5.6.8
  - PF9-Kube - 1.22.9-pmk.384
  - PF9-Kube - 1.23.8-pmk.373
- Platform9 Edge Cloud - LTS2 #4
Cause
- Starting with the above-mentioned releases, the parameters below are baked into the PF9-Kube package by default. This was introduced as part of a vulnerability scan.

```bash
--audit-log-path=/var/opt/pf9/kube/audit/audit.log
--audit-log-maxage=30
--audit-log-maxbackup=20
--audit-log-maxsize=50
```

- Using the Qbert API to update the audit logging API server arguments may help the values persist even after cluster upgrades, but it is currently not recommended, because it adds new entries instead of overriding the existing ones, as seen in the Problem section.
- This is currently tracked under JIRA AIR-1101 and PMK-5901.
Workaround
- The current workaround is to manually update the _/opt/pf9/pf9-kube/conf/masterconfig/base/centos/master.yaml_ file on each master node, followed by a PMK stack restart.
  With this method the values do not persist across cluster upgrades, so the file needs to be updated manually after every upgrade.
- Edit the parameters below on each master node:

```bash
# vi /opt/pf9/pf9-kube/conf/masterconfig/base/centos/master.yaml
---
 - --audit-policy-file=/var/opt/pf9/kube/apiserver-config/audit-policy.yaml
 - --audit-log-path=/var/opt/pf9/kube/audit/audit.log
 - --audit-log-maxage=60
 - --audit-log-maxsize=200
 - --audit-log-maxbackup=20
---
```

- Restart the PMK stack on all the master nodes, one node at a time:

```bash
# systemctl stop pf9-hostagent pf9-nodeletd
# /opt/pf9/nodelet/nodeletd phases restart
# systemctl start pf9-hostagent
```

- Verify the content of _/opt/pf9/pf9-kube/conf/pod-manifests/master.yaml_ to make sure the above values are reflected in the actual master configuration.

```bash
# grep -i audit /opt/pf9/pf9-kube/conf/pod-manifests/master.yaml
---
 - --audit-policy-file=/var/opt/pf9/kube/apiserver-config/audit-policy.yaml
 - --audit-log-path=/var/opt/pf9/kube/audit/audit.log
 - --audit-log-maxage=60
 - --audit-log-maxsize=200
 - --audit-log-maxbackup=20
---
```
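The grep check leaves spotting repeated flags to the reader. As an added example (not Platform9 code), the function below lists every `--audit-*` flag that occurs more than once in a manifest, which is the condition shown in the Problem section. `dup_flags` and `sample_manifest` are hypothetical names, and the sample input is constructed from the output shown in that section.

```bash
#!/bin/sh
# Added example (not Platform9 code): list flags passed more than once in a
# static pod manifest. PREFIX defaults to "--audit-"; FILE "-" means stdin.
# Prints "flag: value1 value2 ..." per repeated flag; returns 1 if any exist.
dup_flags() {
    awk -v prefix="${2:---audit-}" '
        # YAML list items of the form "- --flag=value"
        /^[ \t]*-[ \t]+--[A-Za-z0-9-]+=/ {
            item = $0
            sub(/^[ \t]*-[ \t]+/, "", item)
            sub(/[ \t\r]+$/, "", item)
            eq = index(item, "=")
            flag = substr(item, 1, eq - 1)
            if (index(flag, prefix) != 1) next
            if (!(flag in count)) order[++n] = flag   # keep first-seen order
            count[flag]++
            values[flag] = values[flag] " " substr(item, eq + 1)
        }
        END {
            for (i = 1; i <= n; i++) {
                f = order[i]
                if (count[f] > 1) { print f ":" values[f]; bad = 1 }
            }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample: the apiserver arguments shown in the Problem section.
sample_manifest() {
    cat <<'EOF'
    - --audit-log-path=/var/opt/pf9/kube/audit/audit.log
    - --audit-log-maxage=30
    - --audit-log-maxbackup=20
    - --audit-log-maxsize=50
    - --audit-policy-file=/var/opt/pf9/kube/apiserver-config/audit-policy.yaml
    - --audit-log-path=/var/opt/pf9/kube/audit/audit.log
    - --audit-log-maxage=60
    - --audit-log-maxsize=200
    - --audit-log-maxbackup=20
    - mountPath: /var/opt/pf9/kube/audit
      name: apiserver-audit
EOF
}

# Demo on the sample; on a master node pass the manifest path instead of "-".
sample_manifest | dup_flags - || echo "repeated audit flags found" >&2
```

A non-zero return from `dup_flags /opt/pf9/pf9-kube/conf/pod-manifests/master.yaml` after a cluster upgrade or a Qbert API update means the manifest again carries more than one value for the same audit flag.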