diff --git a/pkg/providers/tinkerbell/controlplane_test.go b/pkg/providers/tinkerbell/controlplane_test.go
index 0c0cb4805937..ca5cdfff2ff2 100644
--- a/pkg/providers/tinkerbell/controlplane_test.go
+++ b/pkg/providers/tinkerbell/controlplane_test.go
@@ -240,9 +240,24 @@ spec:
 imageTag: v1.8.3-eks-1-21-4
 apiServer:
 extraArgs:
+ audit-policy-file: /etc/kubernetes/audit-policy.yaml
+ audit-log-path: /var/log/kubernetes/api-audit.log
+ audit-log-maxage: "30"
+ audit-log-maxbackup: "10"
+ audit-log-maxsize: "512"
 authentication-token-webhook-config-file: /etc/kubernetes/aws-iam-authenticator/kubeconfig.yaml
 feature-gates: ServiceLoadBalancerClass=true
 extraVolumes:
+ - hostPath: /etc/kubernetes/audit-policy.yaml
+ mountPath: /etc/kubernetes/audit-policy.yaml
+ name: audit-policy
+ pathType: File
+ readOnly: true
+ - hostPath: /var/log/kubernetes
+ mountPath: /var/log/kubernetes
+ name: audit-log-dir
+ pathType: DirectoryOrCreate
+ readOnly: false
 - hostPath: /var/lib/kubeadm/aws-iam-authenticator/
 mountPath: /etc/kubernetes/aws-iam-authenticator/
 name: authconfig
@@ -322,6 +337,8 @@ spec:
 status: {}
 owner: root:root
 path: /etc/kubernetes/manifests/kube-vip.yaml
+ - owner: root:root
+ path: /etc/kubernetes/audit-policy.yaml
 - content: |
 # clusters refers to the remote service.
 clusters:
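Review bot: The expected audit block — five `extraArgs` keys and the two `extraVolumes` entries — is repeated verbatim in the second test case at the `@@ -395` hunk, and the matching `files` entry again in reconciler_test.go, so any later change to an audit flag has to be made in three places; hoisting the YAML into one shared fixture string would keep the cases in step. It would also help to carry a fixture comment that `audit-log-maxage: "30"`, `audit-log-maxbackup: "10"` and `audit-log-maxsize: "512"` bound on-host audit data at roughly 11 × 512 MiB per control-plane node, given that `/var/log/kubernetes` is mounted as a writable `DirectoryOrCreate` hostPath and nothing in this change ships the log off the node. The Go test function that encloses this raw string begins and ends outside the hunk.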
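Review bot: The new `files` entry pins only `owner: root:root` and `path: /etc/kubernetes/audit-policy.yaml` — no `content`, `contentFrom` or `permissions` — so the fixture would still pass if the generated file were empty, and a kube-apiserver pointed at it via `audit-policy-file` would most likely fail at node start rather than in this test. If the policy body is meant to come from the generator, assert it here (expect `content: |` followed by the policy, as the kube-vip entry just above does); if it is meant to come from elsewhere (the node image or a separate template), a comment on the entry saying so would make the omission deliberate. The same shape is expected in the `@@ -476` hunk and in the `{ Path, Owner }` literal added to reconciler_test.go at `@@ -1203`.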
@@ -395,9 +412,24 @@ spec:
 clusterConfiguration:
 apiServer:
 extraArgs:
+ audit-policy-file: /etc/kubernetes/audit-policy.yaml
+ audit-log-path: /var/log/kubernetes/api-audit.log
+ audit-log-maxage: "30"
+ audit-log-maxbackup: "10"
+ audit-log-maxsize: "512"
 authentication-token-webhook-config-file: /etc/kubernetes/aws-iam-authenticator/kubeconfig.yaml
 feature-gates: ServiceLoadBalancerClass=true
 extraVolumes:
+ - hostPath: /etc/kubernetes/audit-policy.yaml
+ mountPath: /etc/kubernetes/audit-policy.yaml
+ name: audit-policy
+ pathType: File
+ readOnly: true
+ - hostPath: /var/log/kubernetes
+ mountPath: /var/log/kubernetes
+ name: audit-log-dir
+ pathType: DirectoryOrCreate
+ readOnly: false
 - hostPath: /var/lib/kubeadm/aws-iam-authenticator/
 mountPath: /etc/kubernetes/aws-iam-authenticator/
 name: authconfig
@@ -476,6 +508,8 @@ spec:
 status: {}
 owner: root:root
 path: /etc/kubernetes/manifests/kube-vip.yaml
+ - owner: root:root
+ path: /etc/kubernetes/audit-policy.yaml
 - content: |
 # clusters refers to the remote service.
 clusters:
diff --git a/pkg/providers/tinkerbell/reconciler/reconciler_test.go b/pkg/providers/tinkerbell/reconciler/reconciler_test.go
index 2ad0b2fef5ef..2219f5b77df1 100644
--- a/pkg/providers/tinkerbell/reconciler/reconciler_test.go
+++ b/pkg/providers/tinkerbell/reconciler/reconciler_test.go
@@ -1203,6 +1203,10 @@ func tinkerbellCP(clusterName string, opts ...cpOpt) *tinkerbell.ControlPlane {
 Content: "apiVersion: v1\nkind: Pod\nmetadata:\n creationTimestamp: null\n name: kube-vip\n namespace: kube-system\nspec:\n containers:\n - args:\n - manager\n env:\n - name: vip_arp\n value: \"true\"\n - name: port\n value: \"6443\"\n - name: vip_cidr\n value: \"32\"\n - name: cp_enable\n value: \"true\"\n - name: cp_namespace\n value: kube-system\n - name: vip_ddns\n value: \"false\"\n - name: vip_leaderelection\n value: \"true\"\n - name: vip_leaseduration\n value: \"15\"\n - name: vip_renewdeadline\n value: \"10\"\n - name: vip_retryperiod\n value: \"2\"\n - name: address\n value: 1.1.1.1\n image: \n imagePullPolicy: IfNotPresent\n name: kube-vip\n resources: {}\n securityContext:\n capabilities:\n add:\n - NET_ADMIN\n - NET_RAW\n volumeMounts:\n - mountPath: /etc/kubernetes/admin.conf\n name: kubeconfig\n hostNetwork: true\n volumes:\n - hostPath:\n path: /etc/kubernetes/admin.conf\n name: kubeconfig\nstatus: {}\n",
 ContentFrom: nil,
 },
+ {
+ Path: "/etc/kubernetes/audit-policy.yaml",
+ Owner: "root:root",
+ },
 },
 Users: []bootstrapv1.User{
 {