From 17d6cace436822265daa56d6dbdcbf21926dbaf0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Kme=C5=A5?=
Date: Wed, 14 Dec 2022 12:50:49 +0100
Subject: [PATCH] JSCCE-9848 Add audit policy config

---
 aws/cluster/cluster-spec.tf | 20 +++++++++++++++++---
 aws/cluster/variables.tf    |  5 +++++
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/aws/cluster/cluster-spec.tf b/aws/cluster/cluster-spec.tf
index 2acb38d..01b7a2d 100644
--- a/aws/cluster/cluster-spec.tf
+++ b/aws/cluster/cluster-spec.tf
@@ -1,4 +1,6 @@
 locals {
+  audit_policy_file_path = "/srv/kubernetes/kube-apiserver/audit-policy-config.yaml"
+
   container_networking_params = {
     amazonvpc = var.container-networking-params-amazonvpc
     calico = var.container-networking-params-calico
@@ -64,8 +66,16 @@ locals {
       } : {})
   ]
   externalPolicies = var.external-policies
-  iam = var.iam
-  keyStore = "s3://${var.kops-state-bucket}/${var.cluster-name}/pki"
+  fileAssets = var.audit-policy-config == "" ? null : [
+    {
+      name = "audit-policy-config"
+      path = local.audit_policy_file_path
+      roles = ["Master"]
+      content = var.audit-policy-config
+    }
+  ]
+  iam = var.iam
+  keyStore = "s3://${var.kops-state-bucket}/${var.cluster-name}/pki"
   kubeAPIServer = merge({
     insecureBindAddress = "127.0.0.1"
     enableAdmissionPlugins = var.enable-admission-plugins
@@ -86,7 +96,11 @@ locals {
     oidcGroupsClaim = var.oidc-groups-claim
     oidcIssuerURL = var.oidc-issuer-url
     oidcUsernameClaim = var.oidc-username-claim
-  })
+  }, var.audit-policy-config == "" ? {} : {
+    auditLogPath = "-"
+    auditPolicyFile = local.audit_policy_file_path
+  }
+  )
   kubeControllerManager = {
     allocateNodeCIDRs = true
     attachDetachReconcileSyncPeriod = "1m0s"
diff --git a/aws/cluster/variables.tf b/aws/cluster/variables.tf
index a016a42..17982d4 100644
--- a/aws/cluster/variables.tf
+++ b/aws/cluster/variables.tf
@@ -1066,3 +1066,8 @@ variable "containerd-log-level" {
   type = string
   default = "warn"
 }
+
+variable "audit-policy-config" {
+  type = string
+  default = ""
+}
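Review bot: The guard `var.audit-policy-config == ""` in front of `fileAssets` is repeated verbatim in the `kubeAPIServer` merge in the next hunk, and a whitespace-only value slips past both while still producing a file asset and an `auditPolicyFile` pointing at content that is not a policy document. Both conditions should read a single local, e.g. `audit_policy_enabled = trimspace(var.audit-policy-config) != ""` next to `audit_policy_file_path` in the first hunk, with `fileAssets = local.audit_policy_enabled ? [...] : null` here and the same local in the merge, so the two switches cannot drift apart. The enclosing `locals` block starts and ends outside the hunk.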
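Review bot: `auditLogPath = "-"` carries no explanation; for kube-apiserver, `-` means audit events are written to the process's standard output rather than to a file, so retention is bounded by the container log rotation on the master and by whatever ships those logs off the node, and the `auditLogMax*` settings have no effect in this mode. A comment such as `# "-" streams audit events to the apiserver's stdout; retention and off-node delivery depend on node log collection, not on auditLogMax* settings` above `auditLogPath` would save the next operator from searching for a log file on the master. The enclosing `locals` block and the `merge(...)` call begin outside the hunk.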
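Review bot: The new `audit-policy-config` variable has neither a `description` nor a validation, so a malformed policy is only discovered when kube-apiserver fails to start on the master after the asset has been written. A `description` stating that the value is the kube-apiserver audit policy in YAML and that an empty string leaves audit logging disabled, plus a `validation` block requiring the value to be empty or parseable by `yamldecode`, would catch this at plan time. If the module's required Terraform version permits it, `nullable = false` would additionally keep an explicit `null` input from bypassing the `== ""` checks in cluster-spec.tf, which otherwise would emit a file asset with null content.

```hcl
variable "audit-policy-config" {
  description = "kube-apiserver audit policy (YAML). An empty string leaves API audit logging disabled."
  type        = string
  default     = ""

  validation {
    condition     = var.audit-policy-config == "" || can(yamldecode(var.audit-policy-config))
    error_message = "audit-policy-config must be an empty string or a valid YAML document."
  }
}
```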