# Copyright 2019 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # https://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: v1 kind: Namespace metadata: name: cos-auditd --- apiVersion: apps/v1 kind: DaemonSet metadata: name: cos-auditd-logging namespace: cos-auditd annotations: kubernetes.io/description: 'DaemonSet that enables Linux auditd logging on non-Autopilot COS nodes.' spec: selector: matchLabels: name: cos-auditd-logging template: metadata: labels: name: cos-auditd-logging spec: # Necessary for ensuring access to Google Cloud credentials from the node's metadata server. hostNetwork: true hostPID: true dnsPolicy: Default initContainers: - name: cos-auditd-setup image: ubuntu command: ["chroot", "/host", "systemctl", "start", "cloud-audit-setup"] securityContext: privileged: true volumeMounts: - name: host mountPath: /host resources: requests: memory: "10Mi" cpu: "10m" containers: - name: cos-auditd-fluent-bit securityContext: allowPrivilegeEscalation: false capabilities: drop: - all add: - DAC_OVERRIDE env: - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName # Substitute these (manually or via envsubst). For example, run # `CLUSTER_NAME=example-cluster CLUSTER_LOCATION=us-central1-a envsubst '$CLUSTER_NAME,$CLUSTER_LOCATION' < ${THIS_FILE:?} | kubectl apply -f -` - name: CLUSTER_NAME value: "$CLUSTER_NAME" - name: CLUSTER_LOCATION value: "$CLUSTER_LOCATION" image: gke.gcr.io/fluent-bit@sha256:b148f7f960f101b6d52efd909fe43fef73cb40cee3571da61034974965605b66 # v1.8.12-gke.31 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: / port: 2024 initialDelaySeconds: 120 periodSeconds: 60 timeoutSeconds: 5 ports: - name: metrics containerPort: 2024 resources: limits: cpu: "1" memory: 500Mi requests: cpu: 100m memory: 200Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /var/log name: varlog - mountPath: /var/lib/cos-auditd-fluent-bit/pos-files name: varlib-cos-auditd-fluent-bit-pos-files - mountPath: /fluent-bit/etc name: config-volume nodeSelector: cloud.google.com/gke-os-distribution: cos restartPolicy: Always terminationGracePeriodSeconds: 120 tolerations: - operator: "Exists" effect: "NoExecute" - operator: "Exists" effect: "NoSchedule" volumes: - name: host hostPath: path: / - name: varlog hostPath: path: /var/log - name: varlibcos-auditd-fluent-bit hostPath: path: /var/lib/cos-auditd-fluent-bit type: DirectoryOrCreate - name: varlib-cos-auditd-fluent-bit-pos-files hostPath: path: /var/lib/cos-auditd-fluent-bit/pos-files type: DirectoryOrCreate - name: config-volume configMap: name: cos-auditd-fluent-bit-config updateStrategy: type: RollingUpdate --- kind: ConfigMap apiVersion: v1 metadata: name: cos-auditd-fluent-bit-config namespace: cos-auditd annotations: kubernetes.io/description: 'ConfigMap for Linux auditd logging daemonset on COS nodes.' data: fluent-bit.conf: |- [SERVICE] Flush 5 Grace 120 Log_Level info Daemon off HTTP_Server On HTTP_Listen 0.0.0.0 HTTP_PORT 2024 [INPUT] # https://docs.fluentbit.io/manual/input/systemd Name systemd Alias audit Tag audit Systemd_Filter SYSLOG_IDENTIFIER=audit Path /var/log/journal DB /var/lib/cos-auditd-fluent-bit/pos-files/audit.db Buffer_Max_Size 20MB Mem_Buf_Limit 20MB [FILTER] # https://docs.fluentbit.io/manual/pipeline/filters/modify Name modify Match audit Add logging.googleapis.com/local_resource_id k8s_node.${NODE_NAME} [FILTER] Name modify Match audit Add logging.googleapis.com/logName linux-auditd [OUTPUT] # https://docs.fluentbit.io/manual/pipeline/outputs/stackdriver Name stackdriver Match audit Severity_key severity log_name_key logging.googleapis.com/logName Resource k8s_node # The plugin will read the project ID from the metadata server, but not the cluster name and location for some reason, so they have to be injected. k8s_cluster_name ${CLUSTER_NAME} k8s_cluster_location ${CLUSTER_LOCATION} net.connect_timeout 60 Retry_Limit 14 Workers 1