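---
# Deployment of the audit tailer. The pod runs a plain alpine image with a
# listening nc process on the fluentd forward port; the fluentd-specific env
# var, config mount and buffer mount below are therefore not consumed by this
# image (this looks deliberate for a "-broken" fixture — confirm before reuse).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-audit-tailer
  namespace: kube-system
  labels:
    k8s-app: kubernetes-audit-tailer
spec:
  selector:
    matchLabels:
      k8s-app: kubernetes-audit-tailer
  template:
    metadata:
      labels:
        k8s-app: kubernetes-audit-tailer
        app: kubernetes-audit-tailer
        # Presumably consumed by Gardener network policies to permit egress
        # to public networks — verify against the cluster's policy set.
        networking.gardener.cloud/to-public-networks: allowed
    spec:
      # It's better to disable the service links as the default args do not
      # work properly otherwise (metal#64).
      enableServiceLinks: false
      securityContext:
        runAsUser: 65534
        # Have the kubelet reject the container if the image ever resolves to
        # uid 0 instead of silently honouring the image's USER.
        runAsNonRoot: true
      containers:
        # NOTE: the image has no tag, so it resolves to :latest; together with
        # IfNotPresent the node keeps whatever version it already pulled.
        # Pin a tag or digest when this manifest is used outside of tests.
        - image: alpine
          command:
            - "nc"
            - "-l"
            - "-p"
            - "24224"
          imagePullPolicy: IfNotPresent
          name: kubernetes-audit-tailer
          securityContext:
            allowPrivilegeEscalation: false
          env:
            # This is supposed to limit fluentd memory usage. See
            # https://docs.fluentd.org/deployment/performance-tuning-single-process#reduce-memory-usage.
            - name: RUBY_GC_HEAP_OLDOBJECT_LIMIT_FACTOR
              value: "1.2"
          ports:
            - containerPort: 24224
              protocol: TCP
          volumeMounts:
            - name: fluentd-config
              mountPath: /fluentd/etc
            - name: fluentd-certs
              mountPath: /fluentd/etc/ssl
            - name: fluentbuffer
              mountPath: /fluentbuffer
          resources:
            # No requests given, so the scheduler uses the limits as requests.
            limits:
              cpu: 100m
              memory: 200Mi
      restartPolicy: Always
      volumes:
        - name: fluentd-config
          configMap:
            name: kubernetes-audit-tailer-config
        - name: fluentd-certs
          secret:
            secretName: audittailer-server
        - name: fluentbuffer
          emptyDir: {}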
---
# fluentd configuration, mounted at /fluentd/etc by the Deployment above.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kubernetes-audit-tailer-config
  namespace: kube-system
  labels:
    app.kubernetes.io/name: kubernetes-audit-tailer
data:
  # Forward-protocol listener on 24224 over TLS with client_cert_auth, so only
  # peers holding a certificate signed by ca.crt can push records; every
  # record is written as JSON to stdout through a file buffer on /fluentbuffer.
  # The certificate and key paths match the fluentd-certs mount of the pod.
  fluent.conf: |
    <source>
      @type forward
      port 24224
      bind 0.0.0.0
      <transport tls>
        ca_path /fluentd/etc/ssl/ca.crt
        cert_path /fluentd/etc/ssl/audittailer-server.crt
        private_key_path /fluentd/etc/ssl/audittailer-server.key
        # private_key_passphrase YOUR_PASSPHRASE
        client_cert_auth true
      </transport>
    </source>
    <match **>
      @type stdout
      <buffer>
        @type file
        path /fluentbuffer/auditlog-*
        chunk_limit_size 256Mb
        # This was for memory buffer:
        # total_limit_size 128Mb
        # chunk_limit_size 8Mb
      </buffer>
      <format>
        @type json
      </format>
    </match>
---
# Service in front of the audit tailer. The selector is commented out, so the
# control plane does not manage Endpoints for it; the Endpoints object that
# follows supplies the backend address by hand.
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-audit-tailer
  namespace: kube-system
  labels:
    app: kubernetes-audit-tailer
spec:
  # selector:
  #   app: kubernetes-audit-tailer
  ports:
    - port: 24224
      targetPort: 24224
---
kind: Endpoints
apiVersion: v1
metadata:
name: kubernetes-audit-tailer
namespace: kube-system
subsets:
- addresses:
- ip: 203.0.113.114
ports:
- port: 24224