ビュー:

OpenShiftでは、ClusterLogForwarderを使用してAudit Logsを転送します。

重要
type: fluentd の代わりに type: vector を使用してください。Fluentd には Content-Type の互換性の問題があります。

手順

  1. Red Hat OpenShift Logging Operatorをインストールします。
    # Namespace that will hold the logging operator and its instances
    oc create namespace openshift-logging

    # OperatorGroup scoping the operator to that single namespace
    oc apply -f - <<EOF
    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      namespace: openshift-logging
      name: cluster-logging-og
    spec:
      targetNamespaces:
      - openshift-logging
    EOF

    # Subscription to the Red Hat OpenShift Logging Operator (stable channel)
    oc apply -f - <<EOF
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      namespace: openshift-logging
      name: cluster-logging
    spec:
      source: redhat-operators
      sourceNamespace: openshift-marketplace
      name: cluster-logging
      channel: stable
    EOF

    # Verify the install: the CSV must reach PHASE "Succeeded" before continuing
    oc -n openshift-logging get csv
  2. ClusterLoggingインスタンスを作成します。
    # ClusterLogging instance: only the collector is configured, and it uses Vector
    oc apply -f - <<EOF
    apiVersion: logging.openshift.io/v1
    kind: ClusterLogging
    metadata:
      namespace: openshift-logging
      name: instance
    spec:
      collection:
        type: vector
    EOF
  3. ClusterLogForwarderを作成します。
    # Apply the forwarder; the manifest is read from stdin
    cat <<EOF | oc apply -f -
    apiVersion: logging.openshift.io/v1
    kind: ClusterLogForwarder
    metadata:
      name: instance
      namespace: openshift-logging
    spec:
      # Audit-policy filter. Rules are matched top to bottom and the first
      # match sets the level, so the closing "level: None" drops every audit
      # event that the rules above did not select.
      filters:
      - name: rbac-only
        type: kubeAPIAudit
        kubeAPIAudit:
          rules:
          # RBAC object writes: full request and response bodies are kept,
          # so the changed role/binding itself is part of the record.
          - level: RequestResponse
            verbs: ["create", "update", "patch", "delete"]
            resources:
            - group: "rbac.authorization.k8s.io"
              resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
          # RBAC object reads: metadata only (who, what, when), no bodies.
          - level: Metadata
            verbs: ["get", "list", "watch"]
            resources:
            - group: "rbac.authorization.k8s.io"
              resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
          # Authorization checks (SubjectAccessReview family), metadata only.
          - level: Metadata
            verbs: ["create"]
            resources:
            - group: "authorization.k8s.io"
              resources: ["subjectaccessreviews", "selfsubjectaccessreviews", "localsubjectaccessreviews"]
          # ServiceAccount lifecycle; group "" is the core API group.
          - level: Metadata
            verbs: ["create", "update", "delete"]
            resources:
            - group: ""
              resources: ["serviceaccounts"]
          # Catch-all: anything not matched above is not forwarded.
          - level: None
      outputs:
      - name: trendmicro-audit-collector
        type: http
        # NOTE(review): plain http:// with no authentication header configured on
        # this output — audit records cross the cluster network unencrypted.
        # Confirm whether the collector can serve TLS; if so, prefer an https://
        # URL together with the output's CA/secret settings.
        url: http://trendmicro-audit-log-collector.trendmicro-system.svc:8030/k8s-audit
        http:
          method: POST
          headers:
            # Explicit content type the collector expects (Vector emits JSON)
            Content-Type: application/json
      # Route the built-in "audit" input through the filter to the collector
      pipelines:
      - name: audit-to-trendmicro
        inputRefs:
        - audit
        filterRefs:
        - rbac-only
        outputRefs:
        - trendmicro-audit-collector
    EOF
  4. 構成を確認します。
    # Collector pods should be Running; inspect the forwarder's status conditions in its YAML
    oc -n openshift-logging get pods
    oc -n openshift-logging get clusterlogforwarder/instance -o yaml