Updating API Audit Logging Parameters using Qbert API Leads to Duplicate Entries.

Problem

  • While using the below Qbert API call with few sample API Audit Logging parameters;
Bash
Copy

We could see duplicate entries in the /opt/pf9/pf9-kube/conf/master.yaml

Bash
Copy

Environment

  • Platform9 Managed Kubernetes - v5.6.8

    • PF9-Kube - 1.22.9-pmk.384
    • PF9-Kube - 1.23.8-pmk.373
  • Platform9 Edge Cloud - LTS2 #4

Cause

  • Starting with the above mentioned releases, below parameters are by default baked with PF9-Kube package. This was introduced as part of a vulnerability scan.
Bash
Copy
  • Using the Qbert API to update the Audit logging API server arguments may help the values persist even after cluster upgrades, but, is currently not recommended as it adds new entries instead of overriding the existing ones as seen in the Problem section.
  • This is currently tracked under JIRA AIR-1101 and PMK-5901.

Workaround

  • The current workaround is to manually update the _/opt/pf9/pf9-kube/conf/masterconfig/base/centos/master.yaml_ file on each master node followed by a PMK stack restart.

This method doesn't persist the values after cluster upgrades and needs to be manually updated after every upgrade.

  1. Modify/Edit the below parameters on each master node:
Bash
Copy
  1. Restart the PMK stack one by one on all the master nodes:
Bash
Copy
  1. Verify the content of _/opt/pf9/pf9-kube/conf/pod-manifests/master.yaml_ to make sure the above values are reflected in the actual master configuration.
Bash
Copy
Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard