search
Ctrlk

Updating API Audit Logging Parameters using Qbert API Leads to Duplicate Entries.

hashtag
Problem

  • While using the below Qbert API call with few sample API Audit Logging parameters;

curl -kv --request PUT -H "X-Auth-Token: <MASKED>" -H "Content-Type: application/merge-patch+json" -H "Accept: application/json" --data '{"apiServerFlags": "--audit-policy-file=/var/opt/pf9/kube/apiserver-config/audit-policy.yaml,--audit-log-path=/var/opt/pf9/kube/audit/audit.log,--audit-log-maxage=60,--audit-log-maxsize=200,--audit-log-maxbackup=20"}' https://<DU-FQDN>/qbert/v4/<PROJECT-ID>/clusters/<CLUSTER-UUID
        We could see duplicate entries in the _/opt/pf9/pf9-kube/conf/master.yaml_
$ grep -i audit /opt/pf9/pf9-kube/conf/pod-manifests/master.yaml
---
    - --audit-log-path=/var/opt/pf9/kube/audit/audit.log
    - --audit-log-maxage=30
    - --audit-log-maxbackup=20
    - --audit-log-maxsize=50
    - --audit-policy-file=/var/opt/pf9/kube/apiserver-config/audit-policy.yaml
    - --audit-log-path=/var/opt/pf9/kube/audit/audit.log
    - --audit-log-maxage=60
    - --audit-log-maxsize=200
    - --audit-log-maxbackup=20
    - mountPath: /var/opt/pf9/kube/audit
      name: apiserver-audit
      path: /var/opt/pf9/kube/audit
    name: apiserver-audit
---

hashtag
Environment

  • Platform9 Managed Kubernetes - v5.6.8

    • PF9-Kube - 1.22.9-pmk.384

    • PF9-Kube - 1.23.8-pmk.373

  • Platform9 Edge Cloud - LTS2 #4

hashtag
Cause

  • Starting with the above mentioned releases, below parameters are by default baked with PF9-Kube package. This was introduced as part of a vulnerability scan.

  • Using the Qbert API to update the Audit logging API server arguments may help the values persist even after cluster upgrades, but, is currently not recommended as it adds new entries instead of overriding the existing ones as seen in the Problem section.

  • This is currently tracked under JIRA AIR-1101 and PMK-5901.

hashtag
Workaround

  • The current workaround is to manually update the _/opt/pf9/pf9-kube/conf/masterconfig/base/centos/master.yaml_ file on each master node followed by a PMK stack restart.

circle-exclamation

Warning

This method doesn't persist the values after cluster upgrades and needs to be manually updated after every upgrade.

  1. Modify/Edit the below parameters on each master node:

  1. Restart the PMK stack one by one on all the master nodes:

  1. Verify the content of _/opt/pf9/pf9-kube/conf/pod-manifests/master.yaml_ to make sure the above values are reflected in the actual master configuration.

PreviousSpeaker pod fails to announce service if ExternalTrafficPolicy is changed to LocalNextVault Token Expired Prematurely Before Validity Period Ends

Last updated