AverageMarcus/dotfiles
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Support audit policy when creating kind cluster

Browse Source 
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
This commit is contained in:
Marcus Noble 2024-03-04 15:17:22 +00:00
parent 028487c55a
commit b60bf05177
Signed by: AverageMarcus
GPG Key ID: B8F2DB8A7AEBAF78
1 changed files with 33 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
home/.bin/kind-create-cluster
View File

@ -16,6 +16,7 @@ VERSION="1.28.0@sha256:dad5a6238c5e41d7cac405fae3b5eda2ad1de6f1190fa8bfc64ff5bb8
NODES="2" NODES="2"
FEATURE_GATES="ValidatingAdmissionPolicy" FEATURE_GATES="ValidatingAdmissionPolicy"
RUNTIME_CONFIG="admissionregistration.k8s.io/v1beta1" RUNTIME_CONFIG="admissionregistration.k8s.io/v1beta1"
AUDIT_POLICY=""
print_usage() { print_usage() {
orange "kind-create-cluster - create a Kind cluster" orange "kind-create-cluster - create a Kind cluster"
@ -30,6 +31,7 @@ print_usage() {
echo "-n, --nodes the number of worker nodes (default: ${NODES})" echo "-n, --nodes the number of worker nodes (default: ${NODES})"
echo "-f, --feature-gates a comma seperated list of feature-gates to enable (default: ${FEATURE_GATES})" echo "-f, --feature-gates a comma seperated list of feature-gates to enable (default: ${FEATURE_GATES})"
echo "-r, --runtime-config a comma seperated list of API versions to enable (default: ${RUNTIME_CONFIG})" echo "-r, --runtime-config a comma seperated list of API versions to enable (default: ${RUNTIME_CONFIG})"
echo " --audit-policy a file containing the audit policy config"
} }
while test $# -gt 0; do while test $# -gt 0; do
@ -54,6 +56,11 @@ while test $# -gt 0; do
RUNTIME_CONFIG=$1 RUNTIME_CONFIG=$1
shift shift
;; ;;
--audit-policy)
shift
AUDIT_POLICY=$1
shift
;;
-h|--help) -h|--help)
print_usage print_usage
exit 0 exit 0
@ -73,9 +80,32 @@ function node() {
for ((i = 1 ; i <= $COUNT ; i++)); do for ((i = 1 ; i <= $COUNT ; i++)); do
echo "- role: ${TYPE}" echo "- role: ${TYPE}"
echo " image: kindest/node:${VERSION}" echo " image: kindest/node:${VERSION}"
# echo " labels:" if [[ "${AUDIT_POLICY}" != "" ]]; then
# echo " node-role.kubernetes.io/${TYPE}: ${TYPE}" if [[ "${TYPE}" == "control-plane" ]]; then
# echo " kubernetes.io/role: ${TYPE}" echo " kubeadmConfigPatches:"
echo " - |"
echo " kind: ClusterConfiguration"
echo " apiServer:"
echo " extraArgs:"
echo " audit-log-path: /var/log/kubernetes/kube-apiserver-audit.log"
echo " audit-policy-file: /etc/kubernetes/policies/audit-policy.yaml"
echo " extraVolumes:"
echo " - name: audit-policies"
echo " hostPath: /etc/kubernetes/policies"
echo " mountPath: /etc/kubernetes/policies"
echo " readOnly: true"
echo " pathType: "DirectoryOrCreate""
echo " - name: "audit-logs""
echo " hostPath: "/var/log/kubernetes""
echo " mountPath: "/var/log/kubernetes""
echo " readOnly: false"
echo " pathType: DirectoryOrCreate"
echo " extraMounts:"
echo " - hostPath: ${AUDIT_POLICY}"
echo " containerPath: /etc/kubernetes/policies/audit-policy.yaml"
echo " readOnly: true"
fi
fi
done done
} }