Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License

Collect platform logs for AKS clusters #922

Closed BernieWhite closed 3 years ago

BernieWhite commented 3 years ago

Rule request

Suggested rule change

Enable capture of platform diagnostics logs.

Platform monitoring Collect resource logs

Applies to the following

The rule applies to the following:

Related to #882

ArmaanMcleod commented 3 years ago

@BernieWhite Should we call this rule Azure.AKS.PlatformLogs to be more explicit? Or do you think Azure.AKS.Logs is fine.

Also just checking if we would cover all these log categories which are not included in Azure.AKS.AuditLogs:

And metrics:

BernieWhite commented 3 years ago

@ArmaanMcleod Makes sense to me, that is the recommended starting point.

You could make it configurable. Some of these logs are considerable; it's fairly likely that some customers would want to be selective about the list.

ArmaanMcleod commented 3 years ago

@BernieWhite No worries.

I can probably create a configuration like this to enable/disable the categories inside the rule:

AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES = @{
    Logs = @{
        'cluster-autoscaler' = $True
        'kube-apiserver' = $True
        'kube-controller-manager' = $True
        'kube-scheduler' = $True
    }
    Metrics = @{
        'AllMetrics' = $True
    }
}

Which would map to this in YAML:

# YAML: The default AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES configuration option
configuration:
  AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES:
    logs:
      cluster-autoscaler: true
      kube-apiserver: true
      kube-controller-manager: true
      kube-scheduler: true
    metrics:
      AllMetrics: true

Happy to change this format or option name if you want 🙂.

Was considering making an inner enabled key to make this clearer and match the template structure 🤔. Seemed cleaner though to just assign a boolean with key-value pairs like above.

BernieWhite commented 3 years ago

@ArmaanMcleod You could try it as an array of categories using GetStringValues. That might be slightly cleaner to configure.

https://github.com/microsoft/PSRule/blob/main/docs/concepts/PSRule/en-US/about_PSRule_Variables.md#configuration

https://github.com/microsoft/PSRule.Rules.CAF/blob/main/src/PSRule.Rules.CAF/rules/Baseline.Rule.yaml
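The array-of-categories form suggested in the last comment, sketched as an added example; it is not code from this thread or from PSRule.Rules.Azure. The helper name `Get-MissingAksLogCategory`, the `resources` sub-resource layout and the sample cluster are assumptions constructed for illustration.

```powershell
# Added example: array-style option. Inside a PSRule rule this list would be read with
# $Configuration.GetStringValues('AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES').
$requiredCategories = @(
    'cluster-autoscaler', 'kube-apiserver', 'kube-controller-manager', 'kube-scheduler', 'AllMetrics'
)

function Get-MissingAksLogCategory {
    # Hypothetical helper: returns the required categories that no diagnostic setting enables.
    param (
        [Parameter(Mandatory)] [psobject]$Cluster,
        [Parameter(Mandatory)] [string[]]$Category
    )
    $enabled = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    # Assumption: diagnostic settings are nested under the cluster's 'resources' property.
    $settings = @($Cluster.resources | Where-Object { $_.type -like '*/diagnosticSettings' })
    foreach ($setting in $settings) {
        foreach ($entry in @($setting.properties.logs) + @($setting.properties.metrics)) {
            if ($entry.enabled -eq $true -and $entry.category) { [void]$enabled.Add($entry.category) }
        }
    }
    return @($Category | Where-Object { -not $enabled.Contains($_) })
}

# Constructed sample: an AKS cluster with one diagnostic setting that enables only some categories.
$cluster = [pscustomobject]@{
    name      = 'aks-sample'
    type      = 'Microsoft.ContainerService/managedClusters'
    resources = @(
        [pscustomobject]@{
            type       = 'Microsoft.ContainerService/managedClusters/providers/diagnosticSettings'
            properties = [pscustomobject]@{
                logs    = @(
                    [pscustomobject]@{ category = 'kube-apiserver'; enabled = $true }
                    [pscustomobject]@{ category = 'kube-scheduler'; enabled = $false }
                )
                metrics = @([pscustomobject]@{ category = 'AllMetrics'; enabled = $true })
            }
        }
    )
}

$missing = @(Get-MissingAksLogCategory -Cluster $cluster -Category $requiredCategories)
if ($missing.Count -gt 0) { "FAIL $($cluster.name): missing $($missing -join ', ')" } else { "PASS $($cluster.name)" }
```

With a flat list, a customer who wants to be selective removes entries from the array instead of toggling booleans, and a category that is present but set to `enabled = $false` is still reported as missing.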