FairwindsOps / pentagon

A framework for building repeatable, containerized, cloud-based infrastructure as code with Kubernetes.
https://www.reactiveops.com
Apache License 2.0
183 stars, 25 forks

WIP: Release/2.7.0 #158

Closed ejether closed 5 years ago

ejether commented 5 years ago

This one turned into a bit of a monster since we were missing several migrations from small changes.

ivanfetch commented 5 years ago

The fileAssets -> auditPolicyFile is migrated to formatting with \n newlines instead of reflecting YAML in cluster.yml. For example:

  fileAssets:
  - name: auditPolicyFile
    path: /srv/kubernetes/audit.yaml
    roles:
    - Master
    content: "apiVersion: audit.k8s.io/v1beta1\nkind: Policy\nrules:\n  # The following\
      \ requests were manually identified as high-volume and low-risk,\n  # so drop\
      \ them.\n  - level: None\n    users: [\"system:kube-proxy\"]\n    verbs: [\"\

Is it possible to retain formatting which will make it nicer to edit the audit policy in the future? For example:

  fileAssets:
  - name: auditPolicyFile
    path: /srv/kubernetes/audit.yaml
    roles: [Master]
    content: |
      apiVersion: audit.k8s.io/v1beta1
      kind: Policy
      rules:
        # The following requests were manually identified as high-volume and low-risk,
        # so drop them.
        - level: None
          users: ["system:kube-proxy"]
          verbs: ["watch"]

ejether commented 5 years ago

Good spot. I missed that when testing. Yes, I can make it format as you pointed out. Should that fileAssets block be part of the upgrade standard? It's not currently in our default spec.
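An added example (not Pentagon's migration code) of the formatting change discussed above: it turns the "\n"-joined audit policy string into a `content: |` literal block scalar inside a kops fileAssets item. The chomping-indicator handling and the `file_asset_entry` helper are hypothetical details, chosen so the decoded value stays byte-identical to the string form that gets written to the audit policy file.

```python
# Added example (not Pentagon's migration code): emit the audit policy string
# as a YAML literal block scalar so cluster.yml stays readable. The chomping
# indicator is chosen so the decoded value stays byte-identical to the
# "\n"-joined form, which is what ends up in /srv/kubernetes/audit.yaml.

def literal_block(text: str, indent: int = 4) -> str:
    """Return `content: |` lines for text, nested `indent` spaces deep."""
    body = text.rstrip("\n")
    trailing = len(text) - len(body)          # newlines at end of the policy
    if trailing == 0:
        indicator = "|-"                      # strip: no final newline
    elif trailing == 1:
        indicator = "|"                       # clip: keep exactly one
    else:
        indicator = "|+"                      # keep: preserve all of them
    if body.startswith(" "):
        # A first line with leading spaces needs an explicit indentation
        # indicator, otherwise the parser would misjudge the block's indent.
        indicator = indicator[0] + "2" + indicator[1:]
    pad = " " * indent
    out = [f"{pad}content: {indicator}"]
    for line in body.split("\n"):
        # Empty policy lines stay empty; padding them would add trailing spaces.
        out.append(pad + "  " + line if line else "")
    out.extend([""] * (trailing - 1 if trailing > 1 else 0))  # blanks kept by |+
    return "\n".join(out) + "\n"


def file_asset_entry(name: str, path: str, roles: list, content: str) -> str:
    """One kops fileAssets item in the reviewed form (roles as a flow list).
    Assumes name and path are plain scalars that need no YAML quoting."""
    header = [
        f"  - name: {name}",
        f"    path: {path}",
        f"    roles: [{', '.join(roles)}]",
    ]
    return "\n".join(header) + "\n" + literal_block(content, indent=4)


# Constructed sample: the audit policy excerpt from the PR discussion,
# in the "\n"-joined form the migration currently produces.
POLICY = (
    "apiVersion: audit.k8s.io/v1beta1\nkind: Policy\nrules:\n"
    "  # The following requests were manually identified as high-volume and low-risk,\n"
    "  # so drop them.\n  - level: None\n    users: [\"system:kube-proxy\"]\n"
    "    verbs: [\"watch\"]\n"
)

if __name__ == "__main__":
    print(file_asset_entry("auditPolicyFile", "/srv/kubernetes/audit.yaml",
                           ["Master"], POLICY), end="")
```

Running the block prints the fileAssets item in the same shape as the second snippet above, so a migration can diff the decoded content against the old string before rewriting cluster.yml.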

ivanfetch commented 5 years ago

RE: whether the fileAssets block should be part of the upgrade standard, which upgrade are you asking about, beyond the one done by a Pentagon migration?

ejether commented 5 years ago

Yes. I'm wondering if that block should be our standard audit configuration. It looks like a good improvement over defaults. We can add it to Pentagon as our defaults and add it to the migration so all current repos get the same configuration when we turn on audit logging in this migration.

ivanfetch commented 5 years ago

EJ and I talked offline and confirmed this audit log config is already part of the Pentagon defaults - something Rob added earlier.

ejether commented 5 years ago

With improvements from @sudermanjr, this closes #146