search

open-policy-agent / gatekeeper

🐊 Gatekeeper - Policy Controller for Kubernetes
https://open-policy-agent.github.io/gatekeeper/
Apache License 2.0
3.63k stars 744 forks source link

Audit logs to file #1532

Closed anvpetrov closed 1 year ago

anvpetrov commented 3 years ago

We wont to redirect audit logs to file, but all args that we found not working.

Environment: DEV

args:

maxsmythe commented 3 years ago

Is it that you want to explicitly redirect audit logs to a file and avoid comingling them with other logs, or you want to redirect all pod logs to a file?

If the latter, are you able to use one of the general solutions outlined in the K8s docs here?

https://kubernetes.io/docs/concepts/cluster-administration/logging/#cluster-level-logging-architectures

anvpetrov commented 3 years ago

We want to redirect all logs , this is not so important in this case. I want to attach fluentbit sidecar and send logs to grafana loki.

There is no general logging in our clusters because they are multi tenant. In gatekeeper binary help there are some keys for log redirect (log_dir , alsologtostderr and etc). Why don't they work?

maxsmythe commented 3 years ago

Those flags are used by the glog package, which some dependencies use, but gatekeeper does not.

It looks llke the logging package's default is to write to stderr:

https://github.com/kubernetes-sigs/controller-runtime/blob/386c2b5b29bace1e1e0b35afd0f6c1acc38cd140/pkg/log/zap/zap.go#L58-L64

K8s does take these stdout/stderr logs and write them to a file. I'd suggest working with your cluster host to see if there is a way to access this file, as that's probably the simplest approach, otherwise you may be on the hook for things like log rotation.

Are you able to redirect the output to a file using a trick like the following (modifying the command)?

https://stackoverflow.com/questions/54915956/kubernetes-mount-container-stdout-stderr-logs

You may want to redirect both stdout and stderr to make sure you have everything:

https://stackoverflow.com/questions/7526971/how-to-redirect-both-stdout-and-stderr-to-a-file

Note that if you do this, kubectl log wont work and you'll need to figure out log rotation (this would be true if you could write to a file directly as well).

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.