[Backport release-1.25] When specifying a profile, audit-log-path is no longer passed as an argument. #4442

Closed
rancherbot opened this issue Jul 7, 2023 · 1 comment

@rancherbot

This is a backport issue for #4415, automatically created via rancherbot by @brandond

Original issue description:

Environmental Info:
RKE2 Version:
v1.25.10+rke2r1, v1.26.5+rke2r1, v1.27.2+rke2r1

Node(s) CPU architecture, OS, and Version:
RHEL 7,8,9

Cluster Configuration:
1 node

Describe the bug:
If the profile is set in the config.yaml, the audit-log-path is no longer set.

Steps To Reproduce:

  • Installed RKE2:

~]# echo "profile: cis-1.23" > /etc/rancher/rke2/config.yaml

Expected behavior:
The audit-log-path is set per the profile flag.

root 24317 6.0 4.8 1255964 391944 ? Ssl 14:13 2:55 \_ kube-apiserver --admission-control-config-file=/etc/rancher/rke2/rke2-pss.yaml --audit-log-path=/var/lib/rancher/rke2/server/logs/audit.log --audit-policy-file=/etc/rancher/rke2/audi -policy.yaml --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100

Actual behavior:
The audit-log-path is no longer set

root 181256 20.9 5.8 1255624 464056 ? Ssl 17:18 0:34 \_ kube-apiserver --admission-control-config-file=/etc/rancher/rke2/rke2-pss.yaml --audit-policy-file=/etc/rancher/rke2/audit-policy.yaml --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100

Additional context / logs:
The other audit arguments are passed. It is just the path that is no longer there.

@fmoral2

fmoral2 commented Jul 19, 2023

Validated on Version:

-$  rke2 version v1.26.6+dev.b99382e9 (b99382e9c9391d01c44cab3f86a940187326552d)

Environment Details

Infrastructure
Cloud EC2 instance

Node(s) CPU architecture, OS, and Version:
Ubuntu 22.04

Cluster Configuration:
1 node cluster

Config.yaml:

token: secret
write-kubeconfig-mode: 644
profile: cis-1.23
debug: true

Steps to validate the fix

1. Install rke2 with commit id
2. Run cis commands
3. Validate that the kube api server pod has the audit log path

Validation results

Install:

$ curl -sfL https://get.rke2.io | sudo INSTALL_RKE2_COMMIT=cc87f300a42060b37fd89f7a034b5485b8a758cc INSTALL_RKE2_TYPE=server sh -


$ rke2 -v
rke2 version v1.25.11-dev+cc87f300 (cc87f300a42060b37fd89f7a034b5485b8a758cc)


$ sudo cp -f /usr/local/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf && \
sudo systemctl restart systemd-sysctl && \
sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U


$ kubectl get pod -o yaml -n kube-system kube-apiserver-ip-172-31-19-141 | grep  "audit-log-path=/var/lib/rancher/rke2/server/logs/audit.log"
- --audit-log-path=/var/lib/rancher/rke2/server/logs/audit.log

@fmoral2 fmoral2 closed this as completed Jul 19, 2023
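
The regression reported in this issue is easy to miss because the rotation flags and the policy file are still passed; in Kubernetes, omitting --audit-log-path disables the log backend, so the policy is loaded but no audit file is written. The following is an added example, not part of the issue thread or of RKE2: a shell check that classifies a kube-apiserver argument string by its audit flags. The function name, exit-status convention and sample strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not RKE2 code. Exit-status convention is this example's own:
#   0 = audit policy and --audit-log-path both present
#   1 = audit policy present, --audit-log-path missing (the state reported here)
#   2 = no --audit-policy-file at all
check_audit_flags() (
    set -f            # no glob expansion while splitting the argument string
    policy=""
    logpath=""
    for arg in $1; do # intentional word splitting: one item per argument
        case "$arg" in
            --audit-policy-file=*) policy="${arg#*=}" ;;
            --audit-log-path=*)    logpath="${arg#*=}" ;;
        esac
    done
    if [ -z "$policy" ]; then
        echo "no audit policy configured"
        exit 2
    fi
    if [ -z "$logpath" ]; then
        echo "FAIL: policy $policy is loaded but --audit-log-path is missing"
        exit 1
    fi
    echo "ok: audit log backend writes to $logpath"
)

# Constructed samples, modelled on the two command lines quoted in the issue.
SAMPLE_OK="kube-apiserver --audit-log-path=/var/lib/rancher/rke2/server/logs/audit.log --audit-policy-file=/etc/rancher/rke2/audit-policy.yaml --audit-log-maxage=30"
SAMPLE_REGRESSED="kube-apiserver --audit-policy-file=/etc/rancher/rke2/audit-policy.yaml --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100"

for sample in "$SAMPLE_OK" "$SAMPLE_REGRESSED"; do
    check_audit_flags "$sample" || echo "  -> exit status $?"
done

# On a server node, feed it the live arguments instead:
#   check_audit_flags "$(ps -o args= -C kube-apiserver)"
```

A non-zero exit status makes the check usable as a post-upgrade gate in configuration management or CI.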