ENABLE_APISERVER_BASIC_AUDIT configuration out of date #53154

Closed
@tallclair

Description

With 1.8, advanced auditing is enabled by default. This means that the ENABLE_APISERVER_BASIC_AUDIT flag is no longer accurate:

```bash
if [[ "${ENABLE_APISERVER_BASIC_AUDIT:-}" == "true" ]]; then
  # We currently only support enabling with a fixed path and with built-in log
  # rotation "disabled" (large value) so it behaves like kube-apiserver.log.
  # External log rotation should be set up the same as for kube-apiserver.log.
  params+=" --audit-log-path=/var/log/kube-apiserver-audit.log"
  params+=" --audit-log-maxage=0"
  params+=" --audit-log-maxbackup=0"
  # Lumberjack doesn't offer any way to disable size-based rotation. It also
  # has an in-memory counter that doesn't notice if you truncate the file.
  # 2000000000 (in MiB) is a large number that fits in 31 bits. If the log
  # grows at 10MiB/s (~30K QPS), it will rotate after ~6 years if apiserver
  # never restarts. Please manually restart apiserver before this time.
  params+=" --audit-log-maxsize=2000000000"
elif [[ "${ENABLE_APISERVER_ADVANCED_AUDIT:-}" == "true" ]]; then
```

It will no longer enable audit logging (due to lack of a policy file), and would not be "basic" auditing.

This flag should either be removed, or explicitly disable the AdvancedAuditing feature gate.

NOTE: I'm putting this in the 1.8 release because I think it should be cherry-picked in a patch release, but this is NOT a release blocker.
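The failure mode described in this issue, as an added example that is not part of the original issue or of the Kubernetes repository: a check that classifies which audit mode a 1.8 kube-apiserver flag set actually yields, so a log path with no policy file is reported as producing no audit events. The function name `audit_state`, the state names, the policy file path and the sample flag strings are assumptions made for illustration, and only the `--flag=value` form is parsed.

```shell
#!/bin/sh
# Added example: report the audit mode implied by kube-apiserver flags on 1.8,
# where (per the issue) AdvancedAuditing is enabled by default.
#
# audit_state FLAG...  prints one of:
#   off       no --audit-log-path at all
#   basic     log path set and AdvancedAuditing explicitly disabled
#   advanced  log path set, gate enabled, policy file supplied
#   silent    log path set, gate enabled, no policy file: nothing is logged
audit_state() (
  # Subshell body keeps these variables local to the call.
  log_path="" policy="" gate="true"   # gate default assumed from the issue text
  for arg in "$@"; do
    case "$arg" in
      --audit-log-path=*)    log_path="${arg#*=}" ;;
      --audit-policy-file=*) policy="${arg#*=}" ;;
      --feature-gates=*)
        # Value is a comma-separated list of Name=bool pairs.
        case ",${arg#*=}," in
          *,AdvancedAuditing=false,*) gate="false" ;;
          *,AdvancedAuditing=true,*)  gate="true" ;;
        esac
        ;;
    esac
  done
  if [ -z "$log_path" ]; then
    echo off
  elif [ "$gate" = "false" ]; then
    echo basic
  elif [ -n "$policy" ]; then
    echo advanced
  else
    echo silent
  fi
)

# Constructed sample: the flags the basic-audit branch quoted above appends.
basic_params="--audit-log-path=/var/log/kube-apiserver-audit.log \
--audit-log-maxage=0 --audit-log-maxbackup=0 --audit-log-maxsize=2000000000"

# Word splitting of $basic_params is intended in the calls below.
echo "basic branch as written:     $(audit_state $basic_params)"
echo "with gate explicitly off:    $(audit_state $basic_params \
  --feature-gates=AdvancedAuditing=false)"
echo "with a policy file supplied: $(audit_state $basic_params \
  --audit-policy-file=/etc/kubernetes/audit-policy.yaml)"
```

A `silent` result is the case to alert on: the cluster is configured as if auditing were on, but no events reach the log file.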

Labels: area/audit, area/platform/gce, kind/bug, sig/auth