v0.0.0-...-75b20ab Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Aug 12, 2021 License: Apache-2.0




This project provides an auditing system for network policy-related, Kubernetes resources and Antrea specific CRDs, that tracks creations, updates, and deletions of these resources, stored as YAML files backed by a Git repository. The system also comes with a CLI for querying and filtering the repository for changes based onfilters like date range or service account responsible for those changes, as well as a tagging and rollback feature for reverting the cluster state if the current cluster state is undesirable. A webUI service is linked to the repository, allowing for easy visualization of the entire history of resource configurations.


Getting Started

Ensure kubectl is running correctly prior to getting started. A label is used to specify the node to run all audit services on. The nodeAffinity field is used to schedule the Pods to the correct Node(s) and uses Node labels to determine them. The label can be applied with:

kubectl label nodes <node-name> audit=target

Run the following command on the Node that was just labelled to create the directory the repository will be stored in:

mkdir -p /data/antrea-audit

Connect to the control Node and copy audit-policy.yaml and audit-config.yaml to /etc/kubernetes/addons. If this directory does not exist, create it with:

mkdir -p /etc/kubernetes/addons

Modify the kube-apiserver.yaml manifest by adding the following lines to the manifest:

  - command
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/addons/audit-policy.yaml
    - --audit-webhook-config-file=/etc/kubernetes/addons/audit-config.yaml
    - mountPath: /etc/kubernetes/addons/audit-policy.yaml
      name: audit-policy
      readOnly: true
    - mountPath: /etc/kubernetes/addons/audit-config.yaml
      name: audit-config
      readOnly: true
  - hostPath:
      path: /etc/kubernetes/addons/audit-policy.yaml
      type: File
    name: audit-policy
  - hostPath:
      path: /etc/kubernetes/addons/audit-config.yaml
      type: File
    name: audit-config

Exit the control Node. To deploy the most recent version of resource-auditing, use the checked in deployment yaml:

kubectl apply -f


The Antrea community welcomes new contributors. We are waiting for your PRs!


Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL