Support for live audit data (and misc changes)

In order to see live changes to the kube-apiserver-audit.log file, I mounted a volume with the File that is constantly being updates by Kubernetes, upon changes to a custom resource. Furthermore, to support live audit data, I made changes so that the project can be run on minikube. However, since minikube does not officially support audit logging, I am using a sample minikube audit log that I have generated using a Postgres custom resource and applying a few functions to generate the log. Now, the project continuously rebuilds its provenance history when it is on Kubernetes but not minikube since auditing is not supported(it doesn'nt need torebuild). To check if I am on minikube or kubernetes I use status.hostIP in rc.yaml.
djarotech · Sep 10, 2018 · 021fec2 · 021fec2
1 parent 4456088
commit 021fec2
Show file tree

Hide file tree

Showing 8 changed files with 159 additions and 111 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/README.md b/README.md
@@ -40,7 +40,7 @@ Steps to Run Kubernetes Local Cluster on a GCE or AWS instance (or any node), co
 Reference: https://dzone.com/articles/easy-step-by-step-local-kubernetes-source-code-cha<br/>
 ssh to your VM <br/>
 sudo su - <br/>
-apt-get install -y gcc make socat git<br/>
+apt-get install -y gcc make socat git wget<br/>
 
 **2. Install Golang 1.10.3:** <br/>
 wget https://dl.google.com/go/go1.10.3.linux-amd64.tar.gz <br/>
@@ -76,6 +76,7 @@ Kubernetes master is running at http://127.0.0.1:8080 # => works! <br/>
 Add $GOPATH/src/k8s.io/kubernetes/cluster to PATH: <br/>
 
 export PATH=$PATH:$GOPATH/src/k8s.io/kubernetes/cluster <br/>
+
 Now, Commands look like kubectl.sh get pods instead of kubectl get pods...
 
 **7. Enabling auditing:**
@@ -136,11 +137,10 @@ curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh <br/>
 Move dep executable to somewhere on your $PATH
 dep version //to verify that it is installed correctly
 
-git clone https://github.com/cloud-ark/kubeprovenance.git $GOPATH/src/github.com/cloud-ark<br/>
-cd $GOPATH/src/github.com/cloud-ark/kubeprovenance <br/>
+go get github.com/cloud-ark/kubeprovenance <br/>
 dep ensure -v <br/>
 
-Make sure kubernetes is running:
+Make sure kubernetes is running:<br/>
 $ kubectl.sh cluster-info
 
 Now to deploy this aggregated api server use these commands:

diff --git a/artifacts/example/rc.yaml b/artifacts/example/rc.yaml
@@ -23,12 +23,22 @@ spec:
         volumeMounts:
         - name: kind-compositions-volume
           mountPath: /etc/kubeprovenance
+        - mountPath: /tmp/kube-apiserver-audit.log
+          name: audit-log
         env:
         - name: KIND_COMPOSITION_FILE
           value: /etc/kubeprovenance/kind_compositions.yaml
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
       - name: etcd
         image: quay.io/coreos/etcd:v3.2.18
       volumes:
         - name: kind-compositions-volume
           configMap:
             name: kind-compositions-config-map
+        - name: audit-log
+          hostPath:
+            path: /tmp/kube-apiserver-audit.log
+            type: FileOrCreate
diff --git a/artifacts/simple-image/Dockerfile b/artifacts/simple-image/Dockerfile
@@ -15,5 +15,5 @@
 FROM fedora
 RUN mkdir -p /tmp/
 ADD kube-provenance-apiserver /
-ADD kube-apiserver-audit.log /tmp/
+ADD minikube-sample-audit.log /tmp/
 ENTRYPOINT ["/kube-provenance-apiserver"]
diff --git a/...cts/simple-image/kube-apiserver-audit.log → ...ts/simple-image/minikube-sample-audit.log b/...cts/simple-image/kube-apiserver-audit.log → ...ts/simple-image/minikube-sample-audit.log
diff --git a/delete-provenance-artifacts.sh b/delete-provenance-artifacts.sh
@@ -1,19 +1,17 @@
 #!/bin/bash
 
-#export GOOS=linux; go build .
-#cp kubeprovenance ./artifacts/simple-image/kube-provenance-apiserver
-#docker build -t kube-provenance-apiserver:latest ./artifacts/simple-image
+#kubernetes/cluster/kubectl.sh should be in your PATH env var
+#for kubernetes local installation uncomment these:
+#kubectl.sh delete ns provenance
+#kubectl.sh delete -f artifacts/example/auth-delegator.yaml -n kube-system
+#kubectl.sh delete -f artifacts/example/auth-reader.yaml -n kube-system
+#kubectl.sh delete -f artifacts/example/apiservice.yaml
+#kubectl.sh delete -f artifacts/example/grant-cluster-admin.yaml
 
-#cluster/kubectl.sh should be in your PATH env var
-kubectl.sh delete ns provenance
-kubectl.sh delete -f artifacts/example/auth-delegator.yaml -n kube-system
-kubectl.sh delete -f artifacts/example/auth-reader.yaml -n kube-system
-kubectl.sh delete -f artifacts/example/apiservice.yaml
-kubectl.sh delete -f artifacts/example/grant-cluster-admin.yaml
 #FOR MINIKUBE UNCOMMENT THESE:
-#kubectl delete ns provenance
-#kubectl delete -f artifacts/example/auth-delegator.yaml -n kube-system
-#kubectl delete -f artifacts/example/auth-reader.yaml -n kube-system
-#kubectl delete -f artifacts/example/apiservice.yaml
-#kubectl delete -f artifacts/example/grant-cluster-admin.yaml
+kubectl delete ns provenance
+kubectl delete -f artifacts/example/auth-delegator.yaml -n kube-system
+kubectl delete -f artifacts/example/auth-reader.yaml -n kube-system
+kubectl delete -f artifacts/example/apiservice.yaml
+kubectl delete -f artifacts/example/grant-cluster-admin.yaml
 
diff --git a/deploy-provenance-artifacts.sh b/deploy-provenance-artifacts.sh
@@ -1,22 +1,22 @@
 #!/bin/bash
 
-kubectl.sh create -f artifacts/example/ns.yaml
-kubectl.sh create configmap -n provenance kind-compositions-config-map --from-file=kind_compositions.yaml
-kubectl.sh create -f artifacts/example/sa.yaml -n provenance
-kubectl.sh create -f artifacts/example/auth-delegator.yaml -n kube-system
-kubectl.sh create -f artifacts/example/auth-reader.yaml -n kube-system
-kubectl.sh create -f artifacts/example/grant-cluster-admin.yaml
-kubectl.sh create -f artifacts/example/rc.yaml -n provenance
-kubectl.sh create -f artifacts/example/service.yaml -n provenance
-kubectl.sh create -f artifacts/example/apiservice.yaml
+#kubectl.sh create -f artifacts/example/ns.yaml
+#kubectl.sh create configmap -n provenance kind-compositions-config-map --from-file=kind_compositions.yaml
+#kubectl.sh create -f artifacts/example/sa.yaml -n provenance
+#kubectl.sh create -f artifacts/example/auth-delegator.yaml -n kube-system
+#kubectl.sh create -f artifacts/example/auth-reader.yaml -n kube-system
+#kubectl.sh create -f artifacts/example/grant-cluster-admin.yaml
+#kubectl.sh create -f artifacts/example/rc.yaml -n provenance
+#kubectl.sh create -f artifacts/example/service.yaml -n provenance
+#kubectl.sh create -f artifacts/example/apiservice.yaml
 #FOR MINIKUBE UNCOMMENT THESE: todo: code to automate this
-#kubectl create -f artifacts/example/ns.yaml
-#kubectl create configmap -n provenance kind-compositions-config-map --from-file=kind_compositions.yaml
-#kubectl create -f artifacts/example/sa.yaml -n provenance
-#kubectl create -f artifacts/example/auth-delegator.yaml -n kube-system
-#kubectl create -f artifacts/example/auth-reader.yaml -n kube-system
-#kubectl create -f artifacts/example/grant-cluster-admin.yaml
-#kubectl create -f artifacts/example/rc.yaml -n provenance
-#kubectl create -f artifacts/example/service.yaml -n provenance
-#kubectl create -f artifacts/example/apiservice.yaml
+kubectl create -f artifacts/example/ns.yaml
+kubectl create configmap -n provenance kind-compositions-config-map --from-file=kind_compositions.yaml
+kubectl create -f artifacts/example/sa.yaml -n provenance
+kubectl create -f artifacts/example/auth-delegator.yaml -n kube-system
+kubectl create -f artifacts/example/auth-reader.yaml -n kube-system
+kubectl create -f artifacts/example/grant-cluster-admin.yaml
+kubectl create -f artifacts/example/rc.yaml -n provenance
+kubectl create -f artifacts/example/service.yaml -n provenance
+kubectl create -f artifacts/example/apiservice.yaml