How to deploy MinIO in Openshift with Audit Log
Cesar Celis Hernandez edited this page Nov 3, 2022 · 18 revisions
- Assuming the Operator is already deployed:
- Create the tenant:
- Disable TLS:
- Disable Prometheus:
- Start addressing `securityContext` issues:
- Under the name of the pool I place an empty `securityContext`. Leaving it empty lets OpenShift's restricted SCC inject a UID and `fsGroup` from the project's assigned range; a fixed UID outside that range (the operator's default) is rejected by the restricted SCC:
```yaml
pools:
- affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: v1.min.io/tenant
            operator: In
            values:
            - thunov3629pm
          - key: v1.min.io/pool
            operator: In
            values:
            - pool-0
        topologyKey: kubernetes.io/hostname
  name: pool-0
  securityContext: {}
```
- Bind the PV to the PVC using the storage class defined for this cluster (here named `cesar`):

```yaml
spec:
  storageClassName: cesar
```
- Fix the audit log spec. The UID/GID `1000660000` is the start of this project's SCC range; take the value for your own namespace from its `openshift.io/sa.scc.uid-range` annotation:

```yaml
log:
  audit:
    diskCapacityGB: 5
  db:
    resources: {}
    securityContext:
      fsGroup: 1000660000
      fsGroupChangePolicy: Always
      runAsGroup: 1000660000
      runAsNonRoot: true
      runAsUser: 1000660000
    volumeClaimTemplate:
      metadata:
        creationTimestamp: null
        name: thunov3629pm-log
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: "5368709120"
      status: {}
  resources: {}
  securityContext:
    fsGroup: 1000660000
    fsGroupChangePolicy: Always
    runAsGroup: 1000660000
    runAsNonRoot: true
    runAsUser: 1000660000
```
- For the spec below we need a `serviceAccountName: minio-operator` that has been granted an SCC, because the remaining log pod's security context is set in the operator code and the tenant spec does not expose it:

```yaml
log:
  audit:
    diskCapacityGB: 5
  db:
    resources: {}
    serviceAccountName: minio-operator
    securityContext:
      fsGroup: 1000660000
      fsGroupChangePolicy: Always
      runAsGroup: 1000660000
      runAsNonRoot: true
      runAsUser: 1000660000
```

- Create that service account in the tenant namespace (it is a separate account from the operator's own service account in the operator namespace) and bind the SCC to it:

```sh
oc create serviceaccount minio-operator -n thunov3629pm
oc adm policy add-scc-to-user privileged -n thunov3629pm -z minio-operator
```

- Caveat: `privileged` is the broadest SCC in the cluster and grants far more than a fixed UID needs (host namespaces, all capabilities, host paths). If the only blocker is the UID, try the narrower `anyuid` SCC first, and whichever you bind, confirm which SCC actually admitted the pod with `oc get pod <pod> -n thunov3629pm -o yaml | grep openshift.io/scc`.
- Wait some time and the DB will be reached:
- 3 pods running, 2 for the logs (the PostgreSQL DB and the log-search API) and 1 for MinIO:
- Tenant ready:
- Console accessible:
- Access those logs, following the logsearchapi README:
https://github.com/minio/operator/blob/master/logsearchapi/README.md
- Access the DB as the `postgres` user. The session below gives no host, so it connects over the local socket, i.e. it is run from inside the log DB pod (for example via `oc rsh`):
```text
$ psql -U postgres
psql (13.8 (Debian 13.8-1.pgdg110+1))
Type "help" for help.

postgres=#
```
- List DBs:

```text
postgres=# \l
                                  List of databases
    Name    |  Owner   | Encoding |  Collate   |   Ctype    |   Access privileges
------------+----------+----------+------------+------------+-----------------------
 minio_logs | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
 postgres   | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
 template0  | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
            |          |          |            |            | postgres=CTc/postgres
 template1  | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
            |          |          |            |            | postgres=CTc/postgres
(4 rows)
```
- Connect to the DB:

```text
postgres=# \connect minio_logs
You are now connected to database "minio_logs" as user "postgres".
```
- List all tables. Both audit tables are range-partitioned on `event_time`, with one child table per partition window:

```text
minio_logs=# \dt
                         List of relations
 Schema |            Name             |       Type        |  Owner
--------+-----------------------------+-------------------+----------
 public | audit_log_events            | partitioned table | postgres
 public | audit_log_events_2022_10_25 | table             | postgres
 public | audit_log_events_2022_11_01 | table             | postgres
 public | audit_log_events_2022_11_09 | table             | postgres
 public | request_info                | partitioned table | postgres
 public | request_info_2022_10_25     | table             | postgres
 public | request_info_2022_11_01     | table             | postgres
 public | request_info_2022_11_09     | table             | postgres
(8 rows)
```
- See the logs. psql wraps the wide `log` column across many lines; the single row returned is shown here with its `log` JSON pretty-printed:

```text
minio_logs=# select * from audit_log_events limit 1;
event_time: 2022-11-03 08:10:29.304667+00
log:
{
  "api": {
    "name": "SetConfigKV",
    "status": "OK",
    "accessKey": "CPTT25Z5ML2T2JPD",
    "statusCode": 200,
    "timeToResponse": 137173542
  },
  "time": "2022-11-03T08:10:29.304666745Z",
  "version": "1",
  "requestID": "172404CA59A00D54",
  "userAgent": "MinIO (linux; arm64) madmin-go/0.0.1",
  "remotehost": "10.217.1.108",
  "deploymentid": "46257f3a-fb33-4396-b580-38ea6823045c",
  "requestHeader": {
    "User-Agent": "MinIO (linux; arm64) madmin-go/0.0.1",
    "X-Amz-Date": "20221103T081029Z",
    "Authorization": "AWS4-HMAC-SHA256 Credential=CPTT25Z5ML2T2JPD/20221103//s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=14a39f307ad880593314c24ff9a7d0c30ffc4d7f14f8204de40d03d59b8f9796",
    "Content-Length": "242",
    "X-Amz-Content-Sha256": "a82b1265768167dc603ed8aa8551a2394860c012c4abb3222ca9309e7df1dc67"
  },
  "responseHeader": {
    "Vary": "Origin,Accept-Encoding",
    "Server": "MinIO",
    "Accept-Ranges": "bytes",
    "Content-Length": "0",
    "X-Amz-Request-Id": "172404CA59A00D54",
    "X-Xss-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Minio-Config-Applied": "true",
    "Content-Security-Policy": "block-all-mixed-content",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
  }
}
(1 row)
```

- Note that each record keeps the full request and response headers, including the access key and the Signature V4 `Authorization` header. Treat the `minio_logs` database as sensitive: restrict who can `oc rsh` into the log DB pod or reach its service, rather than relying on the passwordless local `postgres` login shown above.
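The `select * ... limit 1` above only proves the pipeline works. The queries below are an added example of how a practitioner would actually triage these audit records; they are not part of the original page or of the MinIO project. They assume the `log` column is PostgreSQL `jsonb` (the output above shows a JSON object) and that the key layout matches the row shown: `log->'api'->>'name'`, `log->'api'->>'statusCode'`, `log->'api'->>'accessKey'`, `log->>'remotehost'`, `log->>'userAgent'`. The `bucket` and `object` keys under `api` are assumed from MinIO's audit format and do not appear in the admin-call row on this page.

```sql
-- Added example: triage queries over logsearchapi's audit_log_events table.
-- Not from the original page or the MinIO project. Assumes `log` is jsonb
-- with the key layout of the row shown on the page; api.bucket/api.object
-- are assumed keys (absent on admin calls such as SetConfigKV).
-- Run inside psql after `\connect minio_logs`.

-- 1. What is being called, and with what result, over the last 24 hours.
--    event_time is the partition key, so always keep a time bound in WHERE
--    to avoid scanning every audit_log_events_YYYY_MM_DD child table.
SELECT log->'api'->>'name'                AS api,
       (log->'api'->>'statusCode')::int   AS status,
       count(*)                           AS calls
FROM   audit_log_events
WHERE  event_time >= now() - interval '24 hours'
GROUP  BY 1, 2
ORDER  BY calls DESC;

-- 2. Failed requests (4xx/5xx) with who, from where, and on what.
--    A burst of 403s from one remote host against many keys is the
--    signature of credential guessing; many 403s from one key is usually
--    a misconfigured client or a policy change.
SELECT event_time,
       log->'api'->>'name'                AS api,
       (log->'api'->>'statusCode')::int   AS status,
       log->'api'->>'accessKey'           AS access_key,
       log->>'remotehost'                 AS remote_host,
       log->'api'->>'bucket'              AS bucket,   -- assumed key
       log->'api'->>'object'              AS object    -- assumed key
FROM   audit_log_events
WHERE  event_time >= now() - interval '7 days'
  AND  (log->'api'->>'statusCode')::int >= 400
ORDER  BY event_time DESC
LIMIT  50;

-- 3. Who is making administrative (madmin) calls, and from where.
--    The SetConfigKV row on the page is one of these; config and policy
--    changes should come only from known admin hosts and keys.
SELECT log->'api'->>'accessKey'           AS access_key,
       log->>'remotehost'                 AS remote_host,
       min(event_time)                    AS first_seen,
       max(event_time)                    AS last_seen,
       count(*)                           AS admin_calls,
       array_agg(DISTINCT log->'api'->>'name') AS apis
FROM   audit_log_events
WHERE  event_time >= now() - interval '7 days'
  AND  log->>'userAgent' LIKE '%madmin-go%'
GROUP  BY 1, 2
ORDER  BY admin_calls DESC;

-- 4. Same access key used from more than one remote host in a day:
--    a quick check for a leaked or shared credential.
SELECT log->'api'->>'accessKey'           AS access_key,
       count(DISTINCT log->>'remotehost') AS distinct_hosts,
       array_agg(DISTINCT log->>'remotehost') AS hosts
FROM   audit_log_events
WHERE  event_time >= now() - interval '24 hours'
  AND  log->'api'->>'accessKey' IS NOT NULL
GROUP  BY 1
HAVING count(DISTINCT log->>'remotehost') > 1
ORDER  BY distinct_hosts DESC;
```

These queries deliberately project individual keys out of `log` instead of returning the whole column, so the `Authorization` header and its signature never land in a shared report or dashboard; if a query does need the raw record, restrict it to the investigating role.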