adds dynamic audit debug documentation

kubernetes · Aug 21, 2018 · f0a44ad · f0a44ad
1 parent f8e4d35
commit f0a44ad
Showing 1 changed file with 41 additions and 0 deletions.
diff --git a/content/en/docs/tasks/debug-application-cluster/audit.md b/content/en/docs/tasks/debug-application-cluster/audit.md
@@ -199,6 +199,47 @@ same format as described above to the aggregated apiserver and set up the log in
 to pick up audit logs. Different apiservers can have different audit configurations and different
 audit policies.
 
+## Dynamic Auditing
+
+Dynamic audit configuration is an alpha feature that allows you to configure audit backends as api 
+objects. 
+
+To configure the feature a number of api server flags must be set:
+- `--audit-dynamic-configuration` the primary switch, once the feature progresses to GA this will be 
+  the only flag needed
+- `--feature-gates=DynamicAuditing=true` Feature gate
+- `--runtime-config=audit.k8s.io/v1alpha1=true` Forces alpha version
+- `--storage-versions=audit.k8s.io/v1alpha1` Uses storage for alpha version
+
+Once configured, a backend can be provisioned:
+```yaml
+apiVersion: audit.k8s.io/v1beta1
+kind: AuditConfiguration
+metadata:
+  name: <name>
+policy:
+  rules:
+  - level: <level>
+  omitStages:
+  - stage: <stage>
+backend:
+  webhook:
+    initialBackoff: <10s>
+    throttleBurst: <15>
+    throttleEnabled: <true>
+    throttleQPS: <10>
+    clientConfig:
+      url: <backend url>
+      service:
+        name: <service name>
+        namespace: <service namespace>
+      caBundle: <ca bundle>
+```
+
+The full api defintion can be found in the [types](https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go). Multiple objects will exist as independent solutions. If the policy section is omitted the backend will resort to the static policy set by the apiserver flags if available. Dynamic policy will have no effect on backends configured from runtime flags. Administrators should be cognizant that allowing write access to this feature grants read access to all cluster data. Access should be regarded as a `cluster-admin` level privilege.
+
+
+
 ## Log Collector Examples
 
 ### Use fluentd to collect and distribute audit events from log file