
Exercise 5.5: Enabling API Server Auditing: mount audit.log file as FileOrCreate

Hi,

In "Exercise 5.5: Enabling API Server Auditing" I can see that it's suggested to mount the audit.log file as FileOrCreate.

    - --audit-log-maxbackup=2
    - --audit-log-maxsize=50
    - --audit-log-path=/var/log/audit.log
    ...
    - hostPath:
        path: /var/log/audit.log
        type: FileOrCreate
      name: audit-log

Does it make any sense? Once the log file reaches the size limit, it remains unchanged, and messages like this appear in the kube-apiserver log:

    E0120 09:05:09.242149 1 metrics.go:110] Error in audit plugin 'log' affecting 1 audit events: can't rename log file: rename /var/log/audit.log /var/log/audit-2025-01-20T09-05-09.242.log: device or resource busy

Perhaps it makes more sense to mount the host directory rather than the file, to let kube-apiserver roll the log:

    volumeMounts:
    - mountPath: /var/log
      name: audit-log
      readOnly: false
    ...
    volumes:
    - hostPath:
        path: /var/log
        type: Directory
      name: audit-log

Regards,
Dmytro
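
A check for the mount problem described in the post above, as an added example that is not part of the original thread or the course material. It assumes the kube-apiserver manifest has already been parsed into a dict; the function names and the sample pods are constructed for illustration.

```python
# Added example, not from the course material. Input is a pod manifest already
# parsed into a dict (e.g. by a YAML loader); the sample pods are constructed.

def audit_log_path(container):
    """Return the value of --audit-log-path, or None if unset or stdout ('-')."""
    for arg in container.get("command", []) + container.get("args", []):
        if arg.startswith("--audit-log-path="):
            path = arg.split("=", 1)[1]
            return None if path == "-" else path
    return None

def check_audit_mounts(pod):
    """Classify each container's audit log path against its volumeMounts."""
    volumes = {v["name"]: v for v in pod["spec"].get("volumes", [])}
    results = []
    for c in pod["spec"]["containers"]:
        path = audit_log_path(c)
        if path is None:
            continue
        verdict = "not-persisted"  # no mount covers the log: lost with the container
        for m in c.get("volumeMounts", []):
            mount = m["mountPath"].rstrip("/")
            hp_type = volumes.get(m["name"], {}).get("hostPath", {}).get("type", "")
            if mount == path:
                # The log file is itself a mount point, so renaming it fails (EBUSY).
                verdict = f"rotation-blocked (hostPath type={hp_type or 'unset'})"
                break
            if path.startswith(mount + "/"):
                verdict = "read-only" if m.get("readOnly") else "ok"
        results.append((c["name"], path, verdict))
    return results

def sample_pod(mount_path, host_type):
    """Constructed kube-apiserver pod using the flags quoted in the post."""
    return {"spec": {
        "containers": [{
            "name": "kube-apiserver",
            "command": ["kube-apiserver", "--audit-log-maxbackup=2",
                        "--audit-log-maxsize=50", "--audit-log-path=/var/log/audit.log"],
            "volumeMounts": [{"mountPath": mount_path, "name": "audit-log"}],
        }],
        "volumes": [{"name": "audit-log",
                     "hostPath": {"path": mount_path, "type": host_type}}],
    }}

if __name__ == "__main__":
    for args in (("/var/log/audit.log", "FileOrCreate"), ("/var/log", "Directory")):
        print(check_audit_mounts(sample_pod(*args)))
```

The first sample reproduces the file mount from the exercise and is reported as rotation-blocked; the second is the directory mount proposed in the post and is reported as ok.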

Best Answer

  • Posts: 2,434
    Answer ✓

    Hi @dmsheiko,

    Agreed that once a log limit is set, the logging mechanism stops recording new logs, so it does not make any sense.
    However, in the training guide there is a statement acting as a clear warning about the audit log size. In addition, on the same page you may find described the flags defining the audit file size, file count, and file age, which collectively define the log file rotation mechanism. Thus the integrated audit file rotation mechanism can be closely managed by declaring these specific options.

    Regards,
    -Chris
