Update cos-auditd-logging.yaml to replace fluent-bit image #53

Merged: 2 commits, Dec 16, 2024
5 changes: 2 additions & 3 deletions os-audit/cos-auditd-logging.yaml
Expand Up @@ -71,7 +71,8 @@ spec:
value: "$CLUSTER_NAME"
- name: CLUSTER_LOCATION
value: "$CLUSTER_LOCATION"
image: gke.gcr.io/fluent-bit@sha256:b148f7f960f101b6d52efd909fe43fef73cb40cee3571da61034974965605b66 # v1.8.12-gke.31
# This image is used for demo purposes. The best practice is to use the image from controlled registry and reference it by SHA.
image: fluent/fluent-bit:latest
Collaborator

Is it a good practice to use latest and suggest using one from Docker Hub?

Contributor Author

I discussed internally with my teammates and we believe there is no harm in the cx using the OSS version of the image in this particular case, since we only provide an example to set up audit logging in COS.

Regarding using latest, the purpose is to reduce potential cx tickets due to a mismatch between the version of libsystemd used to compile fluent-bit and the one used in COS. We agree that it will break at some point (e.g. fluent-bit changes its config format, etc.) but it is fine to update this file again later.

Copy link

We discussed internally and we support this solution in a "best effort" way and would like to highlight that this is a solution depending on an OSS tool, hence suggesting use of the latest Docker Hub image.

Collaborator

Please add a comment above this line suggesting to change it. Something like:

Suggested change
image: fluent/fluent-bit:latest
# this image is used for demo purposes. The best practice is to use the image from controlled registry and reference it by SHA.
image: fluent/fluent-bit:latest

Collaborator

Extra credit for mentioning this in the docs: https://cloud.google.com/kubernetes-engine/docs/how-to/linux-auditd-logging as well

Contributor Author

The notes have been added and we will update the public doc later.

imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
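Review bot: the new `image: fluent/fluent-bit:latest` line is a mutable tag paired with `imagePullPolicy: IfNotPresent` directly below it, so a node that already has a `latest` image cached keeps running it while a fresh node pulls whatever the tag points to that day. That leaves nodes on mixed fluent-bit builds, which works against the stated goal of matching the libsystemd in COS, and it replaces a digest-pinned reference with one whose content can change without any edit to this file. Suggest pinning a specific version tag or digest (`fluent/fluent-bit@sha256:<digest>`), or, if `latest` stays for the demo, setting the pull policy to `Always` and extending the added comment to say the tag is unpinned.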
Expand Down Expand Up @@ -155,8 +156,6 @@ data:
Systemd_Filter SYSLOG_IDENTIFIER=audit
Path /var/log/journal
DB /var/lib/cos-auditd-fluent-bit/pos-files/audit.db
Buffer_Max_Size 20MB
baizhenyu marked this conversation as resolved.
Mem_Buf_Limit 20MB

[FILTER]
# https://docs.fluentbit.io/manual/pipeline/filters/modify
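Review bot: the two lines removed from the systemd input section here (`-155,8 +156,6`) are not explained by the PR title, which covers only the image replacement, or by a comment in the file. The only buffer settings in this context are `Buffer_Max_Size 20MB` and `Mem_Buf_Limit 20MB`; if `Mem_Buf_Limit` is one of the removed lines, the input no longer has a memory cap of its own, so a burst of audit records in the journal is bounded only by whatever limit the container has. Suggest naming the removed settings and the reason in the commit message, and keeping `Mem_Buf_Limit` unless the new image rejects it.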