Enabling Kubernetes API Server audit logs for CIS hardening

[mysticaltech]

Discussed in #1610

^{Originally posted by janosmiko January 9, 2025}
To enable Kubernetes API server audit logs (or Pod Security Admission configuration), you'll need to add a policy file to the servers. Source

/var/lib/rancher/k3s/server/audit.yaml

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

And pass some args to the kube-api-server:

kube-apiserver-arg:
  - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'
  - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'
  - 'audit-log-maxage=30'
  - 'audit-log-maxbackup=10'
  - 'audit-log-maxsize=100'

I know it's possible to add files to the servers using cloud init (cloudinit_write_files_common), but I assume this would only work for new servers and not already existing ones.

What would be the best practice to copy various files to all nodes (even existing ones)?

Also, did I understand correctly, currently it's not possible to override the kube_apiserver_args because of this line?

terraform-hcloud-kube-hetzner/locals.tf

Line 437 in 163d50c

kube_apiserver_arg = var.authentication_config != "" ? ["authentication-config=/etc/rancher/k3s/authentication_config.yaml"] : []

I'm open to prepare a PR to solve this, just wanted to do some in-advance discovery on how it should be implemented.