Deckhouse Kubernetes Platform (DKP) supports integration with Kaspersky Unified Monitoring and Analysis Platform (KUMA), a unified monitoring and analysis system by Kaspersky Lab. As part of the integration, security events and audit logs from the cluster are sent to KUMA for further analysis.
Sending logs to KUMA
To send logs to KUMA, configure log collection and delivery in DKP using the following resources:
- ClusterLogDestination: Defines log storage parameters.
- ClusterLoggingConfig: Defines cluster log collection parameters.
On the KUMA side, configure the appropriate resources for receiving events.
Example ClusterLogDestination and ClusterLoggingConfig configurations
-
Sending logs in JSON format over UDP:
apiVersion: deckhouse.io/v1alpha1 kind: ClusterLogDestination metadata: name: kuma-udp-json spec: type: Socket socket: address: IP_ADDRESS:PORT # Replace as needed. mode: UDP encoding: codec: "JSON" --- apiVersion: deckhouse.io/v1alpha2 kind: ClusterLoggingConfig metadata: name: kubelet-audit-logs spec: type: File file: include: - /var/log/kube-audit/audit.log destinationRefs: - kuma-udp-json
-
Sending logs in JSON format over TCP:
apiVersion: deckhouse.io/v1alpha1 kind: ClusterLogDestination metadata: name: kuma-tcp-json spec: type: Socket socket: address: IP_ADDRESS:PORT # Replace as needed. mode: TCP tcp: verifyCertificate: false verifyHostname: false encoding: codec: "JSON" --- apiVersion: deckhouse.io/v1alpha2 kind: ClusterLoggingConfig metadata: name: kubelet-audit-logs spec: type: File file: include: - /var/log/kube-audit/audit.log destinationRefs: - kuma-tcp-json
-
Sending logs in CEF format over TCP:
apiVersion: deckhouse.io/v1alpha1 kind: ClusterLogDestination metadata: name: kuma-tcp-cef spec: type: Socket socket: extraLabels: cef.name: d8 cef.severity: "1" address: IP_ADDRESS:PORT # Replace as needed. mode: TCP tcp: verifyCertificate: false verifyHostname: false encoding: codec: "CEF" --- apiVersion: deckhouse.io/v1alpha2 kind: ClusterLoggingConfig metadata: name: kubelet-audit-logs spec: type: File file: include: - /var/log/kube-audit/audit.log logFilter: - field: userAgent operator: Regex values: [ "kubelet.*" ] destinationRefs: - kuma-tcp-cef
-
Sending logs in Syslog format over TCP:
apiVersion: deckhouse.io/v1alpha1 kind: ClusterLogDestination metadata: name: kuma-tcp-syslog spec: type: Socket socket: address: IP_ADDRESS:PORT # Replace as needed. mode: TCP tcp: verifyCertificate: false verifyHostname: false encoding: codec: "Syslog" --- apiVersion: deckhouse.io/v1alpha2 kind: ClusterLoggingConfig metadata: name: kubelet-audit-logs spec: type: File file: include: - /var/log/kube-audit/audit.log logFilter: - field: userAgent operator: Regex values: [ "kubelet.*" ] destinationRefs: - kuma-tcp-syslog
-
Sending logs to Apache Kafka:
apiVersion: deckhouse.io/v1alpha1 kind: ClusterLogDestination metadata: name: kuma-kafka spec: type: Kafka kafka: bootstrapServers: - kafka-address:9092 # Replace as needed. topic: k8s-logs --- apiVersion: deckhouse.io/v1alpha2 kind: ClusterLoggingConfig metadata: name: kubelet-audit-logs spec: destinationRefs: - kuma-kafka file: include: - /var/log/kube-audit/audit.log logFilter: - field: userAgent operator: Regex values: - kubelet.* type: File
Antivirus scanning exclusions for nodes
If antivirus software is installed on DKP cluster nodes (for example, Kaspersky Endpoint Security for Linux, KESL), you may need to exclude Deckhouse service directories from scanning to avoid false positives.
List of Deckhouse service directories (also available CSV format):
Directory | Purpose |
---|---|
/etc/cni/ (any node) |
CNI module configuration files |
/etc/kubernetes (any node) |
Static pod manifests, PKI certificate files |
/mnt/kubernetes-data (master node) |
Only present in clusters deployed in the cloud when a separate disk is used for the etcd database |
/mnt/vector-data (any node, log-shipper module) |
Service data for log delivery status |
/opt/cni/bin/ (any node) |
CNI module executables |
/opt/deckhouse/bin/ (any node) |
Executables required for Deckhouse operation |
/var/lib/bashible (any node) |
Node configuration files |
/var/lib/containerd (any node) |
Stores CRI-related data (for example, containerd). Contains container image layers, filesystem snapshots, metadata, logs, and other container information |
/var/lib/deckhouse/ (master node) |
Deckhouse module files dynamically loaded from the image registry |
/var/lib/etcd (master node) |
etcd database |
/var/lib/kubelet/ (any node) |
kubelet configuration files |
/var/lib/upmeter (master node, upmeter module) |
upmeter module database |
/var/log/containers (any node) |
Container logs (when using containerd) |
/var/log/pods/ (any node) |
Logs of all pod containers running on the node |
KESL configuration recommendations
To ensure DKP functions correctly with KESL installed, follow these steps:
-
Disable the following KESL tasks:
Firewall Management (ID: 12)
Web Threat Protection (ID: 14)
Network Threat Protection (ID: 17)
Web Control (ID: 26)
The list of tasks may differ in future KESL versions.
-
Make sure node resources meet the requirements of:
-
For performance optimization, follow the official Kaspersky recommendations.