Deckhouse Kubernetes Platform (DKP) supports integration with Kaspersky Unified Monitoring and Analysis Platform (KUMA), a unified monitoring and analysis system by Kaspersky Lab. As part of the integration, security events and audit logs from the cluster are sent to KUMA for further analysis.

Sending logs to KUMA

To send logs to KUMA, configure log collection and delivery in DKP using the following resources:

On the KUMA side, configure the appropriate resources for receiving events.

Example ClusterLogDestination and ClusterLoggingConfig configurations

  • Sending logs in JSON format over UDP:

    apiVersion: deckhouse.io/v1alpha1
    kind: ClusterLogDestination
    metadata:
      name: kuma-udp-json
    spec:
      type: Socket
      socket:
        address: IP_ADDRESS:PORT # Replace as needed.
        mode: UDP
        encoding:
          codec: "JSON"
    ---
    apiVersion: deckhouse.io/v1alpha2
    kind: ClusterLoggingConfig
    metadata:
      name: kubelet-audit-logs
    spec:
      type: File
      file:
        include:
        - /var/log/kube-audit/audit.log
      destinationRefs:
        - kuma-udp-json
    
  • Sending logs in JSON format over TCP:

    apiVersion: deckhouse.io/v1alpha1
    kind: ClusterLogDestination
    metadata:
      name: kuma-tcp-json
    spec:
      type: Socket
      socket:
        address: IP_ADDRESS:PORT # Replace as needed.
        mode: TCP
        tcp:
          verifyCertificate: false
          verifyHostname: false
        encoding:
          codec: "JSON"
    ---
    apiVersion: deckhouse.io/v1alpha2
    kind: ClusterLoggingConfig
    metadata:
      name: kubelet-audit-logs
    spec:
      type: File
      file:
        include:
        - /var/log/kube-audit/audit.log
      destinationRefs:
        - kuma-tcp-json
    
  • Sending logs in CEF format over TCP:

    apiVersion: deckhouse.io/v1alpha1
    kind: ClusterLogDestination
    metadata:
      name: kuma-tcp-cef
    spec:
      type: Socket
      socket:
        extraLabels:
          cef.name: d8
          cef.severity: "1"
        address: IP_ADDRESS:PORT # Replace as needed.
        mode: TCP
        tcp:
          verifyCertificate: false
          verifyHostname: false
        encoding:
          codec: "CEF"
    ---
    apiVersion: deckhouse.io/v1alpha2
    kind: ClusterLoggingConfig
    metadata:
      name: kubelet-audit-logs
    spec:
      type: File
      file:
        include:
        - /var/log/kube-audit/audit.log
      logFilter:
        - field: userAgent
          operator: Regex
          values: [ "kubelet.*" ]
      destinationRefs:
        - kuma-tcp-cef
    
  • Sending logs in Syslog format over TCP:

    apiVersion: deckhouse.io/v1alpha1
    kind: ClusterLogDestination
    metadata:
      name: kuma-tcp-syslog
    spec:
      type: Socket
      socket:
        address: IP_ADDRESS:PORT # Replace as needed.
        mode: TCP
        tcp:
          verifyCertificate: false
          verifyHostname: false
        encoding:
          codec: "Syslog"
    ---
    apiVersion: deckhouse.io/v1alpha2
    kind: ClusterLoggingConfig
    metadata:
      name: kubelet-audit-logs
    spec:
      type: File
      file:
        include:
        - /var/log/kube-audit/audit.log
      logFilter:
        - field: userAgent
          operator: Regex
          values: [ "kubelet.*" ]
      destinationRefs:
        - kuma-tcp-syslog
    
  • Sending logs to Apache Kafka:

    apiVersion: deckhouse.io/v1alpha1
    kind: ClusterLogDestination
    metadata:
      name: kuma-kafka
    spec:
      type: Kafka
      kafka:
        bootstrapServers:
          - kafka-address:9092 # Replace as needed.
        topic: k8s-logs
    ---
    apiVersion: deckhouse.io/v1alpha2
    kind: ClusterLoggingConfig
    metadata:
      name: kubelet-audit-logs
    spec:
      destinationRefs:
        - kuma-kafka
      file:
        include:
          - /var/log/kube-audit/audit.log
      logFilter:
        - field: userAgent
          operator: Regex
          values:
            - kubelet.*
      type: File
    

Antivirus scanning exclusions for nodes

If antivirus software is installed on DKP cluster nodes (for example, Kaspersky Endpoint Security for Linux, KESL), you may need to exclude Deckhouse service directories from scanning to avoid false positives.

List of Deckhouse service directories (also available CSV format):

Directory Purpose
/etc/cni/ (any node) CNI module configuration files
/etc/kubernetes (any node) Static pod manifests, PKI certificate files
/mnt/kubernetes-data (master node) Only present in clusters deployed in the cloud when a separate disk is used for the etcd database
/mnt/vector-data (any node, log-shipper module) Service data for log delivery status
/opt/cni/bin/ (any node) CNI module executables
/opt/deckhouse/bin/ (any node) Executables required for Deckhouse operation
/var/lib/bashible (any node) Node configuration files
/var/lib/containerd (any node) Stores CRI-related data (for example, containerd). Contains container image layers, filesystem snapshots, metadata, logs, and other container information
/var/lib/deckhouse/ (master node) Deckhouse module files dynamically loaded from the image registry
/var/lib/etcd (master node) etcd database
/var/lib/kubelet/ (any node) kubelet configuration files
/var/lib/upmeter (master node, upmeter module) upmeter module database
/var/log/containers (any node) Container logs (when using containerd)
/var/log/pods/ (any node) Logs of all pod containers running on the node

KESL configuration recommendations

To ensure DKP functions correctly with KESL installed, follow these steps:

  1. Disable the following KESL tasks:

    • Firewall Management (ID: 12)
    • Web Threat Protection (ID: 14)
    • Network Threat Protection (ID: 17)
    • Web Control (ID: 26)

    The list of tasks may differ in future KESL versions.

  2. Make sure node resources meet the requirements of:

  3. For performance optimization, follow the official Kaspersky recommendations.