The Kubernetes auditing feature allows you to track requests to the API server and analyze events occurring in the cluster. Auditing can be useful for troubleshooting unexpected behavior and for meeting security requirements.
Kubernetes supports audit configuration via the Audit policy mechanism,
which allows you to define logging rules for target operations.
By default, audit results are written to the /var/log/kube-audit/audit.log file.
Built-in audit policies
Deckhouse Virtualization Platform (DVP) configures a basic audit policy by default, which can be supplemented with custom rules.
This policy implements the following rules:
- Do not log frequent updates for
Endpoints,EndpointSlices, andEvents. - Do not log leader election operations on
Leaseresources. - Do not log cert-manager leader election ConfigMaps.
- Do not log VerticalPodAutoscalerCheckpoints resources.
- Do not log PATCH operations on
VerticalPodAutoscalerfrom recommender. - Do not log UpmeterHookProbes resources.
- Do not log any operations in
d8-upmeternamespace. - Do not log ingress-nginx leader election updates in ConfigMaps.
- Do not log dex health-check create/delete operations on
AuthRequestresources. - Log create and delete operations for Node resources with request/response payload.
- Log kubectl logs requests (pods/log) at Metadata level.
- Log create/update/patch/delete operations from system service accounts (
kube-system,d8-*). - Log create/update/patch/delete operations for Pod resources.
- Log create/update/patch/delete operations in system namespaces (
kube-system,d8-*). - Log all LIST operations in all namespaces.
- Log create and delete operations for ServiceAccount resources.
- Log create/update/delete/patch operations for Role and ClusterRole resources.
- Log create/update/delete operations for ClusterRoleBinding resources.
- Log attach and ephemeral container related pod subresource operations.
- Log creation of VirtualMachineOperation resources with request/response payload.
- Log create/update/patch/delete operations for virtualization.deckhouse.io resources.
- Log update/patch operations for internal virtualization subresources.
- Log GET operations for subresources.virtualization.deckhouse.io API group.
- Log create/update/patch/delete operations for
Podresources. - Log create/update/patch/delete operations in
d8-virtualizationnamespace. - Log create/update/patch/delete operations for ModuleConfig resources.
- Do not log requests from authenticated users.
- Log all remaining (unauthenticated) requests at Metadata level.
Detailed information about the rules and an example of the final policy are available in the control-plane-manager module documentation
These rules from the basic policy are enabled by default.
To disable them, set the basicAuditPolicyEnabled parameter to false.
Example:
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
name: control-plane-manager
spec:
version: 1
settings:
apiserver:
auditPolicyEnabled: true
basicAuditPolicyEnabled: false
Configuring a custom audit policy
To create an advanced Kubernetes API audit policy, follow these steps:
-
Enable the
auditPolicyEnabledparameter in thecontrol-plane-managermodule configuration:apiVersion: deckhouse.io/v1alpha1 kind: ModuleConfig metadata: name: control-plane-manager spec: version: 1 settings: apiserver: auditPolicyEnabled: true -
Create the
kube-system/audit-policySecret containing the policy YAML file encoded in Base64:apiVersion: v1 kind: Secret metadata: name: audit-policy namespace: kube-system data: audit-policy.yaml: <Base64>Example
audit-policy.yamlcontent with a minimal working configuration:apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: Metadata omitStages: - RequestReceivedFor more information on possible contents of
audit-policy.yaml, refer to the following sources:
Working with the audit log file
On DVP master nodes, it is assumed that a log collection tool (log-shipper, promtail, or filebeat) is installed
to monitor the /var/log/kube-audit/audit.log file.
The log rotation settings for this file are predefined and cannot be changed:
- Maximum file size: 1000 MB.
- Maximum retention period: 30 days.
Depending on the policy configuration and the volume of requests to the API server, the number of log entries can be very large. In such cases, the retention period may be reduced to less than 30 minutes.
Unsupported options or typos in the configuration file may cause the API server to fail to start.
If the API server fails to start, take the following steps:
- Manually remove the
--audit-log-*parameters from the/etc/kubernetes/manifests/kube-apiserver.yamlmanifest. -
Restart the API server with the following command:
docker stop $(docker ps | grep kube-apiserver- | awk '{print $1}') # Alternative option (depending on the CRI in use). crictl stopp $(crictl pods --name=kube-apiserver -q) -
After restarting, fix the Secret or delete it with the following command:
d8 k -n kube-system delete secret audit-policy
Redirecting the audit log file to stdout
By default, the audit log is saved to the /var/log/kube-audit/audit.log file on master nodes.
If necessary, you can redirect its output to the kube-apiserver process stdout instead of a file
by setting the apiserver.auditLog.output parameter in the control-plane-manager module to Stdout:
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
name: control-plane-manager
spec:
version: 1
settings:
apiserver:
auditPolicyEnabled: true
auditLog:
output: Stdout
In this case, the log will be available in the kube-apiserver container stdout.
Then, using the built-in DVP logging mechanism, you can configure log collection and forwarding to your own security system.