auditing.md
  • Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster.
  • The cluster audits the activities generated by users, by applications that use the Kubernetes API, and by the control plane itself.

Enable auditing on the Kubernetes cluster

Task requirements:

  • Capture all events for pods at RequestResponse level
  • Capture delete events for secrets in the prod namespace at Metadata level
  • Define the policy at /etc/kubernetes/audit-policy.yaml
  • Write the log to /var/log/kubernetes/audit/audit.log
  • Keep log files for at most 30 days


Create the audit policy file. Rules are evaluated in order and the first matching rule decides the level; a request that matches no rule is not logged at all, because this policy has no catch-all rule.

```yaml
cat << EOF > /etc/kubernetes/audit-policy.yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
rules:
  # Log all requests touching pods (every verb, every namespace) at
  # RequestResponse level: metadata, request body and response body.
  - level: RequestResponse
    resources:
    - group: ""   # core API group
      resources: ["pods"]

  # Log secret delete events in the prod namespace at Metadata level only,
  # so the secret payload never ends up in the audit log.
  - level: Metadata
    verbs: ["delete"]
    resources:
    - group: ""   # core API group
      resources: ["secrets"]
    namespaces: ["prod"]
EOF
```

Back up the original manifest first, and keep the copy outside /etc/kubernetes/manifests/: the kubelet treats every non-hidden file in that directory as a static Pod manifest, so a backup left there is loaded as a second kube-apiserver Pod definition.

```bash
cp /etc/kubernetes/manifests/kube-apiserver.yaml /root/kube-apiserver.yaml_org
```

Update /etc/kubernetes/manifests/kube-apiserver.yaml to add the audit flags and the volume mounts. The flags go into the command list of the kube-apiserver container, volumeMounts under that same container, and volumes at the Pod spec level. Without the hostPath mounts the apiserver container cannot read the policy file or write the log on the node.

```yaml
# containers[0].command (kube-apiserver)
- --audit-policy-file=/etc/kubernetes/audit-policy.yaml
- --audit-log-path=/var/log/kubernetes/audit/audit.log
- --audit-log-maxage=30          # days to retain old log files

# containers[0].volumeMounts
volumeMounts:
  - mountPath: /etc/kubernetes/audit-policy.yaml
    name: audit
    readOnly: true
  - mountPath: /var/log/kubernetes/audit/
    name: audit-log
    readOnly: false              # the apiserver must write here

# spec.volumes
volumes:
- name: audit
  hostPath:
    path: /etc/kubernetes/audit-policy.yaml
    type: File                   # fails fast if the policy file is missing
- name: audit-log
  hostPath:
    path: /var/log/kubernetes/audit/
    type: DirectoryOrCreate      # creates the log directory on the node if absent
```

Saving the manifest makes the kubelet restart kube-apiserver; the API is unavailable for a short while. Once it is back, check /var/log/kubernetes/audit/audit.log for audit log entries (one JSON event per line).
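The following is an added example, not code from the original page, showing how to check offline that the entries in audit.log actually match the policy above. POLICY_RULES mirrors the two rules from the policy file; SAMPLE_AUDIT_LOG is constructed to look like the audit.k8s.io/v1 Events kube-apiserver writes (one JSON object per line) and is not captured from a real cluster. The evaluator models only the rule fields the page uses (verbs, resources, namespaces); users, userGroups, nonResourceURLs and omitStages are not modeled.

```python
"""Offline consistency check of audit.log lines against the audit policy above."""
import json

# The two rules from /etc/kubernetes/audit-policy.yaml, in file order.
POLICY_RULES = [
    {"level": "RequestResponse",
     "resources": [{"group": "", "resources": ["pods"]}]},
    {"level": "Metadata", "verbs": ["delete"],
     "resources": [{"group": "", "resources": ["secrets"]}],
     "namespaces": ["prod"]},
]


def expected_level(rules, request):
    """Audit level the policy assigns to a request, or None if it is not audited.

    First matching rule wins; a field absent from a rule matches everything;
    a request matching no rule is dropped entirely (no line of any level).
    """
    for rule in rules:
        if "verbs" in rule and request["verb"] not in rule["verbs"]:
            continue
        # Cluster-scoped requests carry namespace ""; a rule listing "" matches them.
        if "namespaces" in rule and request.get("namespace", "") not in rule["namespaces"]:
            continue
        if "resources" in rule and not any(
            r.get("group", "") == request.get("group", "")
            and ("resources" not in r or request["resource"] in r["resources"])
            for r in rule["resources"]
        ):
            continue
        return rule["level"]
    return None


def request_from_event(event):
    """Reduce an audit Event to the fields the policy rules look at."""
    ref = event.get("objectRef", {})
    return {"verb": event["verb"],
            "group": ref.get("apiGroup", ""),   # omitted in JSON for the core group
            "resource": ref.get("resource", ""),
            "namespace": ref.get("namespace", "")}


def check_log(rules, log_text):
    """Compare each logged event's recorded level with what the policy prescribes.

    Returns (verb, resource, namespace, recorded, expected) tuples; an empty list
    means the log is consistent with the policy. Anything else indicates the
    apiserver is not running this policy file (wrong --audit-policy-file path,
    a stale manifest, or rules in the wrong order). Only ResponseComplete events
    are compared: the apiserver also emits a RequestReceived line for every
    audited request unless omitStages suppresses it.
    """
    mismatches = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("stage") != "ResponseComplete":
            continue
        expected = expected_level(rules, request_from_event(event))
        if event.get("level") != expected:
            ref = event.get("objectRef", {})
            mismatches.append((event["verb"], ref.get("resource", ""),
                               ref.get("namespace", ""), event.get("level"), expected))
    return mismatches


def _event(level, stage, verb, resource, namespace, code=200):
    """Build one constructed audit Event in the apiserver's JSON shape."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": level,
          "stage": stage, "verb": verb, "user": {"username": "kubernetes-admin"},
          "objectRef": {"resource": resource, "namespace": namespace}}
    if stage == "ResponseComplete":
        ev["responseStatus"] = {"code": code}
    return json.dumps(ev)


# Constructed sample log (hypothetical values): the first three lines are what
# the policy above produces; the last two betray a different policy being loaded.
SAMPLE_AUDIT_LOG = "\n".join([
    _event("RequestResponse", "RequestReceived", "create", "pods", "default"),
    _event("RequestResponse", "ResponseComplete", "create", "pods", "default", 201),
    _event("Metadata", "ResponseComplete", "delete", "secrets", "prod"),
    # a secret delete outside prod must not be logged at all by this policy
    _event("Metadata", "ResponseComplete", "delete", "secrets", "dev"),
    # a pod delete logged at Metadata: the first rule demands RequestResponse
    _event("Metadata", "ResponseComplete", "delete", "pods", "prod"),
])

if __name__ == "__main__":
    for m in check_log(POLICY_RULES, SAMPLE_AUDIT_LOG):
        print("mismatch: verb=%s resource=%s ns=%s recorded=%s expected=%s" % m)
```

On the control-plane node, replace SAMPLE_AUDIT_LOG with the contents of /var/log/kubernetes/audit/audit.log (`check_log(POLICY_RULES, open("/var/log/kubernetes/audit/audit.log").read())`); an empty result confirms the running apiserver picked up the policy file from the manifest.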