How to enable Kubernetes audit logs?

To enable Kubernetes audit logs, you need to configure the Kubernetes API server with the appropriate audit policy and log file settings. Here are the steps to enable audit logging:

  1. Create an Audit Policy File: Define an audit policy that specifies what events to log. Create a file named audit-policy.yaml with the desired configuration. Here’s an example policy that logs all requests:

    apiVersion: audit.k8s.io/v1
    kind: Policy
    rules:
      - level: RequestResponse
        resources:
          - group: "*"
            resources: ["*"]
    

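    This policy logs every request at the RequestResponse level, which records the event metadata together with the request and response bodies. That includes the contents of Secrets and ConfigMaps, so the audit log needs the same access protection as the data it captures.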

  2. Configure the API Server: Modify the API server configuration to use the audit policy file and specify the log output. You can do this by adding the following flags to the API server startup command (usually found in the kube-apiserver manifest file):

    --audit-policy-file=/path/to/audit-policy.yaml
    --audit-log-path=/var/log/kubernetes/audit.log
    --audit-log-maxage=30
    --audit-log-maxbackup=10
    --audit-log-maxsize=100
    
    • --audit-policy-file: Path to the audit policy file you created.
    • --audit-log-path: Path where the audit logs will be stored.
    • --audit-log-maxage: Maximum number of days to retain old audit logs.
    • --audit-log-maxbackup: Maximum number of old audit logs to retain.
    • --audit-log-maxsize: Maximum size in megabytes of the audit log file before it is rotated.
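
  3. Restart the API Server: After making these changes, restart the Kubernetes API server to apply the new configuration. The method for restarting the API server will depend on how your Kubernetes cluster is set up (e.g., using systemd, static pods, etc.). When the API server runs as a static pod, the kubelet recreates it after the manifest file changes, and the policy file and log directory must be mounted into the pod so the API server can read the policy and write the log.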

  4. Verify Audit Logging: Once the API server is running with the new configuration, you can check the specified log file (e.g., /var/log/kubernetes/audit.log) to see the audit logs being generated.
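
To go with step 4, this added example (not part of the original page) parses audit log lines and lists events whose request or response bodies were recorded for sensitive resources, which is what the catch-all RequestResponse policy above produces. The sample lines are constructed, and the `SENSITIVE` set and the function name are assumptions to adjust for your cluster.

```python
import json
from collections import Counter

# Constructed sample in the audit.k8s.io/v1 Event format, one JSON object per line.
# The last line is deliberately truncated to exercise the error path.
SAMPLE_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a1","stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200},"responseObject":{"kind":"Secret","data":{"password":"cGxhY2Vob2xkZXI="}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a2","stage":"ResponseComplete","verb":"list","user":{"username":"system:kube-scheduler"},"objectRef":{"resource":"pods"},"responseStatus":{"code":200},"responseObject":{"kind":"PodList"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","verb":"get","user":{"username":"bob"},"objectRef":{"resource":"secrets","namespace":"dev","name":"api-key"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Requ
"""

# Assumption: resource types whose bodies should not appear in the log.
SENSITIVE = {"secrets", "configmaps", "tokenreviews"}


def review_audit_log(text):
    """Return (event count per level, sensitive events logged with bodies, bad line count)."""
    levels, exposed, bad = Counter(), [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            bad += 1  # partial write or damaged line
            continue
        if not isinstance(ev, dict) or ev.get("kind") != "Event":
            bad += 1
            continue
        levels[ev.get("level")] += 1
        ref = ev.get("objectRef") or {}
        has_body = "requestObject" in ev or "responseObject" in ev
        if ref.get("resource") in SENSITIVE and has_body:
            user = (ev.get("user") or {}).get("username")
            exposed.append((ev.get("auditID"), user, ev.get("verb"),
                            ref.get("resource"), ref.get("namespace"), ref.get("name")))
    return levels, exposed, bad


if __name__ == "__main__":
    levels, exposed, bad = review_audit_log(SAMPLE_LOG)
    print("events per level:", dict(levels))
    print("unparseable lines:", bad)
    for item in exposed:
        print("body recorded for sensitive resource:", item)
```

On a control-plane node, pass the contents of the file set with --audit-log-path to `review_audit_log`; an empty per-level count means the API server is not writing events.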

By following these steps, you will have enabled audit logging in your Kubernetes cluster, allowing you to track user actions and API requests for security and compliance purposes.
