Audit logging
Kubernetes auditing provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators or other components of the system. This documentation covers the configuration and usage of these audit logs in Charmed Kubernetes. For a more detailed description of the motives and methodology behind audit logging in Kubernetes, see the Kubernetes Auditing documentation.
Viewing the log
By default, Charmed Kubernetes enables audit logging to files on the
kubernetes-master
units. The log file is located at
/root/cdk/audit/audit.log
and is owned by the nominal root
user. You can
view the log directly by using Juju’s credentials to make an SSH connection:
juju ssh kubernetes-master/0 sudo cat /root/cdk/audit/audit.log
Note that this log is replicated on all kubernetes-master units.
Audit policy configuration
Audit policy defines rules about what events should be recorded and what data
they should include. For Charmed Kubernetes this is configurable on the kubernetes-master charm
using the audit-policy
setting.
To view the current policy:
juju config kubernetes-master audit-policy
To set a new audit policy, it is easiest to write the policy to a file. Assuming you have a file
named audit-policy.yaml
with the following contents:
# Log all requests at the Metadata level.
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
- level: Metadata
You can set the new audit policy like so:
juju config kubernetes-master audit-policy="$(cat audit-policy.yaml)"
For more information about audit policy definitions, please refer to the upstream Kubernetes Audit Policy documentation.
Audit log backend configuration
The audit log backend writes audit events to a file in JSON format. It is
configurable in Charmed Kubernetes through the use of the api-extra-args
config on kubernetes-master.
By default, the log backend is enabled in Charmed Kubernetes with the following configuration:
kube-apiserver config | value |
---|---|
audit-log-path | /root/cdk/audit/audit.log |
audit-log-maxsize | 100 |
audit-log-maxbackup | 9 |
You can override the defaults by using api-extra-args
. For example:
juju config kubernetes-master api-extra-args="audit-log-path=/root/cdk/my-audit-location audit-log-maxage=30 audit-log-maxsize=200 audit-log-maxbackup=5"
Note:
The audit-log-path
must be a directory that is writeable by the
kube-apiserver snap.
Any non-hidden folders in /root
, /var/snap/kube-apiserver/current
, or
/var/snap/kube-apiserver/common
should work.
Please refer to the upstream Kubernetes Audit Log Backend documentation for more information about the available options.
Audit webhook backend configuration
The audit webhook backend sends audit events to a remote API, which is assumed
to be the same API that the kube-apiserver exposes. This backend is disabled by
default in Charmed Kubernetes, and is configurable on the kubernetes-master
charm via the audit-webhook-config
option.
To view the current audit webhook configuration:
juju config kubernetes-master audit-webhook-config
To set a new audit webhook config, it is easiest to write the config to a file.
Assuming you have a file named audit-webhook-config.yaml
with the following
contents:
apiVersion: v1
kind: Config
preferences: {}
clusters:
- name: example-cluster
cluster:
server: http://10.1.35.4
users:
- name: example-user
user:
username: some-user
password: some-password
contexts:
- name: example-context
context:
cluster: example-cluster
user: example-user
current-context: example-context
You can set the new audit webhook config with:
juju config kubernetes-master audit-webhook-config="$(cat audit-webhook-config.yaml)"
Additional options for the webhook backend can be set by using api-extra-args
.
For example:
juju config kubernetes-master api-extra-args="audit-webhook-initial-backoff=20s"
Please refer to the upstream Kubernetes Audit Webhook Backend documentation for more information about the audit webhook config format and related options.
We appreciate your feedback on the documentation. You can edit this page or file a bug here.