Auditing

This guide covers how to enable Kubernetes API auditing on a kind cluster.

Overview

Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster. Auditing requires a file to define the audit policy and a backend configuration to store the logged events. Auditing supports two types of backends: log (file) & webhook. The following exercise uses the log backend.

Steps:

  • Create the local audit-policy file
  • Mount the local audit-policy file into the kind control plane
  • Expose the control plane mounts to the API server
  • Enable the auditing API flags
  • Create a cluster

Setup

Create an audit-policy.yaml file

The audit policy defines how much detail the Kubernetes API server records for each request. The example below logs all requests at the “Metadata” level (request metadata such as user, verb, resource and timestamp, but no request or response bodies). See the audit policy docs for more examples.

  cat <<EOF > audit-policy.yaml
  apiVersion: audit.k8s.io/v1
  kind: Policy
  rules:
  - level: Metadata
  EOF

Create a kind-config.yaml file.

To enable audit logging, use kind’s configuration file to pass additional setup instructions. kind uses kubeadm to provision the cluster, and the configuration file can carry kubeadmConfigPatches for further customization of the kubeadm configuration.

  cat <<EOF > kind-config.yaml
  kind: Cluster
  apiVersion: kind.x-k8s.io/v1alpha4
  nodes:
  - role: control-plane
    kubeadmConfigPatches:
    - |
      kind: ClusterConfiguration
      apiServer:
          # enable auditing flags on the API server
          extraArgs:
            audit-log-path: /var/log/kubernetes/kube-apiserver-audit.log
            audit-policy-file: /etc/kubernetes/policies/audit-policy.yaml
          # mount new files / directories on the control plane
          extraVolumes:
            - name: audit-policies
              hostPath: /etc/kubernetes/policies
              mountPath: /etc/kubernetes/policies
              readOnly: true
              pathType: "DirectoryOrCreate"
            - name: "audit-logs"
              hostPath: "/var/log/kubernetes"
              mountPath: "/var/log/kubernetes"
              readOnly: false
              pathType: DirectoryOrCreate
    # mount the local file on the control plane
    extraMounts:
    - hostPath: ./audit-policy.yaml
      containerPath: /etc/kubernetes/policies/audit-policy.yaml
      readOnly: true
  EOF

Launch a new cluster

  kind create cluster --config kind-config.yaml

View audit logs

Once the cluster is running, view the audit log on the control plane at /var/log/kubernetes/kube-apiserver-audit.log.

  docker exec kind-control-plane cat /var/log/kubernetes/kube-apiserver-audit.log
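The log backend writes one JSON audit event per line. As an added example (not part of the kind documentation), the Python reader below shows what a defender can get out of a Metadata-level log: it tolerates a partially written final line, counts each request once by keeping only the ResponseComplete stage, summarizes completed requests per user, verb and resource, and flags secret access and 403 denials. The sample log lines are constructed to match the audit.k8s.io/v1 event shape; the usernames, namespaces and audit IDs are made up.

```python
import json
from collections import Counter

# Constructed sample of the JSON-lines format the API server writes to the
# audit-log-path above (Metadata level: who/what/when, no request bodies).
SAMPLE_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"RequestReceived","verb":"get","user":{"username":"system:serviceaccount:default:web"},"objectRef":{"resource":"secrets","namespace":"default","name":"db-creds"},"requestURI":"/api/v1/namespaces/default/secrets/db-creds"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:web"},"objectRef":{"resource":"secrets","namespace":"default","name":"db-creds"},"requestURI":"/api/v1/namespaces/default/secrets/db-creds","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","verb":"list","user":{"username":"kubernetes-admin"},"objectRef":{"resource":"pods","namespace":"default"},"requestURI":"/api/v1/namespaces/default/pods","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:web"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"requestURI":"/api/v1/namespaces/kube-system/secrets","responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","verb":"get","user":{"username":"kubernetes-ad
"""

def parse_events(text):
    """Parse one audit event per line. A truncated trailing line is normal
    while the API server is still writing, so it is skipped, not an error."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank line, or a partial line still being written
        if ev.get("kind") == "Event":
            events.append(ev)
    return events

def analyze(events):
    """Count completed requests per (user, verb, resource) and collect
    findings (auditID, reason, user) for secret access and 403 denials.
    Only ResponseComplete is used so RequestReceived does not double-count."""
    counts, findings = Counter(), []
    for ev in events:
        if ev.get("stage") != "ResponseComplete":
            continue
        user = ev["user"]["username"]
        ref = ev.get("objectRef", {})
        counts[(user, ev["verb"], ref.get("resource", ev.get("requestURI")))] += 1
        if ref.get("resource") == "secrets":
            findings.append((ev["auditID"], "secret-access", user))
        if ev.get("responseStatus", {}).get("code") == 403:
            findings.append((ev["auditID"], "forbidden", user))
    return counts, findings

if __name__ == "__main__":
    counts, findings = analyze(parse_events(SAMPLE_LOG))
    for key, n in counts.items():
        print(n, *key)
    for f in findings:
        print("ALERT", *f)
```

To run it against a real kind cluster, replace SAMPLE_LOG with the output of the docker exec command above.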

Troubleshooting

If logs are not present, let’s ensure a few things are in place.

Is the local audit-policy file mounted in the control-plane?

  docker exec kind-control-plane ls /etc/kubernetes/policies

Expected output:

  audit-policy.yaml

Does the API server contain the mounts and arguments?

  docker exec kind-control-plane cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep audit

Expected output:

      - --audit-log-path=/var/log/kubernetes/kube-apiserver-audit.log
      - --audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
        name: audit-logs
        name: audit-policies
      name: audit-logs
      name: audit-policies

If the control plane requires further debugging, use docker exec -it kind-control-plane bash to start an interactive terminal session inside the container.