Audit logging records the requests made to the Kubernetes API server, at whatever level of detail a policy selects for each kind of request. It is the authoritative record of who did what in the cluster, which makes it essential for security monitoring, compliance, and incident investigation.
Configuring Audit Logging
Create an audit policy. Rules are evaluated in order and the first match decides the level; a request that matches no rule is not logged at all, so end the list with a catch-all:
YAML
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage: it fires before authorization and carries no
# response status, so with it every request produces two events.
omitStages:
  - RequestReceived
rules:
  # Secrets at Metadata only: Request/RequestResponse would copy secret values into the log
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  # Pod exec/attach at Request level (the command is in the requestURI; the session stream is never logged)
  - level: Request
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach"]
  # ConfigMap changes with full request and response bodies
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["configmaps"]
    verbs: ["create", "update", "patch", "delete"]
  # Drop kube-proxy's high-volume, read-only endpoint/service watches
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  # Catch-all: without this, everything not matched above is silently dropped
  - level: Metadata
Audit Levels
- None: don't log requests matching the rule
- Metadata: log request metadata only (user, timestamp, verb, resource, requestURI, response code), no request or response body
- Request: metadata plus the request body; no response body
- RequestResponse: metadata, request body and response body
Request and RequestResponse copy object bodies into the log, so never use them for secrets, service account tokens or other credential-bearing resources; the policy above keeps secrets at Metadata for that reason. The catch-all at Metadata is cheap and still answers "who touched what, and was it allowed".
API Server Configuration
These are kube-apiserver command-line flags, not YAML. In a kubeadm cluster they go into the static pod manifest at /etc/kubernetes/manifests/kube-apiserver.yaml, and because the API server runs as a pod you must also mount the policy file and the log directory into it with hostPath volumes, or the API server will fail to start. The log is written as JSON lines (the default --audit-log-format=json), one event per line, and the last three flags control rotation:
--audit-policy-file=/etc/kubernetes/audit-policy.yaml
--audit-log-path=/var/log/kubernetes/audit.log
--audit-log-maxage=30      # days to keep rotated files
--audit-log-maxbackup=10   # number of rotated files to keep
--audit-log-maxsize=100    # megabytes per file before rotation
Keep the log file readable by root only; it contains usernames, source IPs and request URIs for every call.
What to Monitor
High-Priority Events
- Secret access and modifications
- RBAC changes
- Pod exec/attach commands
- Service account token requests
- Namespace creation/deletion
Example Alert Rules
YAML
# Prometheus alerting rule (evaluated by Prometheus, routed by Alertmanager).
# Kubernetes does not expose audit events as metrics; kube_audit_event is assumed
# to be a counter your audit pipeline exports, labelled with resource, verb and user.
groups:
  - name: kubernetes-audit
    rules:
      - alert: SuspiciousSecretAccess
        expr: |
          sum by (user) (increase(kube_audit_event{resource="secrets", verb=~"get|list|watch"}[5m])) > 100
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "{{ $labels.user }} read more than 100 secrets in 5 minutes"
Sending Logs to SIEM
Configure the webhook backend for real-time streaming. The file passed to the flag is in kubeconfig format: a cluster entry whose server is the collector's HTTPS URL (with the CA that signed its certificate), and a user entry with the credentials the API server presents, typically a client certificate. The API server then POSTs batches of events as an audit.k8s.io/v1 EventList in JSON; batching is the default (--audit-webhook-mode=batch). The log and webhook backends can run side by side, so the local file survives a collector outage.
--audit-webhook-config-file=/etc/kubernetes/audit-webhook.yaml
Integration options:
- Elasticsearch/Kibana
- Splunk
- Datadog
- AWS CloudWatch
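The webhook backend POSTs each batch as an audit.k8s.io/v1 EventList to whatever endpoint the kubeconfig names, so the receiver is a natural place to run the "What to Monitor" detections before anything reaches the SIEM. The following is an added example, not code from this page or from Kubernetes: a minimal Python receiver that applies those rules (secret modification, bulk secret reads, RBAC changes, pod exec/attach, service account token requests, namespace create/delete) and exercises them against a constructed batch. The listen address, the finding names, SECRET_READ_THRESHOLD and the sample events are assumptions for the demo.

```python
"""Audit webhook receiver that applies the high-priority detections above.
Added example, not from the original page: it assumes kube-apiserver POSTs
audit.k8s.io/v1 EventList JSON to it (--audit-webhook-config-file); the listen
address, finding names and SECRET_READ_THRESHOLD are demo assumptions."""
import json
import sys
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

MUTATING = {"create", "update", "patch", "delete", "deletecollection"}
READ = {"get", "list", "watch"}
SECRET_READ_THRESHOLD = 3  # hypothetical: more secret reads than this per user per batch is "bulk"


def classify(event):
    """Map one audit Event to a finding kind, or None for routine traffic."""
    ref = event.get("objectRef") or {}
    verb, res, sub = event.get("verb", ""), ref.get("resource", ""), ref.get("subresource", "")
    if res == "secrets" and verb in MUTATING:
        return "secret_modified"
    if ref.get("apiGroup") == "rbac.authorization.k8s.io" and verb in MUTATING:
        return "rbac_change"
    if res == "pods" and sub in ("exec", "attach"):
        return "pod_exec_attach"  # the verb is "create" for exec/attach POSTs
    if res == "serviceaccounts" and sub == "token" and verb == "create":
        return "sa_token_request"  # TokenRequest API
    if res == "namespaces" and verb in ("create", "delete"):
        return "namespace_" + verb
    return None


def finding(kind, event):
    ref = event.get("objectRef") or {}
    return {"kind": kind, "user": (event.get("user") or {}).get("username"), "verb": event.get("verb"),
            "namespace": ref.get("namespace"), "auditID": event.get("auditID"),
            "object": "/".join(p for p in (ref.get("resource"), ref.get("subresource"), ref.get("name")) if p),
            "code": (event.get("responseStatus") or {}).get("code")}  # denied (403) attempts matter too


def analyze_event_list(doc):
    """Run the rules over one EventList batch. RequestReceived events are skipped
    (not yet authorized, no response status). Long-running requests such as exec
    emit ResponseStarted and ResponseComplete under one auditID, so de-duplicate."""
    findings, seen, secret_reads = [], set(), Counter()
    for event in doc.get("items", []):
        aid = event.get("auditID")
        if event.get("stage") == "RequestReceived" or (aid and aid in seen):
            continue
        seen.add(aid)
        ref = event.get("objectRef") or {}
        if ref.get("resource") == "secrets" and event.get("verb") in READ:
            secret_reads[(event.get("user") or {}).get("username")] += 1
        kind = classify(event)
        if kind:
            findings.append(finding(kind, event))
    for user, n in secret_reads.items():
        if n > SECRET_READ_THRESHOLD:
            findings.append({"kind": "secret_bulk_read", "user": user, "count": n})
    return findings


class AuditWebhook(BaseHTTPRequestHandler):
    """Endpoint the API server's webhook backend POSTs batches to."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        for f in analyze_event_list(json.loads(body or b"{}")):
            print(json.dumps(f))  # forward to the SIEM from here
        self.send_response(200)  # a non-2xx reply makes the API server treat the batch as failed
        self.end_headers()


def _ev(aid, user, verb, resource, name=None, ns=None, sub=None, group="", stage="ResponseComplete", code=200):
    """Constructed audit.k8s.io/v1 Event for the demo (not captured from a real cluster)."""
    return {"apiVersion": "audit.k8s.io/v1", "kind": "Event", "auditID": aid, "stage": stage, "verb": verb,
            "user": {"username": user}, "responseStatus": {"code": code},
            "objectRef": {"apiGroup": group, "resource": resource, "subresource": sub, "namespace": ns, "name": name}}


# Constructed sample batch: four secret reads by alice (one denied), an RBAC change,
# one exec session seen at both stages, a token request, a namespace deletion,
# a kube-proxy watch still at RequestReceived, and a routine configmap update.
SAMPLE_EVENT_LIST = {"apiVersion": "audit.k8s.io/v1", "kind": "EventList", "items": [
    _ev("a1", "alice", "get", "secrets", "db-creds", "prod"),
    _ev("a2", "alice", "list", "secrets", ns="prod"),
    _ev("a3", "alice", "get", "secrets", "api-key", "prod"),
    _ev("a4", "alice", "get", "secrets", "tls-cert", "prod", code=403),
    _ev("b1", "bob", "create", "clusterrolebindings", "bob-admin", group="rbac.authorization.k8s.io"),
    _ev("c1", "carol", "create", "pods", "web-0", "prod", sub="exec", stage="ResponseStarted"),
    _ev("c1", "carol", "create", "pods", "web-0", "prod", sub="exec"),  # same session, closing
    _ev("d1", "system:serviceaccount:ci:runner", "create", "serviceaccounts", "deployer", "ci", sub="token"),
    _ev("e1", "dave", "delete", "namespaces", "staging"),
    _ev("f1", "system:kube-proxy", "watch", "endpoints", stage="RequestReceived"),
    _ev("g1", "alice", "update", "configmaps", "app-config", "prod"),
]}

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "serve":  # plain HTTP for the demo; terminate TLS in front of it
        HTTPServer(("127.0.0.1", 8080), AuditWebhook).serve_forever()
    else:
        for f in analyze_event_list(SAMPLE_EVENT_LIST):
            print(json.dumps(f))
```

Run it without arguments to see the five findings the sample batch produces (the two exec events collapse into one, and alice's four reads become a single secret_bulk_read). With `serve` it listens on 127.0.0.1:8080; in production put TLS in front of it and require the client certificate named in the webhook kubeconfig's user entry, otherwise anything on the network can inject fake audit events into your SIEM.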
Compliance Requirements
Audit logging helps meet:
- SOC 2 Type II
- PCI DSS
- HIPAA
- GDPR
Proper audit logging is your eyes and ears into cluster activity.