Audit logging

Kubernetes auditing provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators or other components of the system. This documentation covers the configuration and usage of these audit logs in the Charmed Distribution of Kubernetes®. For a more detailed description of the motives and methodology behind audit logging in Kubernetes, see the Kubernetes Auditing documentation.

Viewing the log

By default, CDK enables audit logging to files on the kubernetes-master units. The log file is located at /root/cdk/audit/audit.log and is owned by the nominal root user. You can view the log directly by using Juju's credentials to make an SSH connection:

juju ssh kubernetes-master/0 sudo cat /root/cdk/audit/audit.log

Note that this log is replicated on all kubernetes-master units.

Audit policy configuration

Audit policy defines rules about what events should be recorded and what data they should include. For CDK this is configurable on the kubernetes-master charm using the audit-policy setting.

To view the current policy:

juju config kubernetes-master audit-policy

To set a new audit policy, it is easiest to write the policy to a file. Assuming you have a file named audit-policy.yaml with the following contents:

# Log all requests at the Metadata level.
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
- level: Metadata

You can set the new audit policy like so:

juju config kubernetes-master audit-policy="$(cat audit-policy.yaml)"

For more information about audit policy definitions, please refer to the upstream Kubernetes Audit Policy documentation.

Audit log backend configuration

The audit log backend writes audit events to a file in JSON format. It is configurable in CDK through the use of the api-extra-args config on kubernetes-master.

By default, the log backend is enabled in CDK with the following configuration:

kube-apiserver config value
audit-log-path /root/cdk/audit/audit.log
audit-log-maxsize 100
audit-log-maxbackup 9

You can override the defaults by using api-extra-args. For example:

juju config kubernetes-master api-extra-args="audit-log-path=/root/cdk/my-audit-location audit-log-maxage=30 audit-log-maxsize=200 audit-log-maxbackup=5"

Note: The audit-log-path must be a directory that is writeable by the kube-apiserver snap. Any non-hidden folders in /root, /var/snap/kube-apiserver/current, or /var/snap/kube-apiserver/common should work.

Please refer to the upstream Kubernetes Audit Log Backend documentation for more information about the available options.

Audit webhook backend configuration

The audit webhook backend sends audit events to a remote API, which is assumed to be the same API that the kube-apiserver exposes. This backend is disabled by default in CDK, and is configurable on the kubernetes-master charm via the audit-webhook-config option.

To view the current audit webhook configuration:

juju config kubernetes-master audit-webhook-config

To set a new audit webhook config, it is easiest to write the config to a file. Assuming you have a file named audit-webhook-config.yaml with the following contents:

apiVersion: v1
kind: Config
preferences: {}
clusters:
- name: example-cluster
  cluster:
    server: http://10.1.35.4
users:
- name: example-user
  user:
    username: some-user
    password: some-password
contexts:
- name: example-context
  context:
    cluster: example-cluster
    user: example-user
current-context: example-context

You can set the new audit webhook config with:

juju config kubernetes-master audit-webhook-config=”$(cat audit-webhook-config.yaml)”

Additional options for the webhook backend can be set by using api-extra-args. For example:

juju config kubernetes-master api-extra-args="audit-webhook-initial-backoff=20s"

Please refer to the upstream Kubernetes Audit Webhook Backend documentation for more information about the audit webhook config format and related options.