
CKS Exam Task – Enable Kubernetes Audit Logs

Enabling the Kubernetes audit logs for the API server is one of the tasks in the question catalog for the Certified Kubernetes Security Specialist Certification (CKS). This post shows how to perform this task.

Why you should configure audit logs for Kubernetes

When Kubernetes API Server audit logs are enabled, the API server will log information about requests it serves and responses it sends.

Kubernetes can store all sorts of data and configurations, including sensitive data like secrets to access other systems or data that has to be secured to satisfy compliance regulations.

Security specialists must be able to analyze all actions malicious actors perform in case of a security breach. This includes:

👉 What actions did they perform?
👉 When did it happen?
👉 Who did it? (Is a user compromised?)
👉 Where did requests come from?
👉 Where were responses sent to?
👉 What data did they access?

Example CKS Exam Task

Enable Audit logs for the Kubernetes API server of your cluster. There is an existing configuration file stored in your master node at /etc/kubernetes/audit/policy.yaml. Add a policy to the configuration so that audit logs contain metadata for all resources. Additionally, it should log the request body for configmap resources.

Change the configuration of the Kube API Server to enable audit logging using the policy configuration created above. Write logs to the path /var/log/audit/audit.log.

Prerequisites

  • To perform this task you need access to a Kubernetes cluster, we’re using minikube on docker
  • Start a new minikube cluster by running minikube start

Kubernetes audit log configuration file

The first part of the task is to configure the audit policy so that audit logs contain metadata for all requests and the request body for requests to config maps. We can accomplish this using the following policy configuration:

# /etc/kubernetes/audit/policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
# Rules are evaluated in order and the first matching rule wins, so the
# configmap-specific rule must come before the catch-all rule below.
# Log the request body (Request level) for all requests to configmaps.
- level: Request
  resources:
  - group: ""
    resources: ["configmaps"]
# Log every other request at the Metadata level.
- level: Metadata

The first rule configures logging of the request body for requests to config maps. The second rule defines that we want to log Metadata for all other requests to the API server. The order matters: the API server applies the first rule that matches a request, so if the catch-all Metadata rule were listed first, requests to config maps would only ever be logged at the Metadata level and the request body would never be recorded.
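Because the first matching rule decides the audit level, rule order is the part of this policy that is easiest to get wrong. The following Python sketch models that selection for the two rules above and shows what each ordering produces; it is an added example, not kube-apiserver code, and the helper names and sample events are constructed for illustration.

```python
"""Model of Kubernetes audit policy evaluation: first matching rule wins.

Hypothetical helper, not the kube-apiserver implementation. Supports the
selectors used in this post (resources) plus users, verbs and namespaces.
"""


def _rule_matches(rule, event):
    """True if every selector present in the rule matches the event.

    A selector that is absent from the rule matches everything, which is
    why a rule with only a level acts as a catch-all.
    """
    if "users" in rule and event["user"] not in rule["users"]:
        return False
    if "verbs" in rule and event["verb"] not in rule["verbs"]:
        return False
    if "namespaces" in rule and event.get("namespace") not in rule["namespaces"]:
        return False
    if "resources" in rule:
        hit = any(
            r.get("group", "") == event.get("group", "")
            and ("resources" not in r or event["resource"] in r["resources"])
            for r in rule["resources"]
        )
        if not hit:
            return False
    return True


def audit_level(policy, event):
    """Return the level of the first rule that matches; 'None' if no rule does."""
    for rule in policy["rules"]:
        if _rule_matches(rule, event):
            return rule["level"]
    return "None"


# Constructed sample events (not real audit log data).
CONFIGMAP_GET = {"user": "alice", "verb": "get", "namespace": "default",
                 "group": "", "resource": "configmaps"}
POD_LIST = {"user": "alice", "verb": "list", "namespace": "default",
            "group": "", "resource": "pods"}

CATCH_ALL = {"level": "Metadata"}
CONFIGMAP_REQUEST = {"level": "Request",
                     "resources": [{"group": "", "resources": ["configmaps"]}]}

WRONG_ORDER = {"rules": [CATCH_ALL, CONFIGMAP_REQUEST]}   # body never logged
RIGHT_ORDER = {"rules": [CONFIGMAP_REQUEST, CATCH_ALL]}   # body logged for configmaps

if __name__ == "__main__":
    print(audit_level(WRONG_ORDER, CONFIGMAP_GET))  # Metadata
    print(audit_level(RIGHT_ORDER, CONFIGMAP_GET))  # Request
    print(audit_level(RIGHT_ORDER, POD_LIST))       # Metadata
```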

Create this file on your minikube master node using minikube ssh to connect.

For a full list of possible configuration options visit the official Kubernetes documentation.

Configure Kube API server for audit logs

The second step of the task is to configure the Pod for the Kubernetes API server. You can change the API server’s configuration by editing its static Pod manifest. Usually, it is stored at /etc/kubernetes/manifests/kube-apiserver.yaml on the master nodes.

We need to:

  • Configure the log path
  • Configure the path to the audit policy configuration file
  • Mount the audit policy to the Kube API server
  • Mount the logs directory

To do all of the above we need to use minikube ssh to get a bash shell on our minikube node and edit kube-apiserver.yaml.

First, add the following additional arguments to the kube-apiserver container command:

--audit-policy-file=/etc/kubernetes/audit/policy.yaml
--audit-log-path=/var/log/audit/audit.log

Then add volumes to the pod description:

  volumes:
  - hostPath:
      path: /var/log/audit
      type: DirectoryOrCreate
    name: audit-logs
  - hostPath:
      path: /etc/kubernetes/audit/policy.yaml
      type: File
    name: audit-policy

Next, add the volumeMounts and save the manifest. Because the API server runs as a static Pod, the kubelet notices the changed manifest and restarts it with the new configuration:

    volumeMounts:
    - mountPath: /var/log/audit
      name: audit-logs
      readOnly: false
    - mountPath: /etc/kubernetes/audit/policy.yaml
      name: audit-policy
      readOnly: true

Congrats, you activated the audit logs for your Kubernetes API Server.

You can check that logs are written by running the following on your minikube node; each line of the file is one JSON-encoded audit event:

cat /var/log/audit/audit.log

Don’t want to miss the next post in the Certified Kubernetes Security Specialist (CKS) series? Follow me on LinkedIn!

To support my efforts use my affiliate link to buy your courses and exams from the Linux Foundation.