Enabling the Kubernetes audit logs for the API server is one of the tasks in the question catalog for the Certified Kubernetes Security Specialist Certification (CKS). This post shows how to perform this task.
Why you should configure audit logs for Kubernetes
When Kubernetes API Server audit logs are enabled, the API server will log information about requests it serves and responses it sends.
Kubernetes can store all sorts of data and configurations, including sensitive data like secrets to access other systems or data that has to be secured to satisfy compliance regulations.
Security specialists must be able to analyze all actions malicious actors perform in case of a security breach. This includes:
👉 What actions did they perform?
👉 When did it happen?
👉 Who did it? (Is a user compromised?)
👉 Where did requests come from?
👉 Where were responses sent to?
👉 What data did they access?
Example CKS Exam Task
Enable Audit logs for the Kubernetes API server of your cluster. There is an existing configuration file stored in your master node at
/etc/kubernetes/audit/policy.yaml. Add a policy to the configuration so that audit logs contain metadata for all resources. Additionally, it should log the request body for
Change the configuration of the Kube API Server to enable audit logging using the policy configuration created above. Write logs to the path
- To perform this task you need access to a Kubernetes cluster, we’re using minikube on docker
- Start a new minikube cluster by running
Kubernetes audit log configuration file
The first part of the task is to configure the audit policy so that audit logs will contain metadata of all requests and request body of requests to config. We can accomplish this using this policy configuration:
# /etc/kubernetes/audit/policy.yaml # Log all requests at the Metadata level. apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: Metadata # Log configmap and secret changes in all other namespaces at the Metadata level. - level: Request resources: - group: "" resources: ["configmaps"]
The first rule defines that we want to log Metadata for all requests to the API server. The second rule configures logging the request body for requests to config maps.
Create this file on your minikube master node using
minikube ssh to connect.
For a full list of possible configuration options visit the official Kubernetes documentation.
Configure Kube API server for audit logs
The second step of the task is to configure the Pod for the Kubernetes API server. You can change the API server’s configuration by editing its manifest. Usually, it is stored at
/etc/kubernetes/manifests/kube-api-server.yaml on the master nodes.
We need to:
- Configure the log path
- Configure the path to the audit policy configuration file
- Mount the audit policy to the Kube API server
- Mount the logs directory
To do all of the above we need to use
minikube ssh to get a bash shell on our minikube node. We need to edit the kube-api-server.yaml
First, add the following additional arguments:
Then add volumes to the pod description:
volumes: - hostPath: path: /var/log/audit type: DirectoryOrCreate name: audit-logs - hostPath: path: /etc/kubernetes/audit/policy.yaml type: File
Next, add the volumeMounts and apply the new configuration:
volumeMounts: - mountPath: /var/log/audit name: audit-logs readOnly: false - mountPath: /etc/kubernetes/audit/policy.yaml name: audit-policy readonly: true
Congrats, you activated the audit logs for your Kubernetes API Server.
You can check that logs are written by running the following on your minikube node:
Don’t want to miss the next post in the Certified Kubernetes Security Specialist (CKS) series? Follow me on LinkedIn!
To support my efforts use my affiliate link to buy your courses and exams from the Linux Foundation.