Solutions to Lab - Use Audit Logs to monitor access:
- 1: kube api-server
- 2: No
- 3: ResponseComplete
- 4: RequestResponse
- 5: logs all requests at the metadata level
- 6: Now enable auditing in this Kubernetes cluster. Create a new policy file that logs at the Metadata level, and only for events matching the specifications below:
- Namespace: prod
- Operations: delete
- Resources: secrets
- Log Path: /var/log/prod-secrets.log
- Audit file location: /etc/kubernetes/prod-audit.yaml
- Maximum days to keep the logs: 30
- Create the policy with vi at /etc/kubernetes/prod-audit.yaml:

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  namespaces: ["prod"]
  verbs: ["delete"]
  resources:
  - group: ""
    resources: ["secrets"]
```
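As an added illustration (not part of the lab solution), the following Python reproduces the API server's first-match evaluation of this policy, so you can reason about which requests will and will not reach /var/log/prod-secrets.log before testing on the cluster; `PROD_AUDIT_POLICY`, `rule_matches` and `audit_level` are names chosen here, and the policy is embedded as a dict only to avoid needing a YAML parser.

```python
# Added example (not part of the lab solution): a minimal evaluator that
# mirrors how the API server matches a request against an audit.k8s.io/v1
# Policy. The FIRST matching rule decides the level; a request matching no
# rule produces no audit event at all. Only the rule fields this lab uses
# (level, namespaces, verbs, resources) are handled.

# The lab's /etc/kubernetes/prod-audit.yaml as a dict, so this runs without
# a YAML parser (constructed from the policy above).
PROD_AUDIT_POLICY = {
    "apiVersion": "audit.k8s.io/v1",
    "kind": "Policy",
    "rules": [
        {
            "level": "Metadata",
            "namespaces": ["prod"],
            "verbs": ["delete"],
            "resources": [{"group": "", "resources": ["secrets"]}],
        }
    ],
}

def rule_matches(rule, req):
    """True if every selector present in the rule accepts the request.

    A selector absent from a rule matches everything, which is what makes a
    trailing catch-all rule such as `- level: None` work.
    """
    if "namespaces" in rule and req["namespace"] not in rule["namespaces"]:
        return False
    if "verbs" in rule and req["verb"] not in rule["verbs"]:
        return False
    if "resources" in rule:
        # Each entry names an API group ("" is the core group) and optional
        # resource names; an entry without "resources" matches the whole group.
        if not any(
            entry.get("group", "") == req["group"]
            and ("resources" not in entry or req["resource"] in entry["resources"])
            for entry in rule["resources"]
        ):
            return False
    return True

def audit_level(policy, req):
    """Return the level the request is logged at, or None if no rule matches."""
    for rule in policy["rules"]:
        if rule_matches(rule, req):
            return rule["level"]
    return None
```

A `get` on the same secret, a `delete` in another namespace, or a `delete` of a configmap in prod all return `None` here, which is exactly why only the delete in the test step below appears in the log.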
- Edit the API server manifest and add the necessary command line arguments, volumes and mounts.
- Add these arguments:

```yaml
- --audit-policy-file=/etc/kubernetes/prod-audit.yaml
- --audit-log-path=/var/log/prod-secrets.log
- --audit-log-maxage=30
```
- Add these volumes:

```yaml
- name: audit
  hostPath:
    path: /etc/kubernetes/prod-audit.yaml
    type: File
- name: audit-log
  hostPath:
    path: /var/log/prod-secrets.log
    type: FileOrCreate
```
- Add these mounts:

```yaml
- mountPath: /etc/kubernetes/prod-audit.yaml
  name: audit
  readOnly: true
- mountPath: /var/log/prod-secrets.log
  name: audit-log
  readOnly: false
```
- Save and exit vi. Wait for the API server to go down and come back up; this can take up to 60 seconds:

```shell
watch crictl ps
```

If the API server does not come back up, diagnose it: recheck the indentation of the edits above (a static pod manifest that no longer parses will not start), and read the kube-apiserver container's output with `crictl logs`.
- Test the auditing:

```shell
kubectl create secret -n prod generic test --from-literal x=1
kubectl delete secret -n prod test
# Wait a few seconds for the event to be written
jq -C . /var/log/prod-secrets.log
```

Only the `delete` should appear in the log: the `create` matches no rule in the policy, so no audit event is produced for it.