| 1 | +--- |
| 2 | +assignees: |
| 3 | +- soltysh |
| 4 | +- sttts |
| 5 | + |
| 6 | +--- |
| 7 | + |
| 8 | +* TOC |
| 9 | +{:toc} |
| 10 | + |
| 11 | +## Audit in Kubernetes |
| 12 | + |
| 13 | +Kubernetes currently provides only basic audit capabilities, there is still a lot |
| 14 | +of work going on to provide fully featured auditing capabilities (see https://github.com/kubernetes/features/issues/22). |
| 15 | + |
| 16 | +Kubernetes audit is part of [kube-apiserver](/docs/admin/kube-apiserver) logging all requests |
| 17 | +coming to the server. Each audit log contains two entries: |
| 18 | + |
| 19 | +1. The request line containing: |
| 20 | + - unique id allowing to match the response line (see 2) |
| 21 | + - source ip of the request |
| 22 | + - HTTP method being invoked |
| 23 | + - original user invoking the operation |
| 24 | + - impersonated user for the operation |
| 25 | + - namespace of the request or <none> |
| 26 | + - URI as requested |
| 27 | +2. The response line containing: |
| 28 | + - the unique id from 1 |
| 29 | + - response code |
| 30 | + |
| 31 | +Example output for user `admin` asking for a list of pods: |
| 32 | + |
| 33 | +``` |
| 34 | +2016-09-07T13:03:57.400333046Z AUDIT: id="5c3b8227-4af9-4322-8a71-542231c3887b" ip="127.0.0.1" method="GET" user="admin" as="<self>" namespace="default" uri="/api/v1/namespaces/default/pods" |
| 35 | +2016-09-07T13:03:57.400710987Z AUDIT: id="5c3b8227-4af9-4322-8a71-542231c3887b" response="200" |
| 36 | +``` |
| 37 | + |
| 38 | +NOTE: The audit capabilities are available *only* for the secured endpoint of the API server. |
| 39 | + |
| 40 | +## Configuration |
| 41 | + |
| 42 | +[Kube-apiserver](/docs/admin/kube-apiserver) provides following options which are responsible |
| 43 | +for configuring where and how audit logs are handled: |
| 44 | + |
| 45 | +- `audit-log-path` - enables the audit log pointing to a file where the requests are being logged to. |
| 46 | +- `audit-log-maxage` - specifies maximum number of days to retain old audit log files based on the timestamp encoded in their filename. |
| 47 | +- `audit-log-maxbackup` - specifies maximum number of old audit log files to retain. |
| 48 | +- `audit-log-maxsize` - specifies maximum size in megabytes of the audit log file before it gets rotated. Defaults to 100MB |
| 49 | + |
| 50 | +Audit logs are being appended if the file already existed or a new one will be |
| 51 | +created at given location. If file size exceeds `audit-log-maxsize` the file is |
| 52 | +renamed by putting the current timestamp at the end name of the file name (before |
| 53 | +the file's extension) |
| 54 | +Whenever a new logfile get created, old log files may be deleted. This policy is |
| 55 | +configured using `audit-log-maxbackup` and `audit-log-maxage` flags. |
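Review bot: the bullet `namespace of the request or <none>` writes the placeholder as a bare `<none>`, which Markdown/kramdown treats as an HTML tag and drops, so the rendered list item ends at "namespace of the request or" with nothing after it; wrap it in backticks as `` `<none>` `` so readers see the literal string that appears in the log. A few smaller points in the same file: the Configuration list names the flags as `audit-log-path`, `audit-log-maxage`, `audit-log-maxbackup` and `audit-log-maxsize`, but kube-apiserver takes them as `--audit-log-path` etc., so the leading dashes should be present (and "Defaults to 100MB" wants a closing period). "Each audit log contains two entries" is misleading, since the file holds many pairs; "each audited request produces two log lines" says what the example shows. In the rotation paragraph, "at the end name of the file name" should read "at the end of the file name", the parenthetical "(before the file's extension)" needs a sentence-ending period before "Whenever a new logfile get created" ("gets"), and the first paragraph's "basic audit capabilities, there is still a lot of work" is a comma splice that should be split or joined with a semicolon. Finally, the NOTE that auditing covers only the secured endpoint is the most security-relevant sentence on the page and deserves one more clause spelling out the consequence: requests arriving on the insecure port are not audited at all, so anyone relying on this log for accountability has to disable that port or keep it bound to localhost with no untrusted callers.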