73 lines
3.1 KiB
Markdown
73 lines
3.1 KiB
Markdown
|
---
|
||
|
|
assignees:
|
||
|
|
- soltysh
|
||
|
|
- sttts
|
||
|
|
title: Auditing
|
||
|
|
redirect_from:
|
||
|
|
- "/docs/admin/audit/"
|
||
|
|
- "/docs/admin/audit.html"
|
||
|
|
- "/docs/concepts/cluster-administration/audit/"
|
||
|
|
- "/docs/concepts/cluster-administration/audit.html"
|
||
|
|
---
|
||
|
|
|
||
|
|
* TOC
|
||
|
|
{:toc}
|
||
|
|
|
||
|
|
Kubernetes Audit provides a security-relevant chronological set of records documenting
|
||
|
|
the sequence of activities that have affected system by individual users, administrators
|
||
|
|
or other components of the system. It allows cluster administrator to
|
||
|
|
answer the following questions:
|
||
|
|
- what happened?
|
||
|
|
- when did it happen?
|
||
|
|
- who initiated it?
|
||
|
|
- on what did it happen?
|
||
|
|
- where was it observed?
|
||
|
|
- from where was it initiated?
|
||
|
|
- to where was it going?
|
||
|
|
|
||
|
|
NOTE: Currently, Kubernetes provides only basic audit capabilities, there is still a lot
|
||
|
|
of work going on to provide fully featured auditing capabilities (see [this issue](https://github.com/kubernetes/features/issues/22)).
|
||
|
|
|
||
|
|
Kubernetes audit is part of [kube-apiserver](/docs/admin/kube-apiserver) logging all requests
|
||
|
|
coming to the server. Each audit log contains two entries:
|
||
|
|
|
||
|
|
1. The request line containing:
|
||
|
|
- unique id allowing to match the response line (see 2)
|
||
|
|
- source ip of the request
|
||
|
|
- HTTP method being invoked
|
||
|
|
- original user invoking the operation
|
||
|
- original user's groups info
|
||
|
|
- impersonated user for the operation
|
||
|
|
- impersonated groups info
|
||
|
|
- namespace of the request or <none>
|
||
|
|
- URI as requested
|
||
|
|
2. The response line containing:
|
||
|
|
- the unique id from 1
|
||
|
|
- response code
|
||
|
|
|
||
|
|
Example output for user `admin` asking for a list of pods:
|
||
|
|
|
||
|
|
```
|
||
|
|
2017-03-21T03:57:09.106841886-04:00 AUDIT: id="c939d2a7-1c37-4ef1-b2f7-4ba9b1e43b53" ip="127.0.0.1" method="GET" user="admin" groups="\"system:masters\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/pods"
|
||
|
|
2017-03-21T03:57:09.108403639-04:00 AUDIT: id="c939d2a7-1c37-4ef1-b2f7-4ba9b1e43b53" response="200"
|
||
|
|
```
|
||
|
|
|
||
|
|
## Configuration
|
||
|
|
|
||
|
|
[Kube-apiserver](/docs/admin/kube-apiserver) provides following options which are responsible
|
||
|
|
for configuring where and how audit logs are handled:
|
||
|
|
|
||
|
|
- `audit-log-path` - enables the audit log pointing to a file where the requests are being logged to.
|
||
|
|
- `audit-log-maxage` - specifies maximum number of days to retain old audit log files based on the timestamp encoded in their filename.
|
||
|
|
- `audit-log-maxbackup` - specifies maximum number of old audit log files to retain.
|
||
|
|
- `audit-log-maxsize` - specifies maximum size in megabytes of the audit log file before it gets rotated. Defaults to 100MB
|
||
|
|
|
||
|
|
If an audit log file already exists, Kubernetes appends new audit logs to that file.
|
||
|
|
Otherwise, Kubernetes creates an audit log file at the location you specified in
|
||
|
|
`audit-log-path`. If the audit log file exceeds the size you specify in `audit-log-maxsize`,
|
||
|
|
Kubernetes will rename the current log file by appending the current timestamp on
|
||
|
|
the file name (before the file extension) and create a new audit log file.
|
||
|
|
Kubernetes may delete old log files when creating a new log file; you can configure
|
||
|
|
how many files are retained and how old they can be by specifying the `audit-log-maxbackup`
|
||
|
|
and `audit-log-maxage` options.
|