Runtime Security – Auditing


date: 2020-12-16T08:15:32


Enable / Configure Auditing

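This audit rule logs every request at the Metadata level (user, timestamp, resource, verb and so on, but not the request or response body):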

vi /etc/kubernetes/audit/policy.yaml

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

Enable and configure auditing in the kube-apiserver manifest:

vi /etc/kubernetes/manifests/kube-apiserver.yaml

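    - --audit-policy-file=/etc/kubernetes/audit/policy.yaml   # add
    - --audit-log-path=/var/log/kubernetes/audit.log          # add
    - --audit-log-maxsize=500                                 # add (megabytes per file before rotation)
    - --audit-log-maxbackup=5                                 # add (rotated files to keep)

    volumeMounts:
    - mountPath: /etc/kubernetes/audit                        # add (policy directory)
      name: audit                                             # add
    - mountPath: /var/log/kubernetes                          # add (so the log is written to the host)
      name: audit-log                                         # add

  volumes:
  - hostPath:                                                 # add
      path: /etc/kubernetes/audit                             # add (host directory that holds policy.yaml)
      type: DirectoryOrCreate                                 # add
    name: audit                                               # add
  - hostPath:                                                 # add
      path: /var/log/kubernetes                               # add (host directory for audit.log)
      type: DirectoryOrCreate                                 # add
    name: audit-log                                           # add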

Some policy examples:

Don't log anything from the RequestReceived stage (omitStages):

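apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
# A policy must contain at least one rule; this is the Metadata rule from above.
rules:
  - level: Metadata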
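To check that the API server is logging what the policies above ask for, the following added example (not part of the original post) parses the JSON-lines audit log, reports events that are not at the Metadata level or that come from the omitted RequestReceived stage, and counts secret reads per user. The sample log lines and the function names are constructed for illustration; on a node you would read /var/log/kubernetes/audit.log instead.

```python
import json
from collections import Counter

# Constructed sample lines in audit.k8s.io/v1 Event format (not from a real cluster).
# The fourth line is deliberately truncated, as can happen at log rotation.
SAMPLE_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:app"},"objectRef":{"resource":"secrets","namespace":"default","name":"db-pass"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","verb":"list","user":{"username":"dev-user"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"RequestReceived","verb":"get","user":{"username":"kubernetes-admin"},"objectRef":{"resource":"pods","namespace":"default"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","lev
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a4","stage":"ResponseComplete","verb":"create","user":{"username":"kubernetes-admin"},"objectRef":{"resource":"configmaps","namespace":"default"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:app"},"objectRef":{"resource":"secrets","namespace":"default","name":"db-pass"},"responseStatus":{"code":200}}
"""

def parse_events(text):
    """Yield audit events, skipping blank or truncated (non-JSON) lines."""
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and event.get("kind") == "Event":
            yield event

def policy_violations(events, level="Metadata", omitted=("RequestReceived",)):
    """Return auditIDs of events the policy should not have produced."""
    return [e.get("auditID") for e in events
            if e.get("level") != level or e.get("stage") in omitted]

def secret_access(events):
    """Count secret reads per (username, HTTP status code)."""
    counts = Counter()
    for e in events:
        ref = e.get("objectRef") or {}
        if ref.get("resource") == "secrets" and e.get("verb") in ("get", "list", "watch"):
            user = (e.get("user") or {}).get("username")
            code = (e.get("responseStatus") or {}).get("code")
            counts[(user, code)] += 1
    return counts

if __name__ == "__main__":
    events = list(parse_events(SAMPLE_LOG))
    print("events not matching the policy:", policy_violations(events))
    for (user, code), n in sorted(secret_access(events).items()):
        print(f"{user} read secrets {n}x (HTTP {code})")
```

An empty violation list after restarting the API server confirms the new policy is active; a 403 on a secret read shows who was denied access.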