Hi, May someone share the solution to the last question of lab- Use Audit logs to monitor Access

Kashif Ahsan:
Hi, May someone share the solution to the last question of lab- Use Audit logs to monitor Access

Now enable auditing in this kubernetes cluster. Create a new policy file that will only log events based on the below specifications:

Namespace: prod
Operations: delete
Resources: secrets
Log Path: /var/log/prod-secrets.log
Audit file location: /etc/kubernetes/prod-audit.yaml
Maximum days to keep the logs: 30

The solution below is mentioned but I am unable to create this yaml file.

Create /etc/kubernetes/prod-audit.yaml as below:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  namespaces: ["prod"]
  verbs: ["delete"]
  resources:
  - group: ""
    resources: ["secrets"]

Next, make sure to enable logging in api-server:

- --audit-policy-file=/etc/kubernetes/prod-audit.yaml
- --audit-log-path=/var/log/prod-secrets.log
- --audit-log-maxage=30

Then, add volumes and volume mounts as shown in the below snippets.

volumes:
- name: audit
  hostPath:
    path: /etc/kubernetes/prod-audit.yaml
    type: File
- name: audit-log
  hostPath:
    path: /var/log/prod-secrets.log
    type: FileOrCreate

volumeMounts:
- mountPath: /etc/kubernetes/prod-audit.yaml
  name: audit
  readOnly: true
- mountPath: /var/log/prod-secrets.log
  name: audit-log
  readOnly: false

Then save the file and make sure that kube-apiserver restarts.
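As an added example (not part of the original thread or the lab solution), the following Python script models how kube-apiserver applies an audit Policy to a request: rules are checked in order, the first matching rule sets the level, and a request that matches no rule gets level None and is never written to the log. It encodes the policy from the post as Python data and runs a few constructed requests through it, so you can see before restarting the API server that only `delete` on core-group `secrets` in `prod` is recorded, while a delete in `default`, a `get` in `prod`, a configmap delete, or a cluster-scoped delete is dropped. It also shows why a catch-all `level: None` placed above the rule silences everything. The `Request` type, the sample requests and the audit ID are all hypothetical, and the matcher covers only verbs, users, namespaces and resources (no resourceNames, subresources, nonResourceURLs or omitStages).

```python
"""Added example: a small model of kube-apiserver audit policy evaluation
(first matching rule wins, unmatched requests get level None). Request type,
sample requests and audit IDs are constructed for illustration only."""
import json
from dataclasses import dataclass
from typing import Optional

# The policy from the post, expressed as Python data so no YAML library is needed.
PROD_SECRET_DELETE_POLICY = {
    "apiVersion": "audit.k8s.io/v1",
    "kind": "Policy",
    "rules": [
        {
            "level": "Metadata",
            "namespaces": ["prod"],
            "verbs": ["delete"],
            "resources": [{"group": "", "resources": ["secrets"]}],
        }
    ],
}

# Same rule behind a catch-all "level: None". Because the first match wins,
# this variant logs nothing; a common mistake when a catch-all copied from the
# Kubernetes docs ends up at the top of the file instead of the bottom.
CATCH_ALL_FIRST_POLICY = {
    "apiVersion": "audit.k8s.io/v1",
    "kind": "Policy",
    "rules": [{"level": "None"}] + PROD_SECRET_DELETE_POLICY["rules"],
}


@dataclass
class Request:
    """Hypothetical subset of the request attributes the audit policy sees."""
    verb: str
    namespace: Optional[str]  # None for cluster-scoped resources
    api_group: str            # "" is the core group (secrets, configmaps, ...)
    resource: str
    user: str = "kubernetes-admin"
    name: str = ""


def rule_matches(rule: dict, req: Request) -> bool:
    """Match one policy rule on verbs, users, namespaces and resources.
    A rule with none of these fields set matches every request (catch-all)."""
    if "verbs" in rule and req.verb not in rule["verbs"]:
        return False
    if "users" in rule and req.user not in rule["users"]:
        return False
    if "namespaces" in rule:
        # Cluster-scoped requests only match a namespaces list containing "".
        ns = req.namespace if req.namespace is not None else ""
        if ns not in rule["namespaces"]:
            return False
    if "resources" in rule:
        for group_rule in rule["resources"]:
            if group_rule.get("group", "") != req.api_group:
                continue
            # A group entry without a resources list matches the whole group.
            if "resources" not in group_rule or req.resource in group_rule["resources"]:
                return True
        return False
    return True


def audit_level(policy: dict, req: Request) -> str:
    """Level of the first matching rule, or "None" when no rule matches."""
    for rule in policy["rules"]:
        if rule_matches(rule, req):
            return rule["level"]
    return "None"


def metadata_event(req: Request, audit_id: str) -> dict:
    """Shape of the JSON line a Metadata-level event produces in the log file:
    who, which verb, which object, but no request or response body (those only
    appear at Request / RequestResponse level)."""
    return {
        "kind": "Event",
        "apiVersion": "audit.k8s.io/v1",
        "level": "Metadata",
        "auditID": audit_id,
        "stage": "ResponseComplete",
        "verb": req.verb,
        "user": {"username": req.user},
        "objectRef": {"resource": req.resource, "namespace": req.namespace,
                      "name": req.name, "apiVersion": "v1"},
    }


if __name__ == "__main__":
    samples = [  # constructed requests, not captured traffic
        Request("delete", "prod", "", "secrets", name="db-creds"),
        Request("delete", "default", "", "secrets", name="db-creds"),
        Request("get", "prod", "", "secrets", name="db-creds"),
        Request("delete", "prod", "", "configmaps", name="app-config"),
        Request("delete", None, "", "nodes", name="worker-1"),
    ]
    for req in samples:
        print(f"{req.verb:6} {req.resource:10} ns={req.namespace!s:8} ->",
              audit_level(PROD_SECRET_DELETE_POLICY, req))
    print("catch-all first:", audit_level(CATCH_ALL_FIRST_POLICY, samples[0]))
    print(json.dumps(metadata_event(samples[0], "example-audit-id"), indent=2))
```

Once the real API server is running with the flags above, the practical check is the same as the last sample: delete a throwaway secret in `prod` and confirm a `"verb":"delete"` line with `"resource":"secrets"` lands in /var/log/prod-secrets.log, then delete one in another namespace and confirm nothing is written.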

Suman Chakraborty:
Hi @Kashif Ahsan, you can't create an audit definition via 'kubectl'. This file is passed as the value of the '--audit-policy-file' attribute in the parameters passed as api-server arguments. For more info, check here: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#log-backend

Kashif Ahsan:
Thanks. I have two queries here:

  1. Is the below file correct?

    apiVersion: audit.k8s.io/v1
    kind: Policy
    rules:
    - level: Metadata
      namespaces: ["prod"]
      verbs: ["delete"]
      resources:
      - group: ""
        resources: ["secrets"]
    volumes:
    - name: audit
      hostPath:
        path: /etc/kubernetes/prod-audit.yaml
        type: File
    - name: audit-log
      hostPath:
        path: /var/log/prod-secrets.log
        type: FileOrCreate
    volumeMounts:
    - mountPath: /etc/kubernetes/prod-audit.yaml
      name: audit
      readOnly: true
    - mountPath: /var/log/prod-secrets.log
      name: audit-log
      readOnly: false

  2. To pass this file, - --audit-policy-file=/etc/kubernetes/prod-audit.yaml

I added these lines to the kube-apiserver yaml file in /etc/kubernetes/manifest, but the file got corrupted; perhaps the prod-audit.yaml was not ok.