How to log interaction between namespaces at metadata level

There is a scenario where it is required to log interactions in all namespaces at metadata level. From the kubernetes.io monitoring and logging section I have the policy file

```yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]

  # Don't log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]

  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]

  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]

  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.

  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"
```

Does the default policy file log interactions within all namespaces?

Badly formatted YAML makes it hard to help. Please put your code into code blocks:
   * that preserve indentation
   * that don't turn your ' and " characters into something else

You can find info about how to format things in this forum here. Using this will make it easier to make sense of your audit policy. Also: are you referencing some document for putting this together, or a lab? Please provide a link to that.

I am referring to the link from kubernetes.io. Here is the direct link to it.
https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/audit/audit-policy.yaml

Here it doesn’t mention anything referencing to namespace interactions.

If you read your own link, carefully, you’ll see that there’s a namespaces block you can add to limit the namespaces used. IIRC if you omit that, then a rule will apply to all namespaces. Try it out and see – you can apply an audit policy, and try various things to see what gets recorded.

Thank you. Do you mean modify the below block?
From:

```yaml
  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]
```

To:

```yaml
  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
```

by removing the resources line?

Please use code blocks. Pasting this stuff directly into the edit window makes a complete hash of it, and interferes with you getting help on this. I gave you a link to the formatting doc – please read it.

Did you mean this?

```yaml
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]
```

If so: this is already for all namespaces. You add a namespaces block to limit to specific namespaces.

Thank you so much Rob. I will update and let you know.