Generating Kubernetes audit logs

Kubernetes audit logs in IBM® Cloud Private.

Kubernetes audit logs record data about how your IBM Cloud Private cluster is used. An audit policy defines the rules for which data is saved in the audit logs. IBM Cloud Private uses the default Kubernetes audit policy. For more information about the default Kubernetes audit policy, see https://kubernetes.io/docs/tasks/debug-application-cluster/audit/.

Note: For information about audit data sizes, see Audit logging data statistics.

By default, Kubernetes audit logs are unavailable in IBM Cloud Private. To generate these logs, during installation, set the auditlog_enabled parameter to true in the /<installation_directory>/cluster/config.yaml file. For more information, see Kubernetes settings.

The log files are saved in the /var/log/k8saudit/ folder.

Note: Audit logging depends on the logging service. Therefore, the audit-logging-fluentd-ds-* pods run only when the logging service is deployed. Deployment of the audit-logging chart is enabled by default at installation time. If you disabled logging at install time by adding logging: disabled to the config.yaml file, you must also add audit-logging: disabled to the management_services section of the config.yaml file. The following is a sample of the management_services section:

management_services:
  logging: disabled
  audit-logging: disabled
  istio: disabled
  vulnerability-advisor: disabled
  storage-glusterfs: disabled
  storage-minio: disabled

For more information about the types of logs in IBM Cloud Private, see Configuring IBM Cloud Private services to generate audit logs.

Enabling Kubernetes auditing after installation

Complete the following steps to enable Kubernetes auditing.

  1. SSH to the master node as root user.
  2. Copy the master.json file to a temporary location.

    cp /etc/cfc/pods/master.json /tmp/
    
  3. Edit the copied master.json file by using any editor. For example:

    vim /tmp/master.json
    
  4. Add the audit policy file path and the audit log file path, together with the log rotation arguments shown below. These arguments must go in the apiserver configuration section, after the last element in the command list.

    "--audit-policy-file=/etc/cfc/conf/audit-policy.yaml",
    "--audit-log-path=/var/log/k8saudit/audit.log",
    "--audit-log-maxage=3",
    "--audit-log-maxbackup=10",
    "--audit-log-maxsize=10"
    

    Note: If you insert these arguments in the middle of the command list rather than at its end, add a comma (,) after the last one so that the file remains valid JSON.

  5. Replace the original master.json with the updated one.

    cp /tmp/master.json /etc/cfc/pods/master.json
    
  6. The master pod picks up the changes and the kube-apiserver restarts with auditing enabled.
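Hand-editing master.json is where this procedure most often goes wrong (the comma problem noted in step 4, or the flags landing in the wrong container's command list). The following added example, which is not part of the IBM Cloud Private documentation or product, performs steps 2 through 5 programmatically: it loads the manifest as JSON, locates the apiserver container, appends the audit arguments from step 4 only if they are not already present (so it is safe to run twice), and re-serialises the result so the file is always valid JSON. It also provides a check you can run against a manifest before and after the change. The sample manifest, its container names and the --secure-port argument are constructed stand-ins for the real file; the audit flag values are the ones from step 4.

```python
import json
import sys

# Audit arguments exactly as given in step 4 of the procedure.
AUDIT_FLAGS = [
    "--audit-policy-file=/etc/cfc/conf/audit-policy.yaml",
    "--audit-log-path=/var/log/k8saudit/audit.log",
    "--audit-log-maxage=3",
    "--audit-log-maxbackup=10",
    "--audit-log-maxsize=10",
]

# Constructed, minimal stand-in for /etc/cfc/pods/master.json: a static pod
# manifest with more than one container, only one of which runs the apiserver.
# The real file has more containers and many more arguments; only the shape
# (spec.containers[].command) matters for this script.
SAMPLE_MASTER_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "k8s-master"},
    "spec": {
        "containers": [
            {"name": "controller-manager",
             "command": ["/hyperkube", "controller-manager"]},
            {"name": "apiserver",
             "command": ["/hyperkube", "apiserver", "--secure-port=8001"]},
        ]
    },
})


def flag_name(arg):
    """'--audit-log-maxage=3' -> '--audit-log-maxage' (used to detect duplicates)."""
    return arg.split("=", 1)[0]


def find_apiserver(manifest):
    """Return the container whose command runs the API server."""
    for container in manifest["spec"]["containers"]:
        if "apiserver" in container.get("command", []):
            return container
    raise ValueError("no apiserver container found in manifest")


def apiserver_command(manifest_text):
    """Return the apiserver container's command list from JSON text."""
    return list(find_apiserver(json.loads(manifest_text))["command"])


def add_audit_flags(manifest_text):
    """Return (updated_json_text, changed).

    Each audit flag is appended after the last element of the apiserver
    command list unless a flag of the same name is already present, so the
    function is idempotent. Serialising with json.dumps sidesteps the
    missing-comma mistake that the note in step 4 warns about.
    """
    manifest = json.loads(manifest_text)
    command = find_apiserver(manifest)["command"]
    present = {flag_name(a) for a in command}
    changed = False
    for flag in AUDIT_FLAGS:
        if flag_name(flag) not in present:
            command.append(flag)
            present.add(flag_name(flag))
            changed = True
    return json.dumps(manifest, indent=2), changed


def audit_enabled(manifest_text):
    """Post-change check: auditing needs both a policy file and a log path."""
    names = {flag_name(a) for a in apiserver_command(manifest_text)}
    return "--audit-policy-file" in names and "--audit-log-path" in names


if __name__ == "__main__":
    # Real use (hypothetical script name):
    #   cp /etc/cfc/pods/master.json /tmp/
    #   python3 add_audit_flags.py /tmp/master.json
    #   cp /tmp/master.json /etc/cfc/pods/master.json
    # Without an argument it runs against the constructed sample manifest.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_MASTER_JSON
    updated, changed = add_audit_flags(text)
    if path and changed:
        with open(path, "w") as fh:
            fh.write(updated)
    print("auditing enabled:", audit_enabled(updated), "| file changed:", changed)
```

Because the flags are matched by name rather than by full string, an apiserver that already carries, say, a different --audit-log-maxsize keeps its existing value; adjust AUDIT_FLAGS first if you want the page's values to win. The audit_enabled check is also useful on its own as a quick verification that a node's master.json still has auditing configured.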