Audit Logs
Our solution provides detailed Audit dashboards. Kubernetes does not write audit logs by default; you enable them on the Kubernetes API Server by following the instructions in the Kubernetes documentation, Auditing.
You need to enable audit logs only on the master (control plane) nodes, because that is where the Kubernetes API Server runs. For that, you need to edit the definition of the Kubernetes API Server on each of them.
In clusters bootstrapped by kubeadm, the Kubernetes API Server is a static Pod whose definition you can find in the file /etc/kubernetes/manifests/kube-apiserver.yaml. In other distributions the Kubernetes API Server Pod definition can be stored in /etc/kubernetes/manifests/apiserver.json.
Create an Audit Policy file. Use our example as a reference and save the file as /etc/kubernetes/policies/audit-policy.yaml. Another good example of an audit-policy.yaml file is the audit profile used by GCE.
Rules are evaluated in order and the first matching rule decides the level of an event, so keep the specific Metadata rule for secrets and configmaps ahead of the catch-all Request rule. The catch-all records request bodies, which makes it the most voluminous rule and means that credentials embedded in other objects (for example environment variables in a Deployment) end up in the log. The rules that set level None for kube-system service accounts and for nodes keep the log small, but they also mean that requests made with those identities, including a stolen kubelet or kube-system service account credential, leave no audit trail; decide deliberately whether your cluster can afford that blind spot.
```yaml
apiVersion: audit.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.24; v1 uses the same rule syntax
kind: Policy
rules:
  # Do not log from kube-system accounts
  - level: None
    userGroups:
      - system:serviceaccounts:kube-system
  - level: None
    users:
      - system:apiserver
      - system:kube-scheduler
      - system:volume-scheduler
      - system:kube-controller-manager
      - system:node

  # Do not log from collector
  - level: None
    users:
      - system:serviceaccount:collectorforkubernetes:collectorforkubernetes

  # Don't log nodes communications (kubelets authenticate as system:node:<name> and belong to this group)
  - level: None
    userGroups:
      - system:nodes

  # Don't log these read-only URLs.
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*

  # Log secret and configmap requests (reads and changes) in all namespaces at the Metadata level,
  # so their contents never land in the log.
  - level: Metadata
    resources:
      - resources: ["secrets", "configmaps"]

  # A catch-all rule to log all other requests at the Request level (with request bodies).
  - level: Request
```
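To see what the policy above actually records, here is a small first-match evaluator, written for this page as an added example (it is not code from Collectord or from Kubernetes). It restates the policy rules as Python dicts so that it runs without PyYAML, feeds them constructed sample events in the shape of audit.k8s.io/v1 Event objects, and reports which requests are dropped at level None. The user names, namespaces and URIs in the samples are invented for the example.

```python
"""First-match evaluation of the audit policy above, run over constructed events.

Added example, not code from the Collectord documentation or from Kubernetes.
POLICY_RULES restates the audit-policy.yaml shown above as Python dicts; the
events are hand-written samples shaped like audit.k8s.io/v1 Event objects, not
captured API server output. Only the rule selectors the policy uses (users,
userGroups, nonResourceURLs, resources) plus verbs are implemented.
"""

POLICY_RULES = [
    {"level": "None", "userGroups": ["system:serviceaccounts:kube-system"]},
    {"level": "None", "users": ["system:apiserver", "system:kube-scheduler",
                               "system:volume-scheduler",
                               "system:kube-controller-manager", "system:node"]},
    {"level": "None", "users": [
        "system:serviceaccount:collectorforkubernetes:collectorforkubernetes"]},
    {"level": "None", "userGroups": ["system:nodes"]},
    {"level": "None", "nonResourceURLs": ["/healthz*", "/version", "/swagger*"]},
    {"level": "Metadata", "resources": [{"resources": ["secrets", "configmaps"]}]},
    {"level": "Request"},  # catch-all: everything else, including request bodies
]


def _url_matches(uri, pattern):
    # Kubernetes allows a single trailing '*' as a prefix wildcard.
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def _rule_matches(rule, event):
    """True when every selector present in the rule matches the event."""
    user = event.get("user", {})
    ref = event.get("objectRef")
    if "users" in rule and user.get("username") not in rule["users"]:
        return False
    if "userGroups" in rule and not set(rule["userGroups"]) & set(user.get("groups", [])):
        return False
    if "verbs" in rule and event.get("verb") not in rule["verbs"]:
        return False
    if "nonResourceURLs" in rule:
        # A non-resource rule never matches a resource request, whatever its URL.
        if ref is not None or not any(
                _url_matches(event.get("requestURI", ""), p) for p in rule["nonResourceURLs"]):
            return False
    if "resources" in rule:
        if ref is None:
            return False
        # An empty 'group' means the core API group, which events omit from objectRef.
        if not any(spec.get("group", "") == ref.get("apiGroup", "")
                   and (not spec.get("resources") or ref.get("resource") in spec["resources"])
                   for spec in rule["resources"]):
            return False
    return True


def audit_level(event, rules=POLICY_RULES):
    """Level of the first matching rule; 'None' when no rule matches (the kube-apiserver default)."""
    for rule in rules:
        if _rule_matches(rule, event):
            return rule["level"]
    return "None"


def _event(username, groups, verb, uri, object_ref=None):
    ev = {"user": {"username": username, "groups": groups}, "verb": verb, "requestURI": uri}
    if object_ref:
        ev["objectRef"] = object_ref
    return ev


# Constructed sample requests (invented, not real traffic).
EVENTS = {
    "dev_reads_secret": _event(
        "jane", ["developers", "system:authenticated"], "get",
        "/api/v1/namespaces/prod/secrets/db-creds",
        {"resource": "secrets", "namespace": "prod", "name": "db-creds"}),
    "dev_creates_deployment": _event(
        "jane", ["developers", "system:authenticated"], "create",
        "/apis/apps/v1/namespaces/prod/deployments",
        {"resource": "deployments", "apiGroup": "apps", "namespace": "prod"}),
    "kube_system_sa_exec": _event(
        "system:serviceaccount:kube-system:default",
        ["system:serviceaccounts", "system:serviceaccounts:kube-system", "system:authenticated"],
        "create", "/api/v1/namespaces/prod/pods/web-0/exec",
        {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "web-0"}),
    "kubelet_reads_secret": _event(
        "system:node:worker-1", ["system:nodes", "system:authenticated"], "get",
        "/api/v1/namespaces/prod/secrets/db-creds",
        {"resource": "secrets", "namespace": "prod", "name": "db-creds"}),
    "probe_healthz": _event("system:anonymous", ["system:unauthenticated"], "get", "/healthz/etcd"),
}


def silently_dropped(events=EVENTS):
    """Resource requests the policy records at level None: the audit blind spots."""
    return sorted(name for name, ev in events.items()
                  if audit_level(ev) == "None" and "objectRef" in ev)


if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:24s} -> {audit_level(ev)}")
    print("no audit trail for:", silently_dropped())
```

Run it and the two resource requests that leave no trace are the pod exec by a kube-system service account and the secret read by a kubelet: exactly the identities an attacker who has landed on a node or in kube-system would use. If that is unacceptable for your cluster, replace those None rules with Metadata-level rules for the verbs you care about, at the cost of more volume.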
The configuration below points the API Server at the policy file and sets --audit-log-path=- so that audit events are written, one JSON object per line, to the API Server's standard output. Because the API Server runs as a container (a static Pod), its stdout lands in the kube-apiserver container log on the node, and collectord forwards it automatically together with the other container logs. Keep in mind that the kubelet rotates container logs, so the copy on the node is short-lived and Splunk becomes the system of record for the audit trail.
The policy file also has to be mounted into the container that runs the Kubernetes API Server. Modify /etc/kubernetes/manifests/kube-apiserver.yaml with the suggested changes. Create the policy file before you do: the hostPath type DirectoryOrCreate only creates an empty /etc/kubernetes/policies directory, and the API Server refuses to start when --audit-policy-file points at a file that is missing or invalid.
```yaml
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
    - --audit-log-path=-
    - --audit-log-format=json
    ...
    volumeMounts:
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/kubernetes/policies
      name: policies
      readOnly: true
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/kubernetes/policies
      type: DirectoryOrCreate
    name: policies
```
The kubelet watches the manifests directory and recreates the static Pod when the file changes. If the new API Server does not come up, restart the kubelet:

```bash
sudo systemctl restart kubelet
```

You can confirm that events are flowing with kubectl -n kube-system logs on the kube-apiserver Pod of that node; every event carries "kind":"Event" and "apiVersion":"audit.k8s.io/v1".
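Because a wrong --audit-policy-file path or a forgotten volumeMount keeps the API Server from starting, it is worth checking the manifest before the kubelet picks it up. The script below is an added example written for this page, not a tool shipped with Collectord or Kubernetes; it parses the manifest as plain text (assuming the kubeadm layout shown above, with one flag per list item and list items at the same indentation as their key) and reports the common mistakes. The two manifests at the bottom are constructed samples.

```python
"""Pre-flight check of the audit wiring in a kube-apiserver static Pod manifest.

Added example, not Collectord's or Kubernetes' own tooling. The manifest is read
as text (no PyYAML dependency), assuming the kubeadm layout: one "- --flag=value"
list item per argument, and volumeMounts/volumes list items written at the same
indentation as their key. GOOD and BAD below are constructed samples.
"""
import re

FLAG_RE = re.compile(r"^\s*-\s*(--audit-[\w-]+)=(.*)$")
KEY_RE = re.compile(r"^(\s*)(-\s+)?(\w+):\s*(.*)$")


def audit_flags(manifest):
    """Return {flag: value} for every --audit-* argument in the manifest."""
    return {m.group(1): m.group(2).strip()
            for m in map(FLAG_RE.match, manifest.splitlines()) if m}


def list_items(manifest, section):
    """Flatten each list item under 'section:' (volumeMounts or volumes) into a dict."""
    items, current, base = [], None, None
    for line in manifest.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue  # flag lines, '...', blank lines
        indent, dash, key, value = len(m.group(1)), bool(m.group(2)), m.group(3), m.group(4)
        if base is None:
            if key == section and not value:
                base = indent  # entered the section
            continue
        if indent < base or (indent == base and not dash):
            break  # left the section
        if dash:  # "- key: value" starts a new item
            current = {}
            items.append(current)
        if current is not None and value:
            current[key] = value
    return items


def preflight(manifest):
    """List what is wrong with the audit wiring; an empty list means it looks right."""
    findings = []
    flags = audit_flags(manifest)
    policy, log_path = flags.get("--audit-policy-file"), flags.get("--audit-log-path")
    if not policy:
        findings.append("--audit-policy-file missing: without a policy nothing is audited")
    if log_path is None:
        findings.append("--audit-log-path missing: the log backend is disabled")
    elif log_path != "-":
        findings.append(f"--audit-log-path={log_path} writes a file, not stdout; "
                        "collectord only sees it if that path is a mounted hostPath")
    if flags.get("--audit-log-format", "json") != "json":
        findings.append("--audit-log-format should be json for the Splunk field extraction")
    volumes = {v.get("name"): v for v in list_items(manifest, "volumes")}
    if policy:
        covering = [m for m in list_items(manifest, "volumeMounts")
                    if m.get("mountPath") and policy.startswith(m["mountPath"].rstrip("/") + "/")]
        if not covering:
            findings.append(f"{policy} is not under any mountPath: the container cannot read it")
        else:
            mount = covering[0]
            if mount.get("readOnly") != "true":
                findings.append(f"mount {mount['mountPath']} is not readOnly")
            if "path" not in volumes.get(mount.get("name"), {}):
                findings.append(f"no hostPath volume named {mount.get('name')!r}")
    return findings


# Constructed sample: the wiring recommended above (certificate mounts omitted for brevity).
GOOD = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
    - --audit-log-path=-
    - --audit-log-format=json
    name: kube-apiserver
    volumeMounts:
    - mountPath: /etc/kubernetes/policies
      name: policies
      readOnly: true
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/policies
      type: DirectoryOrCreate
    name: policies
"""

# Constructed sample of the usual mistake: flags added, volumeMount forgotten.
BAD = GOOD.replace("    volumeMounts:\n    - mountPath: /etc/kubernetes/policies\n"
                   "      name: policies\n      readOnly: true\n", "")

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, preflight(text) or "ok")
```

Point it at the real file with preflight(open("/etc/kubernetes/manifests/kube-apiserver.yaml").read()) on the control plane node before saving your edit; an empty result means the flags, the mount and the hostPath volume agree with each other.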
The application has a macro, macro_kubernetes_audit_logs, that defines how to find the audit logs. It matches on the string audit.k8s.io that every event carries in its apiVersion field:

```
(`macro_kubernetes_logs` OR `macro_kubernetes_host_logs`) "audit.k8s.io"
```