This guide covers how to enable Kubernetes API auditing on a kind cluster.
Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster. Auditing requires a file to define the audit policy and a backend configuration to store the logged events. Auditing supports two types of backends: log (file) & webhook. The following exercise uses the log backend.
- Create the local audit-policy file
- Mount the local audit-policy file into the kind control plane
- Expose the control plane mounts to the API server
- Enable the auditing API flags
- Create a cluster
audit-policy.yaml file
kind-config.yaml file
To enable audit logging, use kind’s configuration file to pass additional setup instructions. Kind uses
kubeadm to provision the cluster and the configuration file has the ability to pass
kubeadmConfigPatches for further customization.
Launch a new cluster
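The steps listed above combined into one script, as an added example that is not the kind documentation's own code. The paths, flags and volume names follow the expected output quoted on this page; the Metadata-level policy and the map form of extraArgs are assumptions.

```bash
# Added example (not from the kind docs); policy level and map-style extraArgs are assumptions.
set -eu
write_audit_policy() {  # minimal policy: record request metadata for every request
  cat > "$1/audit-policy.yaml" <<'EOF'
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
EOF
}
# Mount the policy into the node, then patch kubeadm so the API server gets volumes and flags.
write_kind_config() {
  cat > "$1/kind-config.yaml" <<'EOF'
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  extraMounts:
  - hostPath: ./audit-policy.yaml
    containerPath: /etc/kubernetes/policies/audit-policy.yaml
    readOnly: true
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
      extraArgs:
        audit-log-path: /var/log/kubernetes/kube-apiserver-audit.log
        audit-policy-file: /etc/kubernetes/policies/audit-policy.yaml
      extraVolumes:
      - name: audit-policies
        hostPath: /etc/kubernetes/policies
        mountPath: /etc/kubernetes/policies
        readOnly: true
        pathType: DirectoryOrCreate
      - name: audit-logs
        hostPath: /var/log/kubernetes
        mountPath: /var/log/kubernetes
        readOnly: false
        pathType: DirectoryOrCreate
EOF
}
# Pass "up" to write both files into the current directory, create the cluster, and show events.
if [ "${1:-}" = "up" ]; then
  write_audit_policy . && write_kind_config .
  kind create cluster --config kind-config.yaml
  docker exec kind-control-plane tail -n 3 /var/log/kubernetes/kube-apiserver-audit.log
fi
```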
View audit logs
Once the cluster is running, view the log files on the control plane in
If logs are not present, let’s ensure a few things are in place.
Is the local audit-policy file mounted in the control-plane?
Does the API server contain the mounts and arguments?
    - --audit-log-path=/var/log/kubernetes/kube-apiserver-audit.log
    - --audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
    name: audit-logs
    name: audit-policies
    name: audit-logs
    name: audit-policies
If the control plane requires further debugging, use
docker exec -it kind-control-plane bash to start an interactive terminal session with the container.