Problem
- Enable Kubernetes API server audit logging in a PMK Kubernetes cluster.
Environment
- Platform9 Managed Kubernetes - v3.6.0 and Higher
Procedure
1. On the master node, create the file /etc/kubernetes/audit-policy.yaml with the following content. This policy records requests to the core-group pods resource at the Metadata level only. A request that matches no rule is not logged at all, so to audit other resources, subresources (pods/exec, pods/log, ...) or audit levels, add further rules or a catch-all rule; the policy syntax is documented in the Kubernetes audit page linked under Additional Information.
   # Log requests to pods at the Metadata level.
   apiVersion: audit.k8s.io/v1
   kind: Policy
   rules:
   - level: Metadata
     resources:
     - group: ""   # the core API group
       # Resource "pods" doesn't match requests to any subresource of pods
       # (pods/exec, pods/log, ...), which is consistent with the RBAC policy.
       resources: ["pods"]
2. Edit /opt/pf9/pf9-kube/conf/masterconfig/base/master.yaml and, in the kube-apiserver container, add the two --audit-* flags to the command list and the two volumeMounts shown below. Keep the existing arguments and mounts; only the audit-related lines are new. The rotation flags --audit-log-maxsize, --audit-log-maxbackup and --audit-log-maxage control how the log file is rotated and how many rotated files are kept; without them rotated files are never removed, so set them as well to bound disk usage on the master.
   - name: "kube-apiserver"
     image: "gcr.io/google_containers/hyperkube:__KUBERNETES_VERSION__"
     command:
     - "/hyperkube"
     - "kube-apiserver"
     - "--audit-policy-file=/etc/kubernetes/audit-policy.yaml"
     - "--audit-log-path=/var/log/kubernetes/audit/audit.log"
     volumeMounts:
     - mountPath: "/etc/kubernetes/audit-policy.yaml"
       name: "audit"
       readOnly: true
     - mountPath: "/var/log/kubernetes/audit/"
       name: "audit-log"
       readOnly: false
3. In the same file, add the two hostPath volumes below to the volumes section of the pod spec, so that the policy file and the log directory on the master are visible inside the kube-apiserver container:
   volumes:
   - hostPath:
       path: "/etc/kubernetes/audit-policy.yaml"
     name: "audit"
   - hostPath:
       path: "/var/log/kubernetes/audit"
     name: "audit-log"
4. Restart pf9-kube on the master node so that kube-apiserver comes back up with the new flags:
/etc/init.d/pf9-kube stop
/etc/init.d/pf9-kube start
5. The API server now writes audit events, one JSON object per line, to /var/log/kubernetes/audit/audit.log. Confirm that the file exists and is growing, for example with tail -f /var/log/kubernetes/audit/audit.log; if it stays empty, check that the policy file parsed (kube-apiserver refuses to start on a malformed policy) and that the requests you expect to see actually match a rule.
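Because a request that matches no rule is silently dropped, it is worth predicting what a policy logs before loading it. The script below is an added example, not Platform9's or Kubernetes' own code: it re-implements the rule-matching semantics documented on the Kubernetes audit page (first matching rule wins; "pods" does not match subresources such as pods/exec, "pods/*" does; users, userGroups, verbs, namespaces and nonResourceURLs narrow a rule; no match means level None) and runs the policy from step 1 and a broader, assumed policy against constructed sample requests. ResourceNames and omitStages are not modelled.

```python
"""Added example (not Platform9's or Kubernetes' code): a model of the audit
policy rule matching documented at kubernetes.io, used to predict which
requests a policy logs. First matching rule wins; a request that matches no
rule gets level None and is never written to audit.log. ResourceNames and
omitStages are not modelled; all requests are constructed samples."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Request:
    """Attributes the API server derives from one request."""
    verb: str
    user: str = "admin"
    groups: List[str] = field(default_factory=list)
    api_group: str = ""     # "" is the core group (pods, secrets, endpoints ...)
    resource: str = ""      # empty for non-resource URLs such as /healthz
    subresource: str = ""
    namespace: str = ""
    path: str = ""          # only set for non-resource URLs


# The policy from step 1, as a dict instead of YAML.
PAGE_POLICY = {"rules": [
    {"level": "Metadata", "resources": [{"group": "", "resources": ["pods"]}]},
]}

# Assumed broader policy (a starting point, not a Platform9 default).
BROADER_POLICY = {"rules": [
    # pods plus every pod subresource (exec, attach, log, portforward ...)
    {"level": "Metadata", "resources": [{"group": "", "resources": ["pods", "pods/*"]}]},
    # drop the high-volume kube-proxy watches
    {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
     "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
    {"level": "None", "nonResourceURLs": ["/healthz*", "/version"]},
    # keep request bodies for deployment changes
    {"level": "Request", "resources": [{"group": "apps", "resources": ["deployments"]}]},
    # catch-all; secrets land here at Metadata on purpose, since Request or
    # RequestResponse would copy secret values into the audit log
    {"level": "Metadata"},
]}


def _matches_resource(rule: dict, req: Request) -> bool:
    if not req.resource:
        return False
    if rule.get("namespaces") and req.namespace not in rule["namespaces"]:
        return False
    if not rule.get("resources"):
        return True
    combined = req.resource + ("/" + req.subresource if req.subresource else "")
    for gr in rule["resources"]:
        if gr.get("group", "") != req.api_group:
            continue
        if not gr.get("resources"):
            return True                                   # whole API group
        for res in gr["resources"]:
            if res == "*" or res == combined:             # "pods" or "pods/exec"
                return True
            if res.endswith("/*") and req.resource == res[:-2]:
                return True                               # "pods/*"
            if req.subresource and res.startswith("*/") and req.subresource == res[2:]:
                return True                               # "*/status"
    return False


def _matches_non_resource(rule: dict, req: Request) -> bool:
    if req.resource:
        return False
    return any(p == req.path or (p.endswith("*") and req.path.startswith(p[:-1]))
               for p in rule["nonResourceURLs"])


def _rule_matches(rule: dict, req: Request) -> bool:
    if rule.get("users") and req.user not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(req.groups):
        return False
    if rule.get("verbs") and req.verb not in rule["verbs"]:
        return False
    if rule.get("namespaces") or rule.get("resources"):
        return _matches_resource(rule, req)
    if rule.get("nonResourceURLs"):
        return _matches_non_resource(rule, req)
    return True                                           # no selector: catch-all


def audit_level(policy: dict, req: Request) -> str:
    """Level of the first matching rule, or "None" (dropped) if nothing matches."""
    for rule in policy["rules"]:
        if _rule_matches(rule, req):
            return rule["level"]
    return "None"


SAMPLE_REQUESTS: Dict[str, Request] = {
    "get pods": Request("get", resource="pods", namespace="default"),
    "create pods/exec": Request("create", resource="pods", subresource="exec", namespace="default"),
    "get secrets": Request("get", resource="secrets", namespace="kube-system"),
    "patch deployments": Request("patch", api_group="apps", resource="deployments", namespace="prod"),
    "get /healthz": Request("get", path="/healthz"),
    "kube-proxy watch endpoints": Request("watch", user="system:kube-proxy", resource="endpoints"),
}


def evaluate(policy: dict) -> Dict[str, str]:
    return {name: audit_level(policy, req) for name, req in SAMPLE_REQUESTS.items()}


def unlogged(policy: dict) -> List[str]:
    """Sample requests the policy silently drops."""
    return [name for name, level in evaluate(policy).items() if level == "None"]


if __name__ == "__main__":
    for label, policy in (("page policy", PAGE_POLICY), ("broader policy", BROADER_POLICY)):
        print(f"== {label}: not logged -> {', '.join(unlogged(policy))}")
        for name, level in evaluate(policy).items():
            print(f"   {name:<28} {level}")
```

Run stand-alone, the page policy logs only the plain "get pods" request: the exec into a pod, the read of a secret and the deployment change all fall through to level None and never reach audit.log. The broader policy logs those at Metadata or Request and drops only the health probe and the kube-proxy watch, which is usually the intended trade-off between signal and log volume.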
Additional Information
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/