Note:From now to June 30, 2022, users are exempt from CLS service fees incurred by audit log/event data generated by TKE for auto-created log topics. For details, see Note on Free Log Storage for TKE Audit and Event Center.
Cluster audit is a feature based on Kubernetes Audit that can store and search the records of kube-apiserver JSON logs to generate configurable policies. This feature records the access events of kube-apiserver and records the activities of each user, admin, or system component that has an impact on the cluster in sequence.
The cluster audit feature provides a different cluster monitoring dimension from metrics. After cluster audit is enabled, Kubernetes can record the log of every audit operation on the cluster. An audit log is a structured record in JSON format and consists of three parts: metadata, requestObject, and responseObject. The metadata (containing request context information, such as who initiated the request, where it was initiated, and the accessed URI) component is required, whereas requestObject and responseObject are optional, depending on the audit level. You can obtain the following information from logs:
{
"kind":"Event",
"apiVersion":"audit.k8s.io/v1",
"level":"RequestResponse",
"auditID":0a4376d5-307a-4e16-a049-24e017******,
"stage":"ResponseComplete",
// What happened?
"requestURI":"/apis/apps/v1/namespaces/default/deployments",
"verb":"create",
// Who initiated the request?
"user":{
"username":"admin",
"uid":"admin",
"groups":[
"system:masters",
"system:authenticated"
]
},
// Where was it initiated?
"sourceIPs":[
"10.0.6.68"
],
"userAgent":"kubectl/v1.16.3 (linux/amd64) kubernetes/ald64d8",
// What happened?
"objectRef":{
"resource":"deployments",
"namespace":"default",
"name":"nginx-deployment",
"apiGroup":"apps",
"apiVersion":"v1"
},
// What is the result?
"responseStatus":{
"metadata":{
},
"code":201
},
// Request and response details
"requestObject":Object{...},
"responseObject":Object{...},
// When did it start/end?
"requestReceivedTimestamp":"2020-04-10T10:47:34.315746Z",
"stageTimestamp":"2020-04-10T10:47:34.328942Z",
// Reason for accepting/rejecting the request
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":""
}
}
Unlike common logs, the level of a Kubernetes audit log is more like a verbose configuration, which is used to indicate the degree of detail of the recorded information. There are four audit levels, as described in the following table:
Parameter | Description |
---|---|
None | Nothing is recorded |
Metadata | The metadata of the request (for example, the user, time, resources, and operation) is recorded, excluding the message bodies of the request and response |
Request | The metadata and request message body are recorded, excluding the response message body |
RequestResponse | All information is recorded, including the metadata and the message bodies of the request and response |
Logs can be recorded at different stages, as described in the following table:
Parameter | Description |
---|---|
RequestReceived | The log is recorded when the request is received |
ResponseStarted | The log is recorded after the message header of the response is sent. This parameter is applicable only to persistent connection requests, such as watch. |
ResponseComplete | The log is recorded after the response is fully sent |
Panic | The request is not completed due to an internal server error |
By default, TKE records audit logs when receiving requests. For most operations, audit logs of the RequestResponse level are recorded, except for the following cases:
Logs will not be recorded for the following requests:
system:kube-proxy
for monitoring endpoints resources, services resources, or services/status resources.system:unsecured
for configmaps resources in the kube-system namespace.system:nodes
for nodes resources or nodes/status resources.system:kube-controller-manager
, system:kube-scheduler
, or system:serviceaccount:endpoint-controller
for endpoint resources in the kube-system namespace.system:apiserver
for namespaces resources, namespaces/status resources, or namespaces/finalize resources./healthz*
, /version
, or /swagger*
.Note:
- To enable the cluster audit feature, you need to restart kube-apiserver. We recommend that you do not frequently enable and disable the feature.
- A self-deployed cluster consumes about 1 GB of local storage on the master node. Therefore, ensure that the storage of the master node is sufficient.
Was this page helpful?