Cluster Audit
Last updated: 2023-05-06 17:36:46
Note:
From now to December 31, 2021, users are exempt from CLS service fees incurred by audit log/event data generated by TKE Serverless for auto-created logsets or auto-created log topics in existing logsets.

Overview

Cluster audit is a feature based on Kubernetes Auditing. It stores, and lets you search, the JSON-formatted records that kube-apiserver generates according to a configurable audit policy. Every access to kube-apiserver is recorded, so the activity of each user, administrator, or system component that affects the cluster is captured in chronological order.

Advantages

The cluster audit feature adds a cluster monitoring dimension that metrics do not provide. After cluster audit is enabled, Kubernetes records every operation performed on the cluster as an audit log. An audit log is a structured record in JSON format with three parts: metadata, requestObject, and responseObject. The metadata (the request context, such as who initiated the request, from where, and which URI was accessed) is always present. requestObject and responseObject are optional and depend on the audit level. From the logs you can learn:
Activities that occur in the cluster.
Activity occurrence time and objects.
Activity triggering time, triggering positions, and observation points.
Activity results and subsequent processing.

An example of how to read the audit log

{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "RequestResponse",
  "auditID": "0a4376d5-307a-4e16-a049-24e017******",
  "stage": "ResponseComplete",
  // What happened?
  "requestURI": "/apis/apps/v1/namespaces/default/deployments",
  "verb": "create",
  // Who initiated the request?
  "user": {
    "username": "admin",
    "uid": "admin",
    "groups": [
      "system:masters",
      "system:authenticated"
    ]
  },
  // Where was it initiated?
  "sourceIPs": [
    "10.0.6.68"
  ],
  "userAgent": "kubectl/v1.16.3 (linux/amd64) kubernetes/ald64d8",
  // Which object was affected?
  "objectRef": {
    "resource": "deployments",
    "namespace": "default",
    "name": "nginx-deployment",
    "apiGroup": "apps",
    "apiVersion": "v1"
  },
  // What was the result?
  "responseStatus": {
    "metadata": {},
    "code": 201
  },
  // Request and response details (bodies omitted here)
  "requestObject": Object{...},
  "responseObject": Object{...},
  // When did it start/end?
  "requestReceivedTimestamp": "2020-04-10T10:47:34.315746Z",
  "stageTimestamp": "2020-04-10T10:47:34.328942Z",
  // Reason for accepting/rejecting the request
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  }
}
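The following script, added here as an illustration and not part of the Tencent Cloud documentation, reads audit events in the shape shown above and answers the annotated questions (who, from where, what, result) for each one, then picks out the requests the authorizer refused or the server rejected. The two events in SAMPLE_EVENTS are constructed for this example (a successful deployment creation and a denied read of a Secret).

```python
import json

# Constructed sample input (not from the page): two audit events in JSON Lines form,
# one per line, the way a log pipeline delivers them. The second is a denied secret read.
SAMPLE_EVENTS = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"0a4376d5-0000-4e16-a049-000000000001","stage":"ResponseComplete","requestURI":"/apis/apps/v1/namespaces/default/deployments","verb":"create","user":{"username":"admin","uid":"admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["10.0.6.68"],"objectRef":{"resource":"deployments","namespace":"default","name":"nginx-deployment","apiGroup":"apps","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2020-04-10T10:47:34.315746Z","stageTimestamp":"2020-04-10T10:47:34.328942Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"0a4376d5-0000-4e16-a049-000000000002","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets/db-creds","verb":"get","user":{"username":"system:serviceaccount:default:web","uid":"1234","groups":["system:serviceaccounts","system:authenticated"]},"sourceIPs":["10.0.7.12"],"objectRef":{"resource":"secrets","namespace":"kube-system","name":"db-creds","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":403},"requestReceivedTimestamp":"2020-04-10T10:48:01.100000Z","stageTimestamp":"2020-04-10T10:48:01.101000Z","annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":"RBAC: no rule grants access"}}
"""


def parse_events(lines: str) -> list:
    """Parse JSON Lines audit output into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in lines.splitlines() if line.strip()]


def summarize(event: dict) -> dict:
    """Answer the questions marked in the example above: who, from where, what, and the result."""
    ref = event.get("objectRef", {})
    # namespace/resource/name of the object; falls back to the raw URI for non-resource requests
    target = "/".join(p for p in (ref.get("namespace"), ref.get("resource"), ref.get("name")) if p)
    annotations = event.get("annotations", {})
    return {
        "who": event["user"]["username"],
        "where": ",".join(event.get("sourceIPs", [])),
        "what": f'{event["verb"]} {target or event["requestURI"]}',
        "code": event.get("responseStatus", {}).get("code"),
        "decision": annotations.get("authorization.k8s.io/decision"),
        "reason": annotations.get("authorization.k8s.io/reason", ""),
    }


def denied_requests(events: list) -> list:
    """Return summaries of requests the authorizer refused or the server rejected (HTTP 4xx/5xx)."""
    denied = []
    for event in events:
        s = summarize(event)
        if s["decision"] == "forbid" or (s["code"] or 0) >= 400:
            denied.append(s)
    return denied


if __name__ == "__main__":
    for s in denied_requests(parse_events(SAMPLE_EVENTS)):
        print(f'{s["who"]} from {s["where"]}: {s["what"]} -> {s["code"]} ({s["reason"]})')
```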

TKE Serverless Cluster Audit Policy

Audit level (level)

Unlike the severity level of an ordinary log, the level of a Kubernetes audit event works like a verbosity setting: it specifies how much of the request is recorded. There are four audit levels:
None: Nothing is recorded.
Metadata: The request metadata (for example, user, time, resource, and operation) is recorded, but not the request body or the response body.
Request: The metadata and the request body are recorded, but not the response body.
RequestResponse: Everything is recorded: the metadata, the request body, and the response body.

Audit stage (stage)

An event can be recorded at different stages of request processing:
RequestReceived: Recorded as soon as the request is received.
ResponseStarted: Recorded after the response headers have been sent. This stage applies only to long-running requests, such as WATCH.
ResponseComplete: Recorded after the entire response has been sent.
Panic: Recorded when an internal server error occurs and the request fails.

Audit policy

By default, TKE Serverless clusters record audit logs when requests are received. Most operations are recorded at the RequestResponse level, with the following exceptions:
GET, LIST, and WATCH requests are recorded at the Request level.
Requests for Secret, ConfigMap, or TokenReview resources are recorded at the Metadata level.
The following requests are not recorded at all:
Requests sent by system:kube-proxy for monitoring endpoint, service, or service/status resources.
GET requests sent by system:unsecured for ConfigMap resources in the kube-system namespace.
GET requests sent by kubelet for node or node/status resources.
GET and UPDATE requests sent by system:kube-controller-manager, system:kube-scheduler, or system:serviceaccount:endpoint-controller for endpoint resources in the kube-system namespace.
GET requests sent by system:apiserver for namespace, namespace/status, or namespace/finalize resources.
Requests sent to URLs that match /healthz*, /version, or /swagger*.
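The policy above is a first-match rule list, and the order of the rules decides the outcome: a GET on a Secret is recorded at Metadata, not Request, because the Secret rule is checked first. The model below, added for illustration and not TKE's own policy file or evaluator, transcribes the rules as described and resolves the level for a given request. Taking "monitoring" to mean WATCH requests for the kube-proxy rule, and using a simplified version of the apiserver's matching (a rule that names resources never matches a non-resource URL), are assumptions; user names are as the page gives them.

```python
from fnmatch import fnmatch

# First-match rule list transcribed from the policy described above.
# Each entry is (level, constraints); a constraint that is absent matches anything.
POLICY = [
    ("None", {"users": {"system:kube-proxy"}, "verbs": {"watch"},  # assumption: "monitoring" = watch
              "resources": {"endpoints", "services", "services/status"}}),
    ("None", {"users": {"system:unsecured"}, "verbs": {"get"},
              "namespaces": {"kube-system"}, "resources": {"configmaps"}}),
    ("None", {"users": {"kubelet"}, "verbs": {"get"}, "resources": {"nodes", "nodes/status"}}),
    ("None", {"users": {"system:kube-controller-manager", "system:kube-scheduler",
                        "system:serviceaccount:endpoint-controller"},  # name as given on the page
              "verbs": {"get", "update"}, "namespaces": {"kube-system"}, "resources": {"endpoints"}}),
    ("None", {"users": {"system:apiserver"}, "verbs": {"get"},
              "resources": {"namespaces", "namespaces/status", "namespaces/finalize"}}),
    ("None", {"urls": ["/healthz*", "/version", "/swagger*"]}),
    # Secrets, ConfigMaps and TokenReviews: metadata only, so bodies never reach the log store.
    ("Metadata", {"resources": {"secrets", "configmaps", "tokenreviews"}}),
    # Read-only verbs: request recorded, response body dropped.
    ("Request", {"verbs": {"get", "list", "watch"}}),
    # Everything else: full request and response.
    ("RequestResponse", {}),
]


def audit_level(user, verb, resource=None, namespace=None, url=None):
    """Return the level at which the policy above records this request (first matching rule wins).

    resource/namespace describe a resource request; url is set only for non-resource requests.
    Simplified model of apiserver matching: a rule naming resources never matches a non-resource URL.
    """
    for level, c in POLICY:
        if "urls" in c:
            if url is not None and any(fnmatch(url, pattern) for pattern in c["urls"]):
                return level
            continue
        if "users" in c and user not in c["users"]:
            continue
        if "verbs" in c and verb not in c["verbs"]:
            continue
        if "namespaces" in c and namespace not in c["namespaces"]:
            continue
        if "resources" in c and resource not in c["resources"]:
            continue
        return level
    return "RequestResponse"
```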

Directions

Enabling cluster audit

Note
To enable the cluster audit feature, you need to restart kube-apiserver. We recommend that you do not frequently enable and disable the feature.
1. Log in to the TKE console.
2. In the left sidebar, choose Operation Management > Feature Management.
3. On the Feature Management page, select a region and the Serverless cluster type.
4. In the cluster list, locate the cluster for which you want to enable cluster audit, and click Set in the Operation column on the right.
5. In the Configure features pop-up window, click Edit for the Cluster Auditing feature, as shown below:

6. Check Enable Cluster Auditing. Select the logset and log topic for storing audit logs. We recommend that you select Auto-create Logset, as shown below:

7. Click Confirm to enable the cluster audit feature.