Getting logs of SSH access to pods in Kubernetes

8/13/2018

I'm running a Kubernetes cluster on Google Cloud, and I'm trying to figure out a way to see all SSH access to the pods, whether it was done using the Google cluster management tools or via kubectl.

I want to be able to see which user account made the access, and ideally what commands they ran. I have Stackdriver logging running on all instances, which I think may already be recording these actions, but looking at the giant wall of logs, I can't figure out how to tell which of these were generated by someone SSHing in.

Is there some kind of standard labeling schema in Stackdriver to denote SSH access?

-- mstorkson
google-kubernetes-engine
kubernetes
stackdriver

1 Answer

8/14/2018

So it turns out that Google Cloud has Auditing enabled by default for Kubernetes, which logs many things, including access to the pod through kubectl. I was able to update my Stackdriver log filter like so:

protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog"

And get the logs I was interested in.

-- mstorkson
Source: StackOverflow
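
The following is an added example, not part of the original answer: it narrows exported audit entries matching the filter above to interactive pod access and reports which account made it. The method names (`io.k8s.core.v1.pods.exec.create`, `io.k8s.core.v1.pods.attach.create`) and the `authenticationInfo.principalEmail` and `resourceName` fields are assumptions about the GKE audit log layout, and the sample entries are constructed.

```python
import json

AUDIT_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"
# Assumed audit method names for interactive access (kubectl exec / attach).
INTERACTIVE_METHODS = {
    "io.k8s.core.v1.pods.exec.create": "exec",
    "io.k8s.core.v1.pods.attach.create": "attach",
}

def _entry(ts, method, resource, who):
    """Build one constructed sample audit entry as a JSON line."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "@type": AUDIT_TYPE, "methodName": method, "resourceName": resource,
        "authenticationInfo": {"principalEmail": who}}})

# Constructed sample export, one JSON entry per line, with noise mixed in.
SAMPLE_LOG = [
    _entry("2018-08-14T10:00:00Z", "io.k8s.core.v1.pods.list",
           "core/v1/namespaces/prod/pods", "ci@example.com"),
    _entry("2018-08-14T10:05:12Z", "io.k8s.core.v1.pods.exec.create",
           "core/v1/namespaces/prod/pods/web-1/exec", "alice@example.com"),
    '{"timestamp": "2018-08-14T10:06:00Z", "textPayload": "GET /healthz 200"}',
    _entry("2018-08-14T10:07:30Z", "io.k8s.core.v1.pods.attach.create",
           "core/v1/namespaces/dev/pods/job-7/attach", "bob@example.com"),
    "not json at all",
]

def _segment_after(parts, key):
    """Return the path segment following `key`, or '?' if it is absent."""
    return parts[parts.index(key) + 1] if key in parts[:-1] else "?"

def interactive_access(lines):
    """Return (timestamp, principal, kind, namespace, pod) per exec/attach."""
    events = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines in the export
        payload = entry.get("protoPayload") or {}
        if payload.get("@type") != AUDIT_TYPE:
            continue  # same condition as the log filter in the answer
        kind = INTERACTIVE_METHODS.get(payload.get("methodName"))
        if kind is None:
            continue  # audited, but not interactive access
        who = payload.get("authenticationInfo", {}).get("principalEmail", "?")
        parts = payload.get("resourceName", "").split("/")
        events.append((entry.get("timestamp", "?"), who, kind,
                       _segment_after(parts, "namespaces"),
                       _segment_after(parts, "pods")))
    return events

if __name__ == "__main__":
    for event in interactive_access(SAMPLE_LOG):
        print(*event)
```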