enable audit logging in GKE

7/23/2019

I want to enable dynamic auditing in GKE and send logs to some endpoint. How can I enable it?

https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#dynamic-backend

According to the official doc I need to restart the API server with the mentioned flags. But I am not able to access the kube-api server pod in GKE.

I need to set these 3 flags:

--audit-dynamic-configuration
--feature-gates=DynamicAuditing=true
--runtime-config=auditregistration.k8s.io/v1alpha1=true

I am expecting it to enable dynamic auditing.

-- shashank patel
docker
google-cloud-platform
google-kubernetes-engine
kubernetes

1 Answer

7/23/2019

Consider that GKE is a managed version of Kubernetes and the kube-api server is completely managed by Google, so there is no way to pass these flags and restart the server.

However, GKE is constantly implementing the new features released in the open source version of Kubernetes, and such flags might be enabled by default in an upcoming version.

Unfortunately, for this feature in particular, that doesn't seem to be the case (not even for alpha clusters). If you check the API resources enabled with kubectl api-resources, you'll notice that there is no auditregistration.k8s.io.

Furthermore, this feature has CRD kinds (AuditSink) that are not available in GKE yet.

At this point, you can either wait for the feature to be rolled out on GKE or switch to the Open Source version.

-- yyyyahir
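Added example, not part of the question or the answer above: a shell script that performs the kubectl api-resources check the answer describes, and renders an AuditSink (manifest shape taken from the Kubernetes dynamic-backend doc linked in the question) only when the auditregistration.k8s.io group is actually served. The sink name, the webhook URL and the two api-resources listings are constructed assumptions so the script runs offline; the live kubectl call is shown in a comment.

```bash
#!/usr/bin/env bash
# Added example (not from the question or answer). Decide whether a cluster
# exposes the auditregistration.k8s.io group, and only then produce an
# AuditSink for it. The sample api-resources listings below are constructed
# by hand so this runs without a cluster.

# Return 0 if the given `kubectl api-resources` output lists any resource in
# the auditregistration.k8s.io group (the AuditSink kind lives there).
# Matches the group as a whole field (optionally with /version, as newer
# kubectl prints APIVERSION) so a look-alike such as audit.example.io
# does not count.
has_audit_registration() {
    printf '%s\n' "$1" \
      | grep -Eq '(^|[[:space:]])auditregistration\.k8s\.io(/[[:alnum:]]+)?([[:space:]]|$)'
}

# Emit an AuditSink manifest in the shape shown by the Kubernetes
# dynamic-backend doc: Metadata-level events at ResponseComplete, throttled,
# shipped to a webhook URL. Name and URL are caller-supplied assumptions.
audit_sink_manifest() {
    local name="$1" url="$2"
    cat <<EOF
apiVersion: auditregistration.k8s.io/v1alpha1
kind: AuditSink
metadata:
  name: ${name}
spec:
  policy:
    level: Metadata
    stages:
    - ResponseComplete
  webhook:
    throttle:
      qps: 10
      burst: 15
    clientConfig:
      url: "${url}"
EOF
}

# Given api-resources output, print "apply" followed by the manifest when the
# group is served, or "unsupported" when it is not (the GKE case in the answer).
plan_dynamic_audit() {
    local api_resources="$1" name="$2" url="$3"
    if has_audit_registration "$api_resources"; then
        echo "apply"
        audit_sink_manifest "$name" "$url"
    else
        echo "unsupported"
    fi
}

# Constructed sample: what a managed cluster without the feature returns.
# Note the decoy audit.example.io group, which must not trigger a match.
SAMPLE_GKE='NAME                           SHORTNAMES   APIGROUP                       NAMESPACED   KIND
bindings                                                                  true         Binding
pods                           po                                         true         Pod
mutatingwebhookconfigurations               admissionregistration.k8s.io   false        MutatingWebhookConfiguration
auditpolicies                               audit.example.io               false        AuditPolicy'

# Constructed sample: a self-managed cluster whose kube-apiserver was started
# with the three flags from the question (for kubeadm, they go in
# /etc/kubernetes/manifests/kube-apiserver.yaml):
#   --audit-dynamic-configuration
#   --feature-gates=DynamicAuditing=true
#   --runtime-config=auditregistration.k8s.io/v1alpha1=true
SAMPLE_UPSTREAM='NAME                           SHORTNAMES   APIGROUP                       NAMESPACED   KIND
pods                           po                                         true         Pod
auditsinks                                  auditregistration.k8s.io       false        AuditSink'

# Live use against a real cluster (commented out so the example runs offline):
#   plan_dynamic_audit "$(kubectl api-resources)" mysink https://audit.example.internal/events | kubectl apply -f -
plan_dynamic_audit "$SAMPLE_GKE"      mysink https://audit.example.internal/events
plan_dynamic_audit "$SAMPLE_UPSTREAM" mysink https://audit.example.internal/events
```

The check is deliberately done on the served API groups rather than on the cluster version: whether the group is present is exactly what determines if `kubectl apply` of an AuditSink can succeed, and it stays correct if a provider later enables the feature without announcing it.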
Source: StackOverflow