I want to enable dynamic auditing in GKE and send logs to some endpoint. How can I enable it?
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#dynamic-backend
According to official doc I need to restart the api server with mentioned flag. But I am not able to access kube-api server pod in GKE
Need to set these 3 flags
--audit-dynamic-configuratio
--feature-gates=DynamicAuditing=true
--runtime-config=auditregistration.k8s.io/v1alpha1=true
I am expecting it to enable dynamic auditing.
Consider that GKE is a managed version of Kubernetes and the kube-api server is completely managed by Google, so there is no way to pass these flags and restart the server.
However, GKE is constantly implementing the new features released in the Open Source version of Kubernetes, and such flags might be enabled by default on an oncoming version.
Unfortunately for this in specific, doesn't seem to be the case (not even for alpha clusters). If you check the API resources enabled with kubectl api-resources
, you'll notice that there is no auditregistration.k8s.io
.
Furthermore, this feature has CRDs kinds (AuditSink
) not available in GKE yet.
At this point, you can either wait for the feature to be rolled out on GKE or switch to the Open Source version.