Where audit logs of starting/stopping pods/containers are stored on k8s

9/3/2019

On k8s, where are audit logs of starting/stopping pods or containers stored?

On k8s, we often store logs in hostpath /var/log, and let one agent mount this path and be in charge of flushing these log files. I wonder if there is a file in the hostpath that stores the audit logs of starting/stopping pods or containers.

-- Tianqiu Huang
containers
kubelet
kubernetes
logging
pod

1 Answer

9/3/2019

It is not enabled by default, but you can do it with Audit, which is part of the kube-apiserver functionality.

You should create a policy for Audit which will describe what you want to catch, and then you have 2 options for how to store them: push somewhere using a WebHook or write to files on a Master node.

To enable writing to a file, you should set a CLI flag for kube-apiserver: --audit-log-path with a path for log files.

Also, I highly recommend that you set a size limit for those files with --audit-log-maxsize, because they can be really big.

-- Anton Kostenko
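
An added example, not part of the answer above or of the Kubernetes project's own files: a minimal audit policy for the file backend the answer describes, limited to pod creation, deletion and eviction. The file paths and numeric limits are assumptions.

```yaml
# Constructed example policy; the path /etc/kubernetes/audit-policy.yaml is an assumption.
# kube-apiserver flags that use it (paths and limits are assumed values):
#   --audit-policy-file=/etc/kubernetes/audit-policy.yaml
#   --audit-log-path=/var/log/kubernetes/audit/audit.log
#   --audit-log-maxsize=100     # megabytes per file before rotation
#   --audit-log-maxbackup=5     # number of rotated files to keep
#   --audit-log-maxage=7        # days to keep rotated files
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so each request produces one event, not two.
omitStages:
  - "RequestReceived"
rules:
  # Pod lifecycle requests. Metadata level records the user, verb, resource,
  # namespace and timestamp, but not the request or response body.
  - level: Metadata
    verbs: ["create", "delete", "deletecollection"]
    resources:
      - group: ""               # core API group
        resources: ["pods"]
  # Evictions (for example from a node drain) are a create on a subresource,
  # which the "pods" entry above does not match.
  - level: Metadata
    verbs: ["create"]
    resources:
      - group: ""
        resources: ["pods/eviction"]
  # Rules are evaluated in order and the first match wins, so this
  # catch-all drops everything not matched above and keeps the file small.
  - level: None
```

The audit log records requests made to the API server, so it shows who created, deleted or evicted a pod; container restarts performed by the kubelet on a node do not appear as separate create or delete events. When kube-apiserver runs as a static pod, the policy file and the log directory must both be mounted into it from the host.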
Source: StackOverflow