Getting/Forwarding Audit events from kubernetes clusters

10/28/2019

I need to filter and forward audit log events from Kubernetes to a webhook. Is there a mechanism that I can use that works for on-prem clusters, GKE, EKS, and AKS?

I can set up EKS to log the audit events to CloudWatch Logs, Azure to log these to diagnostic logging, GCP logs to Stackdriver (Google seems to reformat them), but I would prefer a single mechanism for all. I know that Kubernetes supports starting the API server with some arguments for specifying audit destinations, but I don't really have any control over that for managed cloud solutions like EKS/AKS/GKE. If I can hook these events from a container somehow that would be great. The Event API (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#event-v1-core) however seems to be a different class of event, which doesn't contain the user information that I need.

The events I am looking for are the audit events such as:

{
    "kind": "Event",
    "apiVersion": "audit.k8s.io/v1",
    "level": "Request",
    "auditID": "b5944e24-548d-4b5e-a5c7-218316d20ff1",
    "stage": "ResponseComplete",
    "requestURI": "/apis/rbac.authorization.k8s.io/v1beta1/clusterrolebindings/system:persistent-volume-binding",
    "verb": "get",
    "user": {
        "username": "aksService",
        "groups": ["system:masters", "system:authenticated"]
    },
    "sourceIPs": ["172.31.20.52"],
    "userAgent": "kubectl/v1.13.2 (linux/amd64) kubernetes/cff46ab",
    "objectRef": {
        "resource": "clusterrolebindings",
        "name": "system:persistent-volume-binding",
        "apiGroup": "rbac.authorization.k8s.io",
        "apiVersion": "v1beta1"
    },
    "responseStatus": {
        "metadata": {},
        "code": 200
    },
    "requestReceivedTimestamp": "2019-10-24T17:38:56.846112Z",
    "stageTimestamp": "2019-10-24T17:38:56.848507Z",
    "annotations": {
        "authorization.k8s.io/decision": "allow",
        "authorization.k8s.io/reason": ""
    }
}
-- user12286841
aws-eks
azure-aks
google-kubernetes-engine
kubernetes

0 Answers
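As an added example that is not part of the question or of any answer: a small Python script that reads newline-delimited audit events (the format the API server's log backend writes, and what the cloud providers' log exports hand you once you export them), skips records that are not audit.k8s.io Events (a core/v1 Event of the kind the question mentions is dropped because it carries no user field), applies a filter that keeps mutating requests, any access to RBAC objects and any denied request, and wraps the survivors in the audit.k8s.io/v1 EventList that the API server's own webhook backend POSTs. The filter policy, every sample record other than the one quoted in the question (auditIDs, users and object names are invented), and the webhook URL are assumptions for illustration.

```python
"""Filter Kubernetes audit events and package the survivors as an
audit.k8s.io/v1 EventList for delivery to a webhook."""
import json
import urllib.request
from typing import Dict, Iterable, List

# Constructed sample input: the event from the question plus four made-up
# records. auditIDs 0000...2/3/4, the users and the object names are invented.
SAMPLE_AUDIT_LINES = [
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Request",
                "auditID": "b5944e24-548d-4b5e-a5c7-218316d20ff1", "stage": "ResponseComplete",
                "verb": "get", "user": {"username": "aksService",
                                        "groups": ["system:masters", "system:authenticated"]},
                "objectRef": {"resource": "clusterrolebindings", "name": "system:persistent-volume-binding",
                              "apiGroup": "rbac.authorization.k8s.io", "apiVersion": "v1beta1"},
                "responseStatus": {"metadata": {}, "code": 200},
                "annotations": {"authorization.k8s.io/decision": "allow", "authorization.k8s.io/reason": ""}}),
    # routine allowed read by a control-plane component: noise to drop
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                "auditID": "00000000-0000-4000-8000-000000000002", "stage": "ResponseComplete",
                "verb": "get", "user": {"username": "system:kube-controller-manager"},
                "objectRef": {"resource": "endpoints", "namespace": "kube-system", "apiGroup": ""},
                "responseStatus": {"code": 200}, "annotations": {"authorization.k8s.io/decision": "allow"}}),
    # a human deleting a namespace: mutating verb, keep
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Request",
                "auditID": "00000000-0000-4000-8000-000000000003", "stage": "ResponseComplete",
                "verb": "delete", "user": {"username": "alice@example.com"},
                "objectRef": {"resource": "namespaces", "name": "staging", "apiGroup": ""},
                "responseStatus": {"code": 200}, "annotations": {"authorization.k8s.io/decision": "allow"}}),
    # a denied request: keep regardless of verb
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                "auditID": "00000000-0000-4000-8000-000000000004", "stage": "ResponseComplete",
                "verb": "list", "user": {"username": "bob@example.com"},
                "objectRef": {"resource": "secrets", "namespace": "prod", "apiGroup": ""},
                "responseStatus": {"code": 403},
                "annotations": {"authorization.k8s.io/decision": "forbid", "authorization.k8s.io/reason": ""}}),
    # a core/v1 Event (what `kubectl get events` shows): not an audit event, no user field
    json.dumps({"kind": "Event", "apiVersion": "v1", "reason": "Scheduled",
                "message": "Successfully assigned prod/web-0 to node-1"}),
]

# Verbs that change cluster state (the remaining verbs are reads: get/list/watch).
MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def parse_audit_lines(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON lines and keep only audit.k8s.io Events (core/v1 Events are skipped)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("kind") == "Event" and ev.get("apiVersion", "").startswith("audit.k8s.io/"):
            events.append(ev)
    return events


def is_interesting(ev: Dict) -> bool:
    """Example filter policy (an assumption, not a Kubernetes rule): keep completed
    requests that mutate state, touch RBAC objects, or were denied by authorization."""
    if ev.get("stage") != "ResponseComplete":  # one record per request, at the end
        return False
    denied = ev.get("annotations", {}).get("authorization.k8s.io/decision") == "forbid"
    rbac = ev.get("objectRef", {}).get("apiGroup") == "rbac.authorization.k8s.io"
    return denied or rbac or ev.get("verb") in MUTATING_VERBS


def filter_events(events: Iterable[Dict]) -> List[Dict]:
    return [ev for ev in events if is_interesting(ev)]


def summarize(ev: Dict) -> str:
    """One-line 'who did what, and was it allowed' string, e.g. for a notification title."""
    ref = ev.get("objectRef", {})
    target = ref.get("resource", "?")
    if ref.get("namespace"):
        target = f"{ref['namespace']}/{target}"
    if ref.get("name"):
        target = f"{target}/{ref['name']}"
    decision = ev.get("annotations", {}).get("authorization.k8s.io/decision", "?")
    code = ev.get("responseStatus", {}).get("code", "?")
    return f"{ev.get('user', {}).get('username', '?')} {ev.get('verb', '?')} {target} {decision} {code}"


def build_event_list(events: List[Dict]) -> Dict:
    """Wrap events in the EventList shape the kube-apiserver webhook backend POSTs."""
    return {"kind": "EventList", "apiVersion": "audit.k8s.io/v1", "metadata": {}, "items": events}


def post_event_list(url: str, payload: Dict, timeout: float = 5.0) -> int:
    """POST the EventList as JSON to a webhook; returns the HTTP status code."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    kept = filter_events(parse_audit_lines(SAMPLE_AUDIT_LINES))
    for ev in kept:
        print(summarize(ev))
    # Hypothetical receiver; uncomment to actually deliver the batch:
    # post_event_list("https://hooks.example.invalid/k8s-audit", build_event_list(kept))
```

Because the output is the same EventList the API server would send, a receiver written for the native webhook backend can be fed from this script on managed clusters where the `--audit-webhook-config-file` flag is out of reach, with only the ingestion side (CloudWatch, diagnostic logs, Stackdriver export) differing per provider.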