I need to filter and forward audit log events from Kubernetes to a webhook. Is there a mechanism that I can use that works for on-prem clusters, GKE, EKS, and AKS?
I can set up EKS to log the audit events to CloudWatch Logs, Azure to log these to diagnostic logging, GCP logs to Stackdriver (Google seems to reformat them), but I would prefer a single mechanism for all. I know that Kubernetes supports starting the API server with some arguments for specifying audit destinations, but I don't really have any control over that for managed cloud solutions like EKS/AKS/GKE. If I can hook these events from a container somehow, that would be great. The Event API (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#event-v1-core), however, seems to be a different class of event, which doesn't contain the user information that I need.
The events I am looking for are the audit events such as:
{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Request",
  "auditID": "b5944e24-548d-4b5e-a5c7-218316d20ff1",
  "stage": "ResponseComplete",
  "requestURI": "/apis/rbac.authorization.k8s.io/v1beta1/clusterrolebindings/system:persistent-volume-binding",
  "verb": "get",
  "user": {
    "username": "aksService",
    "groups": ["system:masters", "system:authenticated"]
  },
  "sourceIPs": ["172.31.20.52"],
  "userAgent": "kubectl/v1.13.2 (linux/amd64) kubernetes/cff46ab",
  "objectRef": {
    "resource": "clusterrolebindings",
    "name": "system:persistent-volume-binding",
    "apiGroup": "rbac.authorization.k8s.io",
    "apiVersion": "v1beta1"
  },
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "requestReceivedTimestamp": "2019-10-24T17:38:56.846112Z",
  "stageTimestamp": "2019-10-24T17:38:56.848507Z",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  }
}
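As an added example (not part of the original question, and not code from any of the cloud products named in it), here is a small Python filter over events in the audit.k8s.io/v1 format shown above. It accepts either a single Event or the EventList envelope that the kube-apiserver webhook backend batches events into, keeps only the records worth forwarding, and flattens them into the payload you would POST; the sample events other than the one from the question, and the selection rules themselves, are my assumptions.

```python
# Constructed sample in the audit.k8s.io/v1 format from the question: its own event (trimmed) plus two made-up ones.
SAMPLE_EVENT_LIST = {
    "kind": "EventList", "apiVersion": "audit.k8s.io/v1",
    "items": [
        {"auditID": "b5944e24-548d-4b5e-a5c7-218316d20ff1", "stage": "ResponseComplete",
         "verb": "get", "user": {"username": "aksService",
                                  "groups": ["system:masters", "system:authenticated"]},
         "objectRef": {"resource": "clusterrolebindings",
                       "name": "system:persistent-volume-binding"},
         "responseStatus": {"code": 200},
         "annotations": {"authorization.k8s.io/decision": "allow"}},
        {"auditID": "constructed-0002", "stage": "ResponseComplete", "verb": "list",
         "user": {"username": "jane", "groups": ["developers", "system:authenticated"]},
         "objectRef": {"resource": "pods", "namespace": "dev"},
         "responseStatus": {"code": 200},
         "annotations": {"authorization.k8s.io/decision": "allow"}},
        {"auditID": "constructed-0003", "stage": "RequestReceived", "verb": "delete",
         "user": {"username": "jane", "groups": ["developers"]},
         "objectRef": {"resource": "secrets", "namespace": "dev", "name": "db-creds"}},
    ],
}
PRIVILEGED_GROUPS = {"system:masters"}   # assumed policy: always forward what cluster-admins do
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

def iter_events(payload):
    """Yield single events from either one Event or an EventList envelope."""
    if payload.get("kind") == "EventList":
        yield from payload.get("items", [])
    else:
        yield payload

def is_interesting(event):
    """Keep only the completed stage of writes, denied requests and privileged-group actions."""
    if event.get("stage") != "ResponseComplete":  # RequestReceived would duplicate the same call
        return False
    groups = set(event.get("user", {}).get("groups", []))
    denied = event.get("annotations", {}).get("authorization.k8s.io/decision") == "forbid"
    return event.get("verb") in WRITE_VERBS or denied or bool(groups & PRIVILEGED_GROUPS)

def to_record(event):
    """Flatten an event into the compact record that would be POSTed to the webhook."""
    user, ref = event.get("user", {}), event.get("objectRef", {})
    target = "/".join(p for p in (ref.get("namespace"), ref.get("resource"), ref.get("name")) if p)
    return {"auditID": event.get("auditID"), "user": user.get("username"),
            "groups": user.get("groups", []), "verb": event.get("verb"), "target": target,
            "code": event.get("responseStatus", {}).get("code")}

def filter_payload(payload):
    """Return the webhook records for the events worth forwarding."""
    return [to_record(e) for e in iter_events(payload) if is_interesting(e)]
```

On the sample list only the question's own event survives: the `list` by a plain developer is dropped, and the `delete` is dropped because only its RequestReceived stage is present.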