K
Q

Audit k8s cluster events on AWS

12/5/2019

For an EKS cluster, cloudtrail logs cluster events such as create, update and delete. However we are using kubeadm to provision clusters. How do we log an audit trail of these cluster events? Thanks.

-- Tony
amazon-web-services
audit
kubernetes

Similar Questions

Still finding the need to use virtualenv in Docker/k8s/Skaffold dev environment to run commands
Access istio/k8s service via HTTPS
Kubernetes ingress "an error on the server ("") has prevented the request from succeeding"
How to mandate all pods in namespace to be marked with label key=value upon creation
Pod unable to install packages(apt-get update or apt-get install )

1 Answer

12/5/2019

CloudTrail logs API events in AWS, so I don't think you can use it for K8S events. However, you can use log shippers to send custom metrics to CloudWatch. From there you can emit events and create dashboards.

For this you have a couple of options, you can use the CloudWatch agent, An Elastic Beat, Logstash, or maybe use something like Splunk if you don't want to use CloudWatch.

From the K8S documentation, there's an Audit log (possibly at /var/log/kube-audit for your cluster) which...

Kubernetes auditing provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system. It allows cluster administrator to answer the following questions:

You can ship/parse this log with another service.

If you need more control over the outcome, you can write a custom Beat, based on the libbeat specification. https://github.com/elastic/beats/tree/master/libbeat

Otherwise, I think a lot of people use Filebeat: https://github.com/elastic/beats/tree/master/deploy/kubernetes

K8S also supports custom Audit Policies for further control

-- DanielC
Source: StackOverflow