I would like to define a policy for the audit log that will include information only regarding pod creation. I would like to make sure that all the audit logs won't appear. How can I find all the options that the policy can have? I would like to have only:
```yaml
- level: RequestResponse
  resources:
  - group: ""
    # Resource "pods" doesn't match requests to any subresource of pods,
    # which is consistent with the RBAC policy.
    resources: ["pods"]
```
I used the k8s formal site and used their example. I changed everything to "None" except for the "Pods" rule, and still I got a lot of other logs not related to pods.
My policy is:
```yaml
apiVersion: audit.k8s.io/v1 # added: a Policy file needs apiVersion and kind to load
kind: Policy
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["pods"]
  - level: None
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"
  # Log the request body of configmap changes in kube-system.
  - level: None
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
  - level: None
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]
  - level: None
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.
  - level: None
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"
```
Simply changing the example config .yaml will not solve your issue. You need to understand exactly how the audit policy file works.
When an event is processed it is compared against the audit policy rules in order, and the first matching rule sets the audit level of the event.
Here's an example of a rule you want to set up in your use case. If an event matches the rule, the Kubernetes API server creates a log entry at the RequestResponse level.
```yaml
- level: RequestResponse
  verbs: ["create"]
  resources:
  - group: "" # core
    resources: ["pods", "pods/status"]
  omitStages:
    - "RequestReceived"
```
An event matches the rule if all of the following are true:
- It is a create request.
- It targets a pods resource or a pods/status resource.
- It is not in the RequestReceived stage of the call.

If you still see log entries that you would like to filter out, then add level: None rules before the above example, as the Kubernetes audit policy file starts with rules that specify that certain events should not be logged at all.
Please let me know if that helps.
EDIT:
How can I make sure that I cover all K8S audit options? Is there any "general" rule that says don't log anything, so that before this rule I will add only my specific logs?
It depends on your cluster. The easiest way to achieve that would be to add a level: None rule before the one you created to exclude the unnecessary events.

Regarding the pod creation, if I would like to be more specific and get logs only from the "default" namespace and not from other namespaces?

The same thing can be applied here. Just add a level: None rule that would exclude events from other namespaces.
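To see the first-match ordering the answer describes, together with the namespace restriction asked about in the follow-up, applied to concrete requests, here is an added example that is not part of the original question or answer: a small Python re-implementation of audit rule matching with a constructed policy and constructed events. It is a simplified model of the API server's behaviour covering only verbs, namespaces, resources with subresources and omitStages; the field names are the real audit Policy fields, the event dicts are an assumed shape for this example.

```python
# Simplified re-implementation of the first-match rule selection described in
# the answer (not kube-apiserver code): every field a rule sets must match, unset
# fields are wildcards, the first matching rule wins, no match means None.

# Constructed policy: log pod creation in "default" at RequestResponse and
# drop everything else with a catch-all None rule, which must come last.
POLICY = {
    "apiVersion": "audit.k8s.io/v1", "kind": "Policy",
    "omitStages": ["RequestReceived"],
    "rules": [
        {"level": "RequestResponse", "verbs": ["create"], "namespaces": ["default"],
         "resources": [{"group": "", "resources": ["pods"]}]},
        {"level": "None"},  # catch-all
    ],
}

def event(verb, resource, namespace, stage="ResponseComplete", subresource=None):
    """Constructed audit event (not captured from a real cluster), core group."""
    return {"verb": verb, "group": "", "resource": resource,
            "subresource": subresource, "namespace": namespace, "stage": stage}

def _resource_matches(rule, ev):
    if "resources" not in rule:  # no resource filter: any resource matches
        return True
    name = ev["resource"] + ("/" + ev["subresource"] if ev["subresource"] else "")
    for gr in rule["resources"]:
        if gr.get("group", "") != ev["group"]:
            continue
        wanted = gr.get("resources", [])
        # "pods" does not match "pods/log"; "pods/*" matches every subresource
        if not wanted or name in wanted or ev["resource"] + "/*" in wanted:
            return True
    return False

def audit_level(policy, ev):
    """Level set by the first matching rule; None when no rule matches or the
    stage is in omitStages (policy-wide or on the winning rule)."""
    for rule in policy["rules"]:
        if rule.get("verbs") and ev["verb"] not in rule["verbs"]:
            continue
        if rule.get("namespaces") and ev["namespace"] not in rule["namespaces"]:
            continue
        if not _resource_matches(rule, ev):
            continue
        omitted = set(policy.get("omitStages", [])) | set(rule.get("omitStages", []))
        return "None" if ev["stage"] in omitted else rule["level"]
    return "None"

def with_catch_all_first(policy):
    """Same rules, catch-all moved to the front: shows why order matters."""
    return {**policy, "rules": list(reversed(policy["rules"]))}
```

Calling audit_level(POLICY, event("create", "pods", "kube-system")) returns "None" while the same request in "default" returns "RequestResponse"; with_catch_all_first(POLICY) returns "None" for every event, which is what happens when the general rule is placed before the specific ones.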