If someone has edit yaml or property file of any running service, then how should I know who and when edit command was used on that particular service.
kubectl edit deploy ServiceName -n NameSpace
Kubernetes audit logs should tell you that. Kubernetes auditing provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators or other components of the system.
The known audit levels are:
None - don’t log events that match this rule.
Metadata - log request metadata (requesting user, timestamp, resource, verb, etc.) but not request or response body.
Request - log event metadata and request body but not response body. This does not apply for non-resource requests.
RequestResponse - log event metadata, request and response bodies. This does not apply for non-resource requests.
You could write an audit policy like below
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log deployment changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: "apps"   # API group only; the version ("v1") is not part of the group
      resources: ["deployments"]
You need to apply this via the --audit-policy-file flag of the kube API server.
Also you can use Fluentd to collect the audit logs as in this guide
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
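Once the policy above is in place, the audit log answers the original question ("who edited this deployment, and when") by filtering for write verbs against Deployments. The following script is an added example, not part of the answer above or of any Kubernetes tooling; it parses JSON Lines audit output in the audit.k8s.io/v1 Event format and reports the user, timestamp, source IP and outcome of each write. The log records, usernames, IPs and timestamps are constructed for the example. Note that `kubectl edit` first GETs the object and then sends a PATCH, so the read is dropped and only the write is reported.

```python
import json

# Constructed sample audit log (JSON Lines, audit.k8s.io/v1 Event format).
# These records are made up for this example; they are not real cluster logs.
# a1: the GET that kubectl edit issues before opening the editor (ignored)
# a2: the PATCH kubectl edit sends on save (the edit we want to attribute)
# a3: a ConfigMap patch, not a Deployment (ignored)
# a4: a Deployment update rejected by RBAC (reported, marked as failed)
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a1","stage":"ResponseComplete","requestURI":"/apis/apps/v1/namespaces/prod/deployments/payments","verb":"get","user":{"username":"jane@example.com","groups":["system:authenticated"]},"sourceIPs":["10.0.0.12"],"userAgent":"kubectl/v1.27.3","objectRef":{"resource":"deployments","namespace":"prod","name":"payments","apiGroup":"apps","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-09-01T10:15:02.000000Z","stageTimestamp":"2023-09-01T10:15:02.010000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a2","stage":"ResponseComplete","requestURI":"/apis/apps/v1/namespaces/prod/deployments/payments","verb":"patch","user":{"username":"jane@example.com","groups":["system:authenticated"]},"sourceIPs":["10.0.0.12"],"userAgent":"kubectl/v1.27.3","objectRef":{"resource":"deployments","namespace":"prod","name":"payments","apiGroup":"apps","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-09-01T10:15:40.000000Z","stageTimestamp":"2023-09-01T10:15:40.020000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/configmaps/payments-config","verb":"patch","user":{"username":"bob@example.com","groups":["system:authenticated"]},"sourceIPs":["10.0.0.20"],"userAgent":"kubectl/v1.27.3","objectRef":{"resource":"configmaps","namespace":"prod","name":"payments-config","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-09-01T10:16:00.000000Z","stageTimestamp":"2023-09-01T10:16:00.005000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a4","stage":"ResponseComplete","requestURI":"/apis/apps/v1/namespaces/prod/deployments/payments","verb":"update","user":{"username":"bob@example.com","groups":["system:authenticated"]},"sourceIPs":["10.0.0.20"],"userAgent":"kubectl/v1.27.3","objectRef":{"resource":"deployments","namespace":"prod","name":"payments","apiGroup":"apps","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","reason":"Forbidden","code":403},"requestReceivedTimestamp":"2023-09-01T10:17:00.000000Z","stageTimestamp":"2023-09-01T10:17:00.003000Z"}
this line is deliberately not JSON, to show malformed input being skipped
"""

# Verbs that modify an object; reads (get, list, watch) are not "edits".
WRITE_VERBS = {"create", "update", "patch", "delete"}


def parse_events(lines):
    """Parse JSON Lines audit output, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupted line; do not abort the whole scan
        if ev.get("kind") == "Event":
            events.append(ev)
    return events


def deployment_changes(events, namespace=None, name=None):
    """Return write requests against Deployments (apps group), oldest first.

    Only ResponseComplete events are used so each request is counted once
    and its HTTP status is known. The optional namespace/name filters narrow
    the result to one Deployment.
    """
    hits = []
    for ev in events:
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "deployments" or ref.get("apiGroup") != "apps":
            continue
        if ev.get("verb") not in WRITE_VERBS:
            continue
        if ev.get("stage") != "ResponseComplete":
            continue
        if namespace and ref.get("namespace") != namespace:
            continue
        if name and ref.get("name") != name:
            continue
        code = (ev.get("responseStatus") or {}).get("code", 0)
        hits.append({
            "time": ev.get("requestReceivedTimestamp"),  # RFC 3339, sorts lexically
            "user": (ev.get("user") or {}).get("username"),
            "verb": ev.get("verb"),
            "namespace": ref.get("namespace"),
            "name": ref.get("name"),
            "source_ips": ev.get("sourceIPs", []),
            "user_agent": ev.get("userAgent"),
            "succeeded": 200 <= code < 300,
        })
    hits.sort(key=lambda h: h["time"] or "")
    return hits


if __name__ == "__main__":
    # Usage: replace SAMPLE_AUDIT_LOG with open("/var/log/kubernetes/audit.log")
    events = parse_events(SAMPLE_AUDIT_LOG.splitlines())
    for h in deployment_changes(events, namespace="prod", name="payments"):
        outcome = "OK" if h["succeeded"] else "DENIED"
        print(f'{h["time"]} {h["user"]:<20} {h["verb"]:<7} '
              f'{h["namespace"]}/{h["name"]} from {",".join(h["source_ips"])} '
              f'({h["user_agent"]}) {outcome}')
```

The failed 403 update is kept in the output on purpose: an attempt to modify a workload that RBAC rejected is often more interesting to an investigator than the successful edit, and the policy above records it at the same level. With the example policy, `Metadata` level would already be enough for this attribution; `RequestResponse` additionally captures the request body, which is what lets you see what was changed, not only who changed it.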