I'm trying to find some way to log audit events for each user, i.e whatever the kubectl commands the user executed and the commands which users ran by logging into any of the pods in the cluster. This logs can pushed to elasticsearch or any other similar logging applications for auditing of the cluster.
Can someone please help me here, is there any tool which helps to do this or is there any way that I can achieve this requirement.
Audit records begin their lifecycle inside the kube-apiserver component. Each request on each stage of its execution generates an audit event, which is then pre-processed according to a certain policy and written to a backend. The policy determines what's recorded and the backends persist the records. Now, this backend can be of two types:
1) WebHook Backend (send audit events to a remote web API) 2) Log backend (send events to log file)
You need to pass the policy file to your kubeapi-server, with the rules defined for your resources. Since, every event is audited, but with policy in place you will only get those which you specified as rule in policy yaml.
More info is itself available in k8s docs:
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/