Configure Audit Logging in Kubernetes

30 minutes
  • 2 Learning Objectives

About this Hands-on Lab

Audit logging is essential to any Kubernetes security strategy. In this lab, you will have the opportunity to practice your skills with Kubernetes audit logging by configuring audit logging for a cluster.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Implement Audit Policy Rules

Add the following rules to the audit policy.

Note: You can find an audit policy file located at /etc/kubernetes/audit-policy.yaml.

  • Log request and response bodies for all changes to namespaces.
  • Log request bodies (but not response bodies) for changes to Pods and Services in the web namespace.
  • Log metadata for all changes to Secrets.
  • Create a catch-all rule to log metadata for all other requests.

Configure Audit Logging

Configure audit logging in the following way:

Note: kube-apiserver is already configured to mount both the audit policy file and the log output file.

  • Use the audit policy file located at /etc/kubernetes/audit-policy.yaml.
  • Output logs to the file located at /var/log/kubernetes/k8s-audit.log.
  • Keep old log files for a maximum of 60 days.
  • Keep a maximum of 1 old log file.

Additional Resources

Your company, SecuriCorp, is using Kubernetes to deploy and run a variety of applications.

In a recent security incident simulation, the team had difficulty discovering what happened during the simulation since no logs were kept of what was done via the Kubernetes API. As a result, the decision has been made to enable audit logging in the cluster to help track down threats both in real time and post mortem.

The cluster already has an audit policy file, but there are currently no rules. Implement audit policy rules and configure audit logging for the cluster.
