Audit Logging

Audit Logging is one of key security features provided by Kubernetes. Once enabled in kube-api, it provides a chronological record of operations performed on the cluster by users, administrators and other cluster components.

Audit logging is also a key requirement of the Kubernetes CIS benchmark.

For more details, you can can refer to the upstream documentation.

Kubermatic Support

Kubermatic provideds two levels of support for the Audit Logging:

  • Audit Logging on user-cluster level
  • Audit Logging on a datacenter level

Kubernetes Audit Logging is optional and is not enabled by default, since it requires additional memory and storage resources, depending on the specific configuration used.

Once enabled, Kubermatic will use a Log Backend and a minimal Policy by default:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata


This file is stored in a ConfigMap named audit-config on the Seed Cluster in your cluster namespace. To modify the default policy, you can edit this ConfigMap using kubectl:

$ kubectl edit -n cluster-<YOUR CLUSTER ID> configmap audit-config

User-Cluster Level Audit Logging

To enable user-cluster level Audit Logging, simply check Audit Logging in the Kubermatic dashboard Create Cluster page:

Create Cluster

For exiting clusters, you can go to the cluster page, edit your cluster and enable (or disable) Audit Logging:

Edit Cluster

Datacenter Level Audit Logging

Kubermatic also supports enabling Audit Logging on the datacenter level. In this case, the option is enforced on all user-clusters in the datacenter. The user-cluster level flag is ignored in this case.

To enable this, you will need to edit your datacenters.yaml or your Seed Cluster CRD, and set enforceAuditLogging to true in the datacenter spec.