Audit Logging

Audit Logging is one of the key security features provided by Kubernetes. Once enabled in the Kubernetes API server, it provides a chronological record of operations performed on the cluster by users, administrators and other cluster components.

Audit logging is also a key requirement of the Kubernetes CIS benchmark.

For more details, you can refer to the upstream documentation.

Kubermatic Kubernetes Platform (KKP) Support

KKP provides two levels of support for the Audit Logging:

  • Audit Logging on user-cluster level
  • Audit Logging on a datacenter level

Kubernetes Audit Logging is optional and is not enabled by default, since it requires additional memory and storage resources, depending on the specific configuration used.

Audit logs, if enabled, are emitted by a sidecar container called audit-logs in the kubernetes-apiserver Pods on the Seed Cluster in your cluster namespace. Setting up the MLA stack on Master / Seed will allow storing the audit logs alongside other Pod logs collected by the MLA stack.

if you do not choose an audit policy preset, KKP will set up a minimal audit policy for you. This file is stored in a ConfigMap named audit-config on the Seed Cluster in your cluster namespace. To modify the default policy, you can edit this ConfigMap using kubectl:

$ kubectl edit -n cluster-<YOUR CLUSTER ID> configmap audit-config
kind: Policy
- level: Metadata

Audit Policy Presets

KKP supports a set of maintained audit policies as presets in case you do not want to tune the audit policy for yourself. A preset can be selected during cluster creation in the UI or by setting the field auditLogging.policyPreset on a user-cluster spec (when audit logging is enabled). The preset selection can be unset by setting the field to an empty string.

Enabling an audit policy preset on your user-cluster will override any manual changes to the audit-config ConfigMap.

The following presets are available right now:

  • metadata: Logs metadata for any request (matches the default policy configured when using no policy preset)
  • minimal: Is considered the bare minimum that allows to audit for key operations on the cluster. Logs the following operations:
    • any modification to Pods, Deployments, StatefulSets, DaemonSets and ReplicaSets (complete request and response bodies)
    • any access to Pods via shell (by using exec to spawn a process) or port-forwarding/proxy (complete request and response bodies)
    • access to container logs (metadata only)
    • any access (read, write or delete) to Secrets and ConfigMaps (metadata only, as the request body could include sensitive information)
  • recommended: Logs everything in minimal plus metadata for any other request. This is the most verbose audit policy preset, but is recommended due to its extended coverage of security recommendations like the CIS Benchmark

User-Cluster Level Audit Logging

To enable user-cluster level Audit Logging, simply check Audit Logging in the KKP dashboard Create Cluster page. You can either select “custom” to be able to edit the ConfigMap for audit logging later on or set your cluster up with a preset:

Create Cluster

For exiting clusters, you can go to the cluster page, edit your cluster and enable (or disable) Audit Logging:

Edit Cluster

Datacenter Level Audit Logging

KKP also supports enabling Audit Logging on the datacenter level. In this case, the option is enforced on all user-clusters in the datacenter. The user-cluster level flag is ignored in this case.

To enable this, you will need to edit your datacenter definitions in a Seed, and set enforceAuditLogging to true in the datacenter spec.