Auditing records requests made to the Kubernetes API server, including the request and its outcome. ACK provides API server audit logs to help cluster administrators determine who did what, to which resource, and when. You can use these logs to trace the cluster's operational history, troubleshoot issues, and streamline security operations.
Step 1: Enable API server auditing
When you create an ACK cluster, the Enable Log Service option is selected by default, which enables the API server auditing feature. If you did not enable this feature during cluster creation, follow these steps to enable it.
-
Log on to the ACS console. In the left navigation pane, click Clusters.
-
On the Clusters page, click the name of the target cluster. In the left navigation pane, choose Security > Audit.
If cluster logging or auditing is disabled, follow the on-screen instructions to manually select an SLS project and enable the feature.
Ensure that your account has sufficient Log Service (SLS) resource quotas. If you exceed the quotas, you cannot enable the cluster auditing feature.
-
The quota for the number of SLS projects that can be created.
-
The quota for the number of Logstores that can be created in a single SLS project.
-
The quota for the number of dashboards that can be created in a single SLS project.
For more information about SLS quotas and how to adjust them, see Adjust resource quotas.
Step 2: View audit reports
Do not modify the built-in audit reports. If you need to create custom reports, use the Log Service (SLS) console.
ACK provides four built-in audit log reports: Audit center overview, Resource operation overview, Resource operation details, and Kubernetes CVE security risks. On the Cluster Auditing page, you can filter audit events by dimensions such as namespace or RAM user and use the reports to obtain the following information.
After you obtain the results, click the
icon in the upper-right corner of a chart to perform additional actions, such as viewing the chart in full screen or previewing its corresponding query statement.
Audit center overview
The audit center overview report displays a general summary of events in an ACK cluster and provides details about important events, such as RAM user operations, public network access, command executions, resource deletions, Secret access, and Kubernetes CVE security risks.
Resource operation overview
The resource operation overview report shows statistics for operations such as create, update, delete, and access on common ACK cluster compute, network, and storage resources, including:
-
Compute resources: Deployments, StatefulSets, Jobs, CronJobs, Pods, and DaemonSets.
-
Network resources: Services and Ingresses.
-
Storage resources: ConfigMaps, Secrets, and PersistentVolumeClaims.
-
Access control resources: Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings.
Resource operation details
This report displays a detailed list of operations for a specific resource type in an ACK cluster. Select or enter a resource type to run a real-time query. The report shows the total number of events for each operation type, the distribution across namespaces, the success rate, time-series trends, and a detailed list of operations.
To view CustomResourceDefinition (CRD) resources registered in Kubernetes or other resources not listed, you can manually enter the plural form of the resource name. For example, for a CRD resource named AliyunLogConfig, enter AliyunLogConfigs.
Kubernetes CVE security risks
This report displays potential Kubernetes CVE security risks in the current cluster. Select or enter a RAM user ID to perform a real-time query. The report shows the Kubernetes CVE security risks associated with the specified account. For more information about CVE details and solutions, see [CVE Security] Vulnerability Fix Announcement.
(Optional) Step 3: View detailed log records
If you need to run custom queries or analyze audit logs, you can view detailed log records in the Log Service (SLS) console.
By default, API server audit logs from an ACK cluster are stored in the corresponding Logstore in Log Service (SLS) for 30 days. To change the data retention period, see Manage a Logstore.
-
Log on to the ACS console. In the left navigation pane, click Clusters.
-
On the Clusters page, click the name of the target cluster. In the left navigation pane, choose Cluster Information.
-
Click the Basic Information tab. In the Cluster Resources section, click the project ID next to Log Service Project. In the project list, click the Logstore named audit-${clusterid}.
During cluster creation, a Logstore named
audit-${clusterid}is automatically added to the specified SLS project.ImportantThe Logstore for audit logs has pre-configured indexes. Do not modify the indexes. Otherwise, the reports may become invalid.
-
Enter a query and analysis statement in the search box, specify a time range such as the last 15 minutes, and then click Search & Analyze to view the results.
The following list describes common search methods for audit logs:
-
To query the operation records of a specific RAM user, enter the RAM user ID and click Search & Analyze.
-
To query the operations on a specific resource, enter the name of a compute, network, storage, or access control resource and click Search & Analyze.
-
To filter out operations from system components, enter
NOT user.username: node NOT user.username: serviceaccount NOT user.username: apiserver NOT user.username: kube-scheduler NOT user.username: kube-controller-managerand then click Search & Analyze.
For more information about query and analysis methods, see Log Service query and analysis.
-
(Optional) Step 4: Configure alerts
If you need to receive real-time alerts for operations on specific resources, you can use the alerting feature of Log Service (SLS). Supported notification methods include SMS messages, DingTalk chatbots, emails, custom webhooks, and the Notification Center. For more information, see Create alerts for Log Service.
Example 1: Alert on command execution in a container
A company has strict Kubernetes cluster usage policies and does not allow users to log on to containers or execute commands in them. If a user executes a command, an alert is sent immediately. The alert notification must include information such as the specific container accessed, the command executed, the operator, the event ID, the timestamp, and the source IP address.
-
Query statement:
verb : create and objectRef.subresource:exec and stage: ResponseStarted | SELECT auditID as "Event ID", date_format(from_unixtime(__time__), '%Y-%m-%d %T' ) as "Operation Time", regexp_extract("requestURI", '([^\?]*)/exec\?.*', 1)as "Resource", regexp_extract("requestURI", '\?(.*)', 1)as "Command" ,"responseStatus.code" as "Status Code", CASE WHEN "user.username" != 'kubernetes-admin' then "user.username" WHEN "user.username" = 'kubernetes-admin' and regexp_like("annotations.authorization.k8s.io/reason", 'RoleBinding') then regexp_extract("annotations.authorization.k8s.io/reason", ' to User "(\w+)"', 1) ELSE 'kubernetes-admin' END as "Operator Account", CASE WHEN json_array_length(sourceIPs) = 1 then json_format(json_array_get(sourceIPs, 0)) ELSE sourceIPs END as "Source Address" order by "Operation Time" desc limit 10000 -
Trigger condition:
"Event ID" =~ ".*".
Example 2: Alert on failed public API server access
A cluster has public access enabled. To prevent malicious attacks, you need to monitor the number of public access attempts and the failure rate. When the number of access attempts reaches a specified threshold (for example, 10) and the failure rate exceeds a specified threshold (for example, 50%), an alert is sent immediately. The alert notification must include information such as the region of the user's IP address, the source IP address, and whether it is a high-risk IP address.
-
Query statement:
* | select ip as "Source Address", total as "Access Count", round(rate * 100, 2) as "Failure Rate %", failCount as "Illegal Access Count", CASE when security_check_ip(ip) = 1 then 'yes' else 'no' end as "Is High-Risk IP", ip_to_country(ip) as "Country", ip_to_province(ip) as "Province", ip_to_city(ip) as "City", ip_to_provider(ip) as "Carrier" from (select CASE WHEN json_array_length(sourceIPs) = 1 then json_format(json_array_get(sourceIPs, 0)) ELSE sourceIPs END as ip, count(1) as total, sum(CASE WHEN "responseStatus.code" < 400 then 0 ELSE 1 END) * 1.0 / count(1) as rate, count_if("responseStatus.code" = 403) as failCount from log group by ip limit 10000) where ip_to_domain(ip) != 'intranet' and ip not LIKE '%,%' and not try(is_subnet_of('<your_subnet_ip_address>')) ORDER by "Access Count" desc limit 10000 -
Trigger condition:
"Source Address" =~ ".*".
Related operations
Change SLS project
To migrate API server audit logs to another SLS project, use the Change Log Service Project feature in cluster auditing.
-
Log on to the ACS console. In the left navigation pane, click Clusters.
-
On the Clusters page, click the name of the target cluster. In the left navigation pane, choose Security > Audit.
-
In the upper-right corner of the cluster auditing page, click Change Log Service Project to migrate the cluster audit logs to another SLS project.
Disable API server auditing
To disable the API server auditing feature, use the following method.
-
Log on to the ACS console. In the left navigation pane, click Clusters.
-
On the Clusters page, click the name of the target cluster. In the left navigation pane, choose Security > Audit.
-
In the upper-right corner of the Cluster Auditing page, click Disable Cluster Auditing to disable the auditing feature for the current cluster.
Use a third-party logging solution in an ACK cluster
We recommend that you use Log Service (SLS) to record ACK cluster audit logs. However, if you want to use a third-party logging service, you can choose not to use SLS when you create the cluster and then integrate another logging solution to collect and retrieve audit logs.
Reference: API server audit configuration
When you configure cluster components during the creation of an ACK cluster, Enable Log Service is selected by default. This enables the API server auditing feature, which in turn collects event data based on an audit policy and writes the data to the backend.
Audit policy
The event log collection rules vary by audit level.
|
Audit level |
Log collection rule |
|
None |
Events that match the rule are not collected. |
|
Metadata |
Collects request metadata, such as user information and timestamp, but not the request or response body. |
|
Request |
Collects request metadata and the request body, but not the response body. This does not apply to non-resource requests. |
|
RequestResponse |
Collects request metadata, the request body, and the response body. This does not apply to non-resource requests. |
Save the following audit policy as a YAML file and apply it to the API server by using the --audit-policy-file startup flag.
After a request is received, logging does not start immediately. It starts after the response header is sent.
The system does not audit a large number of redundant requests, such as kube-proxy watch requests, GET requests for nodes from kubelet and system:nodes, operations on endpoints by kube-system components, and GET requests for namespaces from the API server.
For sensitive interfaces such as authentication, rbac, certificates, autoscaling, and storage, the system records the corresponding request and response bodies for read and write operations.
Audit backend
The audit backend stores collected events as log files in standard JSON format.