Generating Kubernetes audit logs

Kubernetes audit logs in IBM® Cloud Private.

Kubernetes audit logs are used for tracking and storing data that is related to your IBM Cloud Private usage. Audit policies are used to define the rules for the type of data to be saved in the audit logs. IBM Cloud Private uses the default Kubernetes audit policy. For more information about the default Kubernetes audit policy, see https://kubernetes.io/docs/tasks/debug-application-cluster/audit/.

Note: For information about audit data sizes, see Audit logging data statistics.

By default, Kubernetes audit logs are unavailable in IBM Cloud Private. To generate these logs, during installation, set the auditlog_enabled parameter to true in the /<installation_directory>/cluster/config.yaml file. For more information, see Kubernetes settings.

The log files are saved in the /var/log/k8saudit/ folder.

Enabling Kubernetes auditing after installation

Complete the following steps to enable Kubernetes auditing.

  1. SSH to the master node as the root user.
  2. Copy the master.json file to a temporary location.

    cp /etc/cfc/pods/master.json /tmp/
    
  3. Edit the copied master.json file by using any editor. For example:

    vim /tmp/master.json
    
  4. Add the audit-policy-file path and the audit log file path. The file paths must be under the apiserver configuration section and after the last element in the command list.

    "--audit-policy-file=/etc/cfc/conf/audit-policy.yaml",
    "--audit-log-path=/var/log/k8saudit/audit.log",
    "--audit-log-maxage=3",
    "--audit-log-maxbackup=10",
    "--audit-log-maxsize=10"
    

    Note: Add a comma (,) after the last element of the command parameters if it is added in the middle of the list.

  5. Replace the original master.json with the updated one.

    cp /tmp/master.json /etc/cfc/pods/master.json
    
  6. The master pod picks up the changes and the kube-apiserver restarts with auditing enabled.
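Steps 3 and 4 can be scripted so that the comma placement and JSON validity do not depend on a manual edit. The following is an added example, not IBM's tooling: it appends the flags from step 4 to the apiserver container's command list, skipping any flag that is already set. It assumes master.json is a pod manifest with a spec.containers list and that the apiserver container's name contains "apiserver"; the function name and the sample manifest are constructed for illustration.

```python
import json

# Flags from step 4 of the procedure above.
AUDIT_FLAGS = [
    "--audit-policy-file=/etc/cfc/conf/audit-policy.yaml",
    "--audit-log-path=/var/log/k8saudit/audit.log",
    "--audit-log-maxage=3",
    "--audit-log-maxbackup=10",
    "--audit-log-maxsize=10",
]


def add_audit_flags(manifest_text):
    """Return (new_manifest_text, flags_added) for a master.json document."""
    manifest = json.loads(manifest_text)  # raises ValueError on broken JSON
    # Assumption: the apiserver container is the one whose name contains
    # "apiserver"; adjust the match if your manifest names it differently.
    targets = [c for c in manifest["spec"]["containers"]
               if "apiserver" in c.get("name", "")]
    if len(targets) != 1:
        raise ValueError("expected one apiserver container, found %d" % len(targets))
    command = targets[0]["command"]
    present = {arg.split("=", 1)[0] for arg in command}
    added = []
    for flag in AUDIT_FLAGS:
        # Skip flags already set so a re-run never duplicates or overrides them.
        if flag.split("=", 1)[0] not in present:
            command.append(flag)
            added.append(flag)
    # json.dumps writes the separating commas, so the output is valid JSON.
    return json.dumps(manifest, indent=2) + "\n", added


# Constructed sample manifest (not a real IBM Cloud Private master.json).
SAMPLE = """{
  "kind": "Pod",
  "spec": {"containers": [
    {"name": "scheduler", "command": ["/hyperkube", "scheduler"]},
    {"name": "apiserver", "command": ["/hyperkube", "apiserver",
      "--secure-port=8001", "--audit-log-maxage=3"]}
  ]}
}"""

if __name__ == "__main__":
    text, added = add_audit_flags(SAMPLE)
    print("added:", added)
```

Run it against the /tmp/master.json copy from step 2, and carry out step 5 only if it completes without raising an error.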