Kubernetes audit logs

Big picture

Enable Kubernetes audit logs so security teams and auditors can see all the changes to Kubernetes resources over time.


About Kubernetes audit logs

Audit logs for Kubernetes resources are used in Calico Cloud compliance reports and other audit-related features, but they are not enabled by default. You must enable them through the Kubernetes API server audit policy. If you miss this step, some compliance reports will not work, and audit trails will not give your security team a complete view of changes.

You must enable audit logging for the following Kubernetes resources in each cluster:

  • Pod
  • Namespace
  • Service account
  • Network policy
  • Endpoints

Audit logs in Manager UI

Like Calico Cloud audit logs, Kubernetes audit logs are displayed in Manager UI in the Timeline dashboard and in the Kibana dashboard (indexed by tigera_secure_ee_audit_kube), and they provide the core data for compliance reports.

Before you begin

  • AKS
  • GKE
  • OpenShift
  • TKG

How to

Enable Kubernetes audit logs in the Kubernetes API server:

Enable audit logs for Kubernetes resources

At a minimum, enable audit logs for these resources that are involved in network policy:

  • Pod
  • Namespace
  • ServiceAccount
  • NetworkPolicy (Kubernetes/OpenShift)
  • Endpoints

Sample policy

The following sample policy audits changes to the Kubernetes Pod, Namespace, ServiceAccount, Endpoints and NetworkPolicy resources. To audit other resources beyond those involved in network policy, see the Kubernetes docs, or review the function that generates the GKE audit policy for inspiration.

apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so each request is logged once, on completion.
omitStages:
  - RequestReceived
rules:
  # Record request and response bodies for mutating calls on the resources below.
  - level: RequestResponse
    verbs:
      - create
      - patch
      - update
      - delete
    resources:
      - group: networking.k8s.io
        resources: ['networkpolicies']
      # Legacy API group for NetworkPolicy on older clusters.
      - group: extensions
        resources: ['networkpolicies']
      # Core API group.
      - group: ''
        resources: ['pods', 'namespaces', 'serviceaccounts', 'endpoints']

Enable Kubernetes audit logs for Calico Cloud

The following updates require a restart of the Kubernetes API server.

To enable Kubernetes resource audit logs to be read by Calico Cloud in fluentd, follow these steps.

On the Kubernetes API server, update these flags:

  • --audit-log-path=/var/log/calico/audit/kube-audit.log
  • --audit-policy-file=<path to file containing audit policy above>

For help with flags, see kube-apiserver flags. For help with audit logging, see the Kubernetes audit logging documentation.

Distribute the audit policy file to all control plane nodes, ensuring that it is available to the Kubernetes API server (e.g. by volume mounting it into the pods).

Restart the Kubernetes API server. The restart command depends on how you installed Kubernetes.
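To confirm that events for the required resources actually reach kube-audit.log after the restart, here is an added Python check (not part of this page or of Calico Cloud): it reads the API server's JSON audit events line by line and reports which of the five required resources have been seen with a mutating verb at RequestResponse level, which is what the sample policy above should produce. The log lines are constructed for the example, not captured from a cluster.

```python
import json

# Resources Calico Cloud needs audited, as (apiGroup, resource); "" is the core group.
REQUIRED = {
    ("", "pods"), ("", "namespaces"), ("", "serviceaccounts"), ("", "endpoints"),
    ("networking.k8s.io", "networkpolicies"),
}
# Older clusters still report NetworkPolicy under the legacy "extensions" group.
LEGACY_NETPOL = ("extensions", "networkpolicies")
MUTATING_VERBS = {"create", "patch", "update", "delete"}


def audit_coverage(lines):
    """Parse kube-apiserver JSON audit events (one per line) and return (seen, missing):
    required (group, resource) pairs observed with a mutating verb at RequestResponse
    level on a completed request, and the required pairs not observed at all."""
    seen = set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except ValueError:
            continue  # not a complete audit event (e.g. a line still being written)
        # Only count completed requests; RequestReceived entries are omitted by the policy.
        if ev.get("kind") != "Event" or ev.get("stage") != "ResponseComplete":
            continue
        # Metadata-level entries lack the bodies the compliance reports rely on.
        if ev.get("level") != "RequestResponse" or ev.get("verb") not in MUTATING_VERBS:
            continue
        ref = ev.get("objectRef") or {}
        key = (ref.get("apiGroup", ""), ref.get("resource", ""))  # core group has no apiGroup
        if key == LEGACY_NETPOL:
            key = ("networking.k8s.io", "networkpolicies")
        if key in REQUIRED:
            seen.add(key)
    return seen, REQUIRED - seen


# Constructed sample lines in the kube-apiserver JSON audit format (not from a real cluster).
SAMPLE_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","objectRef":{"resource":"pods","namespace":"default","name":"web","apiVersion":"v1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"RequestReceived","verb":"delete","objectRef":{"resource":"namespaces","name":"staging","apiVersion":"v1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"patch","objectRef":{"resource":"networkpolicies","namespace":"default","name":"deny-all","apiGroup":"extensions","apiVersion":"v1beta1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"update","objectRef":{"resource":"serviceaccounts","namespace":"default","name":"default","apiVersion":"v1"}}
"""

if __name__ == "__main__":
    seen, missing = audit_coverage(SAMPLE_LOG.splitlines())
    print("covered:", sorted(seen))
    print("missing:", sorted(missing))
```

On a live control plane node, run it over /var/log/calico/audit/kube-audit.log after exercising each resource type; any entry left in "missing" points at a policy rule or flag that is not in effect.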