Version: 3.18 (latest)

Kubernetes audit logs

Big picture

Enable Kubernetes audit logs so security teams and auditors can see all the changes to Kubernetes resources over time.

Concepts

About Kubernetes audit logs

Audit logs for Kubernetes resources are used in Calico Enterprise compliance reports and other audit-related features, but they are not enabled by default. You must enable audit logging for these resources in the Kubernetes API server. If you skip this step, some compliance reports will not work, and audit trails will not give your security team a complete view.

You must enable audit logging for the following Kubernetes resources in each cluster:

  • Pod
  • Namespace
  • Service account
  • Network policy
  • Endpoints

Audit logs in Manager UI

Like Calico Enterprise audit logs, Kubernetes audit logs are displayed in Manager UI in the Timeline dashboard and the Kibana dashboard (index: tigera_secure_ee_audit_kube), and they provide the core data for compliance reports.

Before you begin

Unsupported

  • AKS
  • GKE
  • OpenShift
  • TKG

How to

Enable Kubernetes audit logs in the Kubernetes API server:

Enable audit logs for Kubernetes resources

At a minimum, enable audit logs for these resources that are involved in network policy:

  • Pod
  • Namespace
  • ServiceAccount
  • NetworkPolicy (Kubernetes/OpenShift)
  • Endpoints

Sample policy

The following sample policy audits changes to Kubernetes Pod, Namespace, ServiceAccount, Endpoints and NetworkPolicy resources. To add other audit logs for resources beyond network policy, see the Kubernetes docs, or review this function for inspiration (which generates the GKE audit policy).

# audit.k8s.io/v1beta1 was removed in Kubernetes 1.24; use audit.k8s.io/v1 on those versions.
apiVersion: audit.k8s.io/v1beta1
kind: Policy
# Skip the RequestReceived stage so each request produces one final event, not two.
omitStages:
- RequestReceived
rules:
# Record full request and response bodies for changes to the resources involved in network policy.
- level: RequestResponse
  verbs:
  - create
  - patch
  - update
  - delete
  resources:
  - group: networking.k8s.io
    resources: ['networkpolicies']
  - group: extensions
    resources: ['networkpolicies']
  - group: ''
    resources: ['pods', 'namespaces', 'serviceaccounts', 'endpoints']

Enable Kubernetes audit logs for Calico Enterprise

The following updates require a restart to the Kubernetes API Server.

To enable Kubernetes resource audit logs to be read by Calico Enterprise in fluentd, follow these steps.

On the Kubernetes API Server, update these flags.

  • --audit-log-path=/var/log/calico/audit/kube-audit.log
  • --audit-policy-file=<path to file containing audit policy above>
    For help with flags, see kube-apiserver flags. For help with audit logging, see Kubernetes audit logging documentation.

Distribute the audit policy file to all control plane nodes, ensuring that it is available to the Kubernetes API server (e.g. by volume mounting it into the pods).

Restart the Kubernetes API server. The restart command depends on how you installed Kubernetes.
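Once the API server is writing to the --audit-log-path above, the file is JSON lines in the audit.k8s.io Event format. The following added example (not Calico Enterprise or Kubernetes code) parses constructed sample lines in that format and lists the successful changes to the five resources the policy covers, skipping reads, failed requests and non-final stages, which is the kind of check a security team can run directly against the log while Calico Enterprise ingests it.

```python
import json
from collections import Counter

# Plural resource names as they appear in objectRef.resource; these are the
# resources the audit policy on this page records.
WATCHED = {"pods", "namespaces", "serviceaccounts", "endpoints", "networkpolicies"}
CHANGE_VERBS = {"create", "patch", "update", "delete"}

def _event(audit_id, stage, verb, user, resource, name, code, ts, namespace=None):
    """Build one audit.k8s.io/v1 Event dict with the fields this script reads."""
    ref = {"resource": resource, "name": name}
    if namespace:
        ref["namespace"] = namespace
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
            "stage": stage, "verb": verb, "user": {"username": user},
            "objectRef": ref, "responseStatus": {"code": code}, "stageTimestamp": ts}

# Constructed sample log (JSON lines, as kube-apiserver writes to --audit-log-path).
# The trailing non-JSON line simulates a partial write during log rotation.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("a1", "ResponseComplete", "create", "alice", "networkpolicies", "allow-web", 201, "2024-01-01T10:00:00Z", "prod"),
    _event("a2", "ResponseComplete", "delete", "system:serviceaccount:kube-system:deployer", "networkpolicies", "deny-all", 200, "2024-01-01T10:05:00Z", "prod"),
    _event("a3", "ResponseComplete", "get", "bob", "pods", "web-1", 200, "2024-01-01T10:06:00Z", "prod"),  # a read, not a change
    _event("a4", "ResponseComplete", "patch", "alice", "serviceaccounts", "web", 200, "2024-01-01T10:07:00Z", "prod"),
    _event("a5", "ResponseComplete", "delete", "alice", "networkpolicies", "missing", 404, "2024-01-01T10:08:00Z", "prod"),  # failed request
    _event("a6", "ResponseStarted", "update", "carol", "namespaces", "prod", 200, "2024-01-01T10:09:00Z"),  # not the final stage
    _event("a7", "ResponseComplete", "update", "carol", "namespaces", "prod", 200, "2024-01-01T10:09:01Z"),
]) + "\nnot json\n"

def change_timeline(log_text):
    """Return successful changes to watched resources, oldest first, as
    (timestamp, user, verb, resource, namespace/name) tuples."""
    rows = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # partial or corrupted line; skip it rather than abort the scan
        ref = ev.get("objectRef") or {}
        if (ev.get("stage") != "ResponseComplete"  # one row per request, not per stage
                or ev.get("verb") not in CHANGE_VERBS
                or ref.get("resource") not in WATCHED
                or (ev.get("responseStatus") or {}).get("code", 0) >= 400):
            continue
        name = ref.get("name", "")
        target = f"{ref['namespace']}/{name}" if ref.get("namespace") else name
        rows.append((ev.get("stageTimestamp", ""), (ev.get("user") or {}).get("username", "?"),
                     ev["verb"], ref["resource"], target))
    return sorted(rows)

def changes_by_user(rows):
    """Count changes per (user, resource) for a quick audit summary."""
    return Counter((user, resource) for _, user, _, resource, _ in rows)

if __name__ == "__main__":
    for row in change_timeline(SAMPLE_LOG):
        print(*row)
```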