Getting Kubernetes auditing right is an important part of a secure and scalable enterprise-grade Kubernetes setup!

Auditing is an essential administrative input for understanding how a system is affected and how it is being used. An audit trail is a chronological log of the events that occurred on a system. It helps administrators understand what event occurred, when it took place, and the trigger or source of the event. It is also a compliance or legal requirement for many businesses, and so an important part of IT systems. In this tutorial, we will look at how to do auditing in Kubernetes.

Introduction

A simple example of an audit log entry in the context of Kubernetes would read as follows:

An Nginx pod (podname) was scheduled on a node (nodename) by a service account (serviceaccountname).

The statement above helps an administrator or a developer understand the intent of the event (a pod being scheduled), the object in question (the Nginx pod), the affected system (the node), and the actor, which was the service account.

An audit trail is an effective input for debugging issues, fine-tuning permissions, and understanding the way the system is being used. Knowledge of these usage patterns can also be used to write dynamic webhooks that further tighten what can be done. Let us look at the way Kubernetes auditing is enabled and dive deeper into the actors in play here. Working on Kubernetes objects eventually means using the Kubernetes REST API, whether through kubectl or through the Kubernetes client libraries. Hence, all auditing is performed by the kube-apiserver, and it is turned on through that component's auditing options.
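To make the who/what/when reading above concrete, the following added example (not code from the original tutorial) reduces kube-apiserver audit log lines to one record per request. It assumes the log backend's one-JSON-event-per-line output and a policy level that records `requestObject`; the events are constructed and trimmed to the fields used, and every pod, node and account name is made up.

```python
import json

# Constructed sample events in the audit.k8s.io/v1 Event format, one JSON
# object per line as the log backend writes them. All names are made up.
EVENTS = [
    {"auditID": "a1", "stage": "RequestReceived", "verb": "create",
     "user": {"username": "system:serviceaccount:kube-system:example-sa"},
     "objectRef": {"resource": "pods", "subresource": "binding",
                   "namespace": "default", "name": "nginx-example"},
     "requestReceivedTimestamp": "2024-01-01T10:00:00.000000Z"},
    {"auditID": "a1", "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "system:serviceaccount:kube-system:example-sa"},
     "objectRef": {"resource": "pods", "subresource": "binding",
                   "namespace": "default", "name": "nginx-example"},
     "requestObject": {"target": {"kind": "Node", "name": "node-example"}},
     "responseStatus": {"code": 201},
     "requestReceivedTimestamp": "2024-01-01T10:00:00.000000Z"},
    {"auditID": "a2", "stage": "ResponseComplete", "verb": "get",
     "user": {"username": "jane"},
     "objectRef": {"resource": "secrets", "namespace": "default", "name": "db"},
     "responseStatus": {"code": 403},
     "requestReceivedTimestamp": "2024-01-01T10:00:05.000000Z"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in EVENTS) + "\ntruncated {line\n"

def describe(ev):
    """Reduce one audit event to who / what / where / when / outcome."""
    ref = ev.get("objectRef") or {}
    what = "/".join(p for p in (ref.get("resource"), ref.get("subresource")) if p)
    target = ((ev.get("requestObject") or {}).get("target") or {}).get("name")
    return {"who": (ev.get("user") or {}).get("username", "unknown"),
            "verb": ev.get("verb"), "what": what, "name": ref.get("name"),
            # A pods/binding create is how a pod gets assigned to a node.
            "node": target if ref.get("subresource") == "binding" else None,
            "when": ev.get("requestReceivedTimestamp"),
            "code": (ev.get("responseStatus") or {}).get("code")}

def audit_trail(log_text):
    """Chronological trail with one record per request; bad lines are skipped."""
    trail = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        # A request is logged once per stage; keep only the final stage.
        if isinstance(ev, dict) and ev.get("stage") == "ResponseComplete":
            trail.append(describe(ev))
    return sorted(trail, key=lambda r: r["when"] or "")

def denied(trail):
    """Requests rejected at authentication (401) or authorization (403)."""
    return [r for r in trail if r["code"] in (401, 403)]
```

The `denied` records are the ones most useful for the permission fine-tuning mentioned above, since they show which actor was refused which verb on which resource.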
