Auditing Rules

After you enable KubeSphere Auditing Logs, log in to the console with a user of platform-admin role. In CRDs on the Cluster Management page, enter rules.auditing.kubesphere.io in the search bar. Click the result Rule and you can see the two CRD rules.

Below are examples of part of the rules.

alerting-rule

apiVersion: auditing.kubesphere.io/v1alpha1
kind: Rule
metadata:
  labels:
    type: alerting
    workspace: system-workspace
  name: alerting-rule
spec:
  rules:
  - desc: all operator need to be audit
    list:
    - create
    - update
    - patch
    name: action
    type: list
  - condition: Verb in ${action}
    desc: audit the change of resource
    enable: true
    name: ResourceChange
    priority: INFO
    type: rule

When an auditing log matches a rule in archiving-rule and the rule priority is no less than archivingPriority, it will be stored for further use. When an auditing log matches a rule in alerting-rule, if the priority of the rule is less than alertingPriority, it will be stored for further use; otherwise it will generate an alert which will be sent to the user.

A Condition is a filtering expression that can use comparison operators (=, !=, <, <=, >, >=, contains, in, like, and regex) and can be combined using Boolean operators (and, or and not) and parentheses. Here are the supported filters.

Filter	Description
`Workspace`	The workspace where the audit event happens.
`Devops`	The DevOps project where the audit event happens.
`Level`	The level of auditing logs.
`RequestURI`	RequestURI is the request URI as sent by the client to a server.
`Verb`	The verb associated with the request.
`User.Username`	The name that uniquely identifies this user among all active users.
`User.Groups`	The names of groups this user is a part of.
`SourceIPs`	The source IP from where the request originated and intermediate proxies.
`ObjectRef.Resource`	The resource of the object associated with the request.
`ObjectRef.Namespace`	The namespace of the object associated with the request.
`ObjectRef.Name`	The name of the object associated with the request.
`ObjectRef.Subresource`	The subresource of the object associated with the request.
`ResponseStatus.code`	The suggested HTTP return code for the request.
`ResponseStatus.Status`	The status of the operation.
`RequestReceivedTimestamp`	The time the request reaches the apiserver.
`StageTimestamp`	The time the request reaches the current audit stage.

ObjectRef.Namespace = "test"

To match all logs in the namespaces that start with test:

To match all logs happening in the latest one hour:

RequestReceivedTimestamp >= "2020-06-12T09:23:28.359896Z" and RequestReceivedTimestamp <= "2020-06-12T10:23:28.359896Z"

Macro

A macro is a rule condition snippet that can be re-used inside rules and even other macros. Macros provide a way to name common patterns and factor out redundancies in rules. Here is an example of a macro.

apiVersion: auditing.kubesphere.io/v1alpha1
kind: Rule
  name: alerting-rule
  labels:
    workspace: system-workspace
    type: alerting
  rules:
  - name: pod
    type: macro
    desc: pod
    macro: ObjectRef.Resource="pods"

Note

A list is a collection of items that can be included in rules, macros, or other lists. Unlike rules and macros, lists cannot be parsed as filtering expressions. Here is an example of a list.

Alias

An alias is a short name of a filter field. It can be included in rules, macros, lists, and output strings. Here is an example of an alias.

apiVersion: auditing.kubesphere.io/v1alpha1
kind: Rule
metadata:
  name: alerting-rule
  labels:
    workspace: system-workspace
    type: alerting
spec:
  rules:
  - name: namespace
    type: alias
    desc: the alias of the resource namespace
    alias: ObjectRef.Namespace

The Output string is used to format the alerting message when an auditing log triggers an alert. The Output string can include lists and alias. Here is an example.

Output: ${user} ${verb} a HostNetwork Pod ${name} in ${namespace}.

Note