Receive and Customize Auditing Logs

    To enable auditing logs, see KubeSphere Auditing Logs.

    By default the KubeSphere Auditing Log system receives auditing logs only from KubeSphere itself; it can also receive the audit events that kube-apiserver emits for the Kubernetes API.

    To stop receiving auditing logs from KubeSphere, change the value of auditing.enabled to false in the ConfigMap kubesphere-config in the namespace kubesphere-system:

    spec:
      auditing:
        enabled: false

    Restart the KubeSphere apiserver (the ks-apiserver Deployment in the namespace kubesphere-system) for the change to take effect.

    To make the KubeSphere Auditing Log system receive auditing logs from Kubernetes, point kube-apiserver at a Kubernetes audit policy file and an audit webhook config file. Add the two flags and the volume that holds the files to the static Pod manifest /etc/kubernetes/manifests/kube-apiserver.yaml; the snippet shows only the lines to add, the rest of the manifest stays as it is.

    apiVersion: v1
    kind: Pod
    metadata:
      name: kube-apiserver
      namespace: kube-system
    spec:
      containers:
      - command:
        - kube-apiserver
        - --audit-policy-file=/etc/kubernetes/audit/audit-policy.yaml
        - --audit-webhook-config-file=/etc/kubernetes/audit/audit-webhook.yaml
        volumeMounts:
        - mountPath: /etc/kubernetes/audit
          name: k8s-audit
      volumes:
      - hostPath:
          path: /etc/kubernetes/audit
          type: DirectoryOrCreate
        name: k8s-audit

    Saving the manifest makes kubelet restart the kube-apiserver static Pod, so the Kubernetes API is briefly unavailable. Create both files under /etc/kubernetes/audit before saving: kube-apiserver fails to start if the policy file or the webhook config file it is pointed at does not exist.

    The file audit-policy.yaml defines which requests are recorded and how much of each request is kept (the audit level: None, Metadata, Request or RequestResponse). The simplest usable policy is a single rule that logs every request at the Metadata level, which records who did what to which object with what result but never the request or response bodies.

    For more information about the audit policy, see the Auditing page in the Kubernetes documentation.
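    What a given audit-policy.yaml actually records is easiest to see by running the same first-match rule evaluation kube-apiserver applies. The Python below is an added example, not code from this page, from KubeSphere or from Kubernetes: it implements the audit.k8s.io/v1 matching rules (first matching rule wins, an unmatched request gets level None, resource names like pods/log and pods/* follow the documented forms), and the hardened policy and sample requests in it are constructed for the demonstration.

```python
"""Kubernetes audit policy evaluation (audit.k8s.io/v1 first-match semantics).
Added example, not KubeSphere or Kubernetes code; the hardened policy and the
sample requests are constructed for the demo, and resourceNames are not modelled."""
from typing import Any, Dict, Optional

# The one-rule policy the text describes, as audit-policy.yaml would spell it:
#   apiVersion: audit.k8s.io/v1
#   kind: Policy
#   rules:
#   - level: Metadata
MINIMAL_POLICY: Dict[str, Any] = {"rules": [{"level": "Metadata"}]}

# Constructed hardened policy. The first matching rule wins; a request matching
# no rule gets the default level None and is not logged at all.
HARDENED_POLICY: Dict[str, Any] = {
    "omitStages": ["RequestReceived"],  # drop the half-event emitted before the response
    "rules": [
        # Secrets and tokens: record that the access happened, never the body.
        {"level": "Metadata", "resources": [
            {"group": "", "resources": ["secrets", "configmaps", "serviceaccounts/token"]}]},
        # RBAC writes: full request and response bodies (no resources list = whole group).
        {"level": "RequestResponse", "verbs": ["create", "update", "patch", "delete"],
         "resources": [{"group": "rbac.authorization.k8s.io"}]},
        {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"]},  # noise
        # Probes; a trailing * is the only wildcard nonResourceURLs allow.
        {"level": "None", "nonResourceURLs": ["/healthz*", "/readyz*", "/livez*", "/version"]},
        {"level": "Metadata"},  # catch-all so nothing else is silently dropped
    ],
}

def _match_resources(rule, req) -> bool:
    groups = rule.get("resources")
    if not groups:
        return True
    obj = req.get("objectRef")
    if obj is None:  # a non-resource URL never matches a resource rule
        return False
    resource, sub = obj.get("resource", ""), obj.get("subresource", "")
    for g in groups:
        if g.get("group", "") != obj.get("apiGroup", ""):
            continue
        if not g.get("resources"):
            return True  # whole API group, subresources included
        for wanted in g["resources"]:
            base, _, wsub = wanted.partition("/")
            # "pods" is bare pods only, "pods/log" one subresource, "pods/*" every
            # subresource but not bare pods, "*/scale" the scale subresource of anything.
            if base in ("*", resource) and (wsub == sub or (wsub == "*" and bool(sub))):
                return True
    return False

def _match_rule(rule, req) -> bool:
    user = req.get("user", {})
    if rule.get("users") and user.get("username") not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(user.get("groups", [])):
        return False
    if rule.get("verbs") and req.get("verb") not in rule["verbs"]:
        return False
    if rule.get("namespaces"):  # "" in the list stands for cluster-scoped requests
        if (req.get("objectRef") or {}).get("namespace", "") not in rule["namespaces"]:
            return False
    if rule.get("nonResourceURLs"):
        uri = req.get("requestURI", "")
        if req.get("objectRef") is not None or not any(
                uri.startswith(u[:-1]) if u.endswith("*") else uri == u
                for u in rule["nonResourceURLs"]):
            return False
    return _match_resources(rule, req)

def matching_rule(policy, req) -> Optional[Dict[str, Any]]:
    return next((r for r in policy.get("rules", []) if _match_rule(r, req)), None)

def audit_level(policy, req) -> str:
    rule = matching_rule(policy, req)
    return rule["level"] if rule else "None"

def is_emitted(policy, req, stage) -> bool:
    """Would kube-apiserver write an event for this request at this stage?"""
    rule = matching_rule(policy, req)
    if rule is None or rule["level"] == "None":
        return False
    return stage not in set(policy.get("omitStages", [])) | set(rule.get("omitStages", []))

def _req(username, verb, group="", resource="", sub="", ns="", uri=""):
    r = {"user": {"username": username, "groups": []}, "verb": verb, "requestURI": uri}
    if resource:
        r["objectRef"] = {"apiGroup": group, "resource": resource, "subresource": sub, "namespace": ns}
    return r

# Constructed sample requests, carrying the Event fields that rule matching looks at.
SAMPLE_REQUESTS = {
    "get-secret": _req("admin", "get", resource="secrets", ns="kube-system"),
    "create-secret": _req("admin", "create", resource="secrets", ns="default"),
    "create-crb": _req("admin", "create", group="rbac.authorization.k8s.io", resource="clusterrolebindings"),
    "proxy-watch": _req("system:kube-proxy", "watch", resource="endpoints"),
    "healthz": _req("kubelet", "get", uri="/healthz"),
    "pod-logs": _req("dev", "get", resource="pods", sub="log", ns="default"),
}

def summarize(policy) -> Dict[str, str]:
    """Level each sample request would be recorded at under the policy."""
    return {name: audit_level(policy, r) for name, r in SAMPLE_REQUESTS.items()}
```

    Rule order is the part that bites: in HARDENED_POLICY a create on a Secret lands on the first (Metadata) rule, not on the RBAC RequestResponse rule, so the secret body never leaves kube-apiserver, while a ClusterRoleBinding create is captured in full. The RequestReceived stage is omitted policy-wide because it duplicates the ResponseComplete event for the same auditID without the status code. Under MINIMAL_POLICY every request, including the probes and kube-proxy watches, is recorded at Metadata.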

    Audit webhook

    The file audit-webhook.yaml is a kubeconfig that defines the webhook kube-apiserver sends Kubernetes auditing logs to. Here is an example configuration for the Kube-Auditing webhook. Note that insecure-skip-tls-verify: true disables verification of the webhook's TLS certificate; since events at the Request and RequestResponse levels carry full request bodies, a production cluster should pin the webhook's CA with certificate-authority instead.

    apiVersion: v1
    kind: Config
    clusters:
    - name: kube-auditing
      cluster:
        insecure-skip-tls-verify: true
    contexts:
    - context:
        cluster: kube-auditing
        user: ""
      name: default-context
    current-context: default-context
    preferences: {}
    users: []

    The IP address in the webhook server URL is the CLUSTER-IP of the Service kube-auditing-webhook-svc in the namespace kubesphere-logging-system. You can get it with this command:

    kubectl get svc kube-auditing-webhook-svc -n kubesphere-logging-system
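    To see what the endpoint in audit-webhook.yaml has to accept, here is a small receiver for the batches kube-apiserver sends. It is an added example, not the KubeSphere kube-auditing-webhook and not code from this page: it listens on plain HTTP at an address of its own choosing, and the routing rules (alert on 401/403 responses and on writes to secrets, service accounts and cluster role bindings) and the SAMPLE_BATCH are constructed for the demonstration. The request shape is the one kube-apiserver's webhook backend uses: a POST whose body is a JSON audit.k8s.io/v1 EventList.

```python
"""Minimal Kubernetes audit webhook backend.
Added example, not KubeSphere's kube-auditing-webhook: validates, routes and
acknowledges the EventList batches kube-apiserver POSTs to audit-webhook.yaml's
server URL. SAMPLE_BATCH and the routing rules are constructed for the demo."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# (apiGroup, resource) pairs whose writes should page someone, not just be archived.
SENSITIVE = {("", "secrets"), ("", "serviceaccounts"),
             ("rbac.authorization.k8s.io", "clusterrolebindings")}

def parse_event_list(body: bytes) -> List[dict]:
    """Accept only an audit.k8s.io/v1 EventList; anything else is rejected."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise ValueError(f"body is not JSON: {exc}") from None
    if doc.get("kind") != "EventList" or doc.get("apiVersion") != "audit.k8s.io/v1":
        raise ValueError("expected an audit.k8s.io/v1 EventList")
    return list(doc.get("items") or [])

def classify(ev: dict) -> str:
    """Route one event to 'drop', 'alert' or 'archive'."""
    if ev.get("stage") == "RequestReceived":
        return "drop"  # no status yet; ResponseComplete for the same auditID repeats it
    code = (ev.get("responseStatus") or {}).get("code", 0)
    ref = ev.get("objectRef") or {}
    if code in (401, 403):
        return "alert"  # authentication or authorization failure
    if (ref.get("apiGroup", ""), ref.get("resource", "")) in SENSITIVE and ev.get("verb") in WRITE_VERBS:
        return "alert"
    return "archive"

def summarize(ev: dict) -> str:
    """One line per event: who, verb, target, namespace, source IP, HTTP status."""
    ref = ev.get("objectRef") or {}
    target = ref.get("resource") or ev.get("requestURI", "?")
    if ref.get("name"):
        target += "/" + ref["name"]
    user = (ev.get("user") or {}).get("username", "?")
    code = (ev.get("responseStatus") or {}).get("code", "-")
    ips = ",".join(ev.get("sourceIPs") or [])
    return f"{user} {ev.get('verb')} {target} ns={ref.get('namespace', '')} ip={ips} -> {code}"

def route(body: bytes) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {"alert": [], "archive": [], "drop": []}
    for ev in parse_event_list(body):
        out[classify(ev)].append(summarize(ev))
    return out

class AuditHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        try:
            routed = route(body)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        for bucket, lines in routed.items():
            for line in lines:
                print(f"[{bucket}] {line}")
        # kube-apiserver batches events and retries a batch with backoff unless it gets a 2xx.
        self.send_response(200)
        self.end_headers()

def serve(port: int = 8080) -> None:
    """Plain HTTP on loopback, for local testing only; the real webhook is reached over TLS."""
    HTTPServer(("127.0.0.1", port), AuditHandler).serve_forever()

def _event(stage, user, verb, group, resource, name, ns, ip, code=None):
    ev = {"level": "Metadata", "auditID": f"{user}-{verb}-{resource}", "stage": stage,
          "verb": verb, "user": {"username": user, "groups": []}, "sourceIPs": [ip],
          "objectRef": {"apiGroup": group, "resource": resource, "namespace": ns, "name": name}}
    if code is not None:
        ev["responseStatus"] = {"code": code}
    return ev

# Constructed batch in the shape kube-apiserver sends (timestamps omitted).
SAMPLE_BATCH = json.dumps({"kind": "EventList", "apiVersion": "audit.k8s.io/v1", "items": [
    _event("ResponseComplete", "admin", "get", "", "secrets", "db-creds", "kube-system", "10.0.0.5", 200),
    _event("ResponseComplete", "dev", "list", "", "pods", "", "prod", "10.0.0.9", 403),
    _event("ResponseComplete", "ci-bot", "create", "rbac.authorization.k8s.io",
           "clusterrolebindings", "ci-admin", "", "10.0.0.7", 201),
    _event("RequestReceived", "admin", "create", "", "secrets", "api-token", "default", "10.0.0.5"),
]}).encode()

def demo() -> Dict[str, List[str]]:
    return route(SAMPLE_BATCH)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    Run it to see the routed sample batch, or call serve() and point a test kube-apiserver at http://127.0.0.1:8080/. Two behaviours matter for a real backend: reject malformed bodies with a 400 rather than a 200, and answer quickly, because kube-apiserver keeps a batch and retries it with backoff until it receives a 2xx, so a receiver that blocks on downstream storage before acknowledging will fall behind.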

    Note

    Edit the CRD Webhook kube-auditing-webhook, for example with kubectl edit webhooks.auditing.kubesphere.io kube-auditing-webhook, and change the value of k8sAuditingEnabled to true:

    spec:
      k8sAuditingEnabled: true

    Tip

    You can also log in to the console as a user with the platform-admin role, search for Webhook under CRDs on the Cluster Management page, and edit kube-auditing-webhook directly.

    To stop receiving auditing logs from Kubernetes, remove the audit webhook backend configuration from kube-apiserver (the --audit-webhook-config-file flag added above), then change the value of k8sAuditingEnabled back to false.

    The KubeSphere Auditing Log system provides a CRD Webhook kube-auditing-webhook to customize auditing logs. Here is an example yaml file:

    apiVersion: auditing.kubesphere.io/v1alpha1
    kind: Webhook
    metadata:
      name: kube-auditing-webhook
    spec:
      auditLevel: RequestResponse
      auditSinkPolicy:
        alertingRuleSelector:
          matchLabels:
        archivingRuleSelector:
          matchLabels:
            type: persistence
      image: kubesphere/kube-auditing-webhook:v0.1.0
      archivingPriority: DEBUG
      alertingPriority: WARNING
      replicas: 2
      receivers:
      - name: alert
        type: alertmanager
        config:
          service:
            namespace: kubesphere-monitoring-system
            port: 9093
