我的书签
添加书签
移除书签Viewing audit logs
Audit works at the API server level, logging all requests coming to the server. Each audit log contains the following information:
Example output for the Kubernetes API server:
You can view the logs for the OpenShift API server, Kubernetes API server, and OpenShift OAuth API server for each control plane node (also known as the master node).
Procedure
To view the audit logs:
View the OpenShift API server logs:
List the OpenShift API server logs that are available for each control plane node:
$ oc adm node-logs --role=master --path=openshift-apiserver/
Example output
ci-ln-m0wpfjb-f76d1-vnb5x-master-0 audit-2021-03-09T00-12-19.834.logci-ln-m0wpfjb-f76d1-vnb5x-master-0 audit.logci-ln-m0wpfjb-f76d1-vnb5x-master-1 audit-2021-03-09T00-11-49.835.logci-ln-m0wpfjb-f76d1-vnb5x-master-1 audit.logci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit-2021-03-09T00-13-00.128.logci-ln-m0wpfjb-f76d1-vnb5x-master-2 audit.log
View a specific OpenShift API server log by providing the node name and the log name:
$ oc adm node-logs <node_name> --path=openshift-apiserver/<log_name>
For example:
$ oc adm node-logs ci-ln-m0wpfjb-f76d1-vnb5x-master-0 --path=openshift-apiserver/audit-2021-03-09T00-12-19.834.log
Example output
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"381acf6d-5f30-4c7d-8175-c9c317ae5893","stage":"ResponseComplete","requestURI":"/metrics","verb":"get","user":{"username":"system:serviceaccount:openshift-monitoring:prometheus-k8s","uid":"825b60a0-3976-4861-a342-3b2b561e8f82","groups":["system:serviceaccounts","system:serviceaccounts:openshift-monitoring","system:authenticated"]},"sourceIPs":["10.129.2.6"],"userAgent":"Prometheus/2.23.0","responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-03-08T18:02:04.086545Z","stageTimestamp":"2021-03-08T18:02:04.107102Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"prometheus-k8s\" of ClusterRole \"prometheus-k8s\" to ServiceAccount \"prometheus-k8s/openshift-monitoring\""}}
View the OpenShift OAuth API server logs:
List the OpenShift OAuth API server logs that are available for each control plane node:
$ oc adm node-logs --role=master --path=oauth-apiserver/
Example output
View a specific OpenShift OAuth API server log by providing the node name and the log name:
$ oc adm node-logs <node_name> --path=oauth-apiserver/<log_name>
For example:
$ oc adm node-logs ci-ln-m0wpfjb-f76d1-vnb5x-master-0 --path=oauth-apiserver/audit-2021-03-09T13-06-26.128.log
Example output
You can use jq or another JSON parsing tool to filter the API server audit logs.
The amount of information logged to the API server audit logs is controlled by the audit log policy that is set. |
The following procedure provides examples of using jq to filter audit logs on control plane node node-1.example.com. See the jq Manual for detailed information on using jq.
Prerequisites
You have access to the cluster as a user with the
cluster-adminrole.You have installed
jq.
Procedure
Filter OpenShift API server audit logs by user:
$ oc adm node-logs node-1.example.com \--path=openshift-apiserver/audit.log \| jq 'select(.user.username == "myusername")'
Filter OpenShift API server audit logs by user agent:
$ oc adm node-logs node-1.example.com \--path=openshift-apiserver/audit.log \| jq 'select(.userAgent == "cluster-version-operator/v0.0.0 (linux/amd64) kubernetes/$Format")'
Filter Kubernetes API server audit logs by a certain API version and only output the user agent:
Filter OpenShift OAuth API server audit logs by excluding a verb:
$ oc adm node-logs node-1.example.com \--path=oauth-apiserver/audit.log \
