Audit policy in Managed Service for Kubernetes

Written by
Yandex Cloud
Updated at January 20, 2025
  • Stages
  • Levels
  • Audit policy files in Managed Service for Kubernetes
    • Descriptions of audit policy rules

An audit policy establishes the rules that determine which events are written to the audit log and what data each event contains. Audit events are generated by requests to the Kubernetes API server at each stage of their execution. The audit policy rules are evaluated in order, and the first rule that matches the event sets the audit level for that event; later rules are not considered.

Stages

Stage             Event generation point
RequestReceived   Once the audit event handler receives a request.
ResponseStarted   After the response headers are sent but before the response body is sent.
ResponseComplete  After the response body is sent.
Panic             After a critical error occurs.

Levels

Level            Description
None             Do not log any events.
Metadata         Log the event metadata only, without the request or response body.
Request          Log the event metadata and the request body, but not the response body.
RequestResponse  Log the event metadata, the request body, and the response body.

Audit policy files in Managed Service for Kubernetes

An audit policy file in Managed Service for Kubernetes looks as follows:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # Core.
        resources: ["endpoints", "services", "services/status"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # Core.
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"] # Legacy kubelet identity.
    verbs: ["get"]
    resources:
      - group: "" # Core.
        resources: ["nodes", "nodes/status"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # Core.
        resources: ["nodes", "nodes/status"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # Core.
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # Core.
        resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
  - level: None
    users: ["cluster-autoscaler"]
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # Core.
        resources: ["configmaps", "endpoints"]
  - level: None
    users:
      - system:kube-controller-manager
    verbs: ["get", "list"]
    resources:
      - group: "metrics.k8s.io"
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  - level: None
    resources:
      - group: "" # Core.
        resources: ["events"]
  - level: Request
    users: ["kubelet", "system:node-problem-detector", "system:serviceaccount:kube-system:node-problem-detector"]
    verbs: ["update","patch"]
    resources:
      - group: "" # Core.
        resources: ["nodes/status", "pods/status"]
    omitStages:
      - "RequestReceived"
  - level: Request
    userGroups: ["system:nodes"]
    verbs: ["update","patch"]
    resources:
      - group: "" # Core.
        resources: ["nodes/status", "pods/status"]
    omitStages:
      - "RequestReceived"
  - level: Request
    users: ["system:serviceaccount:kube-system:namespace-controller"]
    verbs: ["deletecollection"]
    omitStages:
      - "RequestReceived"
  - level: Metadata
    resources:
      - group: "" # Core.
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
    omitStages:
      - "RequestReceived"
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # Core.
      - group: "admissionregistration.k8s.io"
      - group: "apiextensions.k8s.io"
      - group: "apiregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "metrics.k8s.io"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "scheduling.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
    omitStages:
      - "RequestReceived"
  - level: RequestResponse
    resources:
      - group: "" # Core.
      - group: "admissionregistration.k8s.io"
      - group: "apiextensions.k8s.io"
      - group: "apiregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "metrics.k8s.io"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "scheduling.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
    omitStages:
      - "RequestReceived"
  - level: Metadata
    omitStages:
      - "RequestReceived"

Descriptions of audit policy rules

Sample audit policy rules are given below.

Rule for the None level

- level: None
  users: ["kubelet"] # Legacy kubelet identity.
  verbs: ["get"]
  resources:
    - group: "" # Core.
      resources: ["nodes", "nodes/status"]

It means that event details should not be logged if the following conditions are true:

  • A request is sent by the kubelet component from a Managed Service for Kubernetes cluster node.
  • The request type is get.
  • The request refers to the nodes or nodes/status resources.

Rule for the Metadata level

- level: Metadata
  resources:
    - group: "" # Core.
      resources: ["secrets", "configmaps", "serviceaccounts/token"]
    - group: authentication.k8s.io
      resources: ["tokenreviews"]
  omitStages:
    - "RequestReceived"

It means that the event metadata should be logged if the following conditions are true:

  • The event does not match any of the previous rules in the audit policy.
  • The request refers to the secrets, configmaps, serviceaccounts/token, or tokenreviews resources.
  • The event is not part of the RequestReceived stage.

Rule for the Request level

- level: Request
  userGroups: ["system:nodes"]
  verbs: ["update","patch"]
  resources:
    - group: "" # Core.
      resources: ["nodes/status", "pods/status"]
  omitStages:
    - "RequestReceived"

It means that the event metadata and request body should be logged if the following conditions are true:

  • The event does not match any of the previous rules in the audit policy.
  • A request is sent by a component from the system:nodes group.
  • The request type is update or patch.
  • The request refers to the nodes/status or pods/status resources.
  • The event is not part of the RequestReceived stage.

Rule for the Request level

- level: Request
  verbs: ["get", "list", "watch"]
  resources:
    - group: "" # Core.
    - group: "admissionregistration.k8s.io"
    - group: "apiextensions.k8s.io"
    - group: "apiregistration.k8s.io"
    - group: "apps"
    - group: "authentication.k8s.io"
    - group: "authorization.k8s.io"
    - group: "autoscaling"
    - group: "batch"
    - group: "certificates.k8s.io"
    - group: "extensions"
    - group: "metrics.k8s.io"
    - group: "networking.k8s.io"
    - group: "policy"
    - group: "rbac.authorization.k8s.io"
    - group: "scheduling.k8s.io"
    - group: "settings.k8s.io"
    - group: "storage.k8s.io"
  omitStages:
    - "RequestReceived"

It means that the event metadata and request body should be logged if the following conditions are true:

  • The event does not match any of the previous rules in the audit policy.
  • The request type is get, list, or watch.
  • The request belongs to a resource group from the list.
  • The event is not part of the RequestReceived stage.

Rule for the RequestResponse level

- level: RequestResponse
  resources:
    - group: "" # Core.
    - group: "admissionregistration.k8s.io"
    - group: "apiextensions.k8s.io"
    - group: "apiregistration.k8s.io"
    - group: "apps"
    - group: "authentication.k8s.io"
    - group: "authorization.k8s.io"
    - group: "autoscaling"
    - group: "batch"
    - group: "certificates.k8s.io"
    - group: "extensions"
    - group: "metrics.k8s.io"
    - group: "networking.k8s.io"
    - group: "policy"
    - group: "rbac.authorization.k8s.io"
    - group: "scheduling.k8s.io"
    - group: "settings.k8s.io"
    - group: "storage.k8s.io"
  omitStages:
    - "RequestReceived"

It means that the event metadata, request body, and response body should be logged if the following conditions are true:

  • The event does not match any of the previous rules in the audit policy.
  • The request type is create, update, or delete. The rule does not state this explicitly; it follows from the fact that the previous rule already matched the get, list, and watch request types for these resource groups, so this rule only sees the remaining ones.
  • The request belongs to a resource group from the list.
  • The event is not part of the RequestReceived stage.
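As an added illustration (not Yandex Cloud code), the first-match evaluation described in the rule descriptions above and in the full policy file can be worked through in Python. The policy is a hand-written subset of the page's rules, the events are constructed, and only the selectors this page uses (users, userGroups, verbs, namespaces, resources, nonResourceURLs, omitStages) are implemented; it is a simplified model of the matching, not the API server's own code.

```python
from fnmatch import fnmatch
# Constructed subset of the page's policy, in the page's order (first match wins).
POLICY = [
    {"level": "None", "users": ["kubelet"], "verbs": ["get"],
     "resources": [{"group": "", "resources": ["nodes", "nodes/status"]}]},
    {"level": "None", "nonResourceURLs": ["/healthz*", "/version"]},
    {"level": "Metadata", "omitStages": ["RequestReceived"],
     "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
    {"level": "Request", "verbs": ["get", "list", "watch"],
     "resources": [{"group": ""}, {"group": "apps"}], "omitStages": ["RequestReceived"]},
    {"level": "RequestResponse", "resources": [{"group": ""}, {"group": "apps"}],
     "omitStages": ["RequestReceived"]},
    {"level": "Metadata", "omitStages": ["RequestReceived"]},  # catch-all rule
]
def _resource_match(entries, ev):
    """Group must be equal and, if the entry names resources, the event's resource must
    be one of them. Non-resource requests (no 'resource' key) never match."""
    return "resource" in ev and any(
        e.get("group", "") == ev.get("group", "")
        and (not e.get("resources") or ev["resource"] in e["resources"])
        for e in entries)

def matches(rule, ev):
    """Every selector present in the rule must match the event; absent ones match all."""
    for key, field in (("users", "user"), ("verbs", "verb"), ("namespaces", "namespace")):
        if key in rule and ev.get(field) not in rule[key]:
            return False
    if "userGroups" in rule and not set(rule["userGroups"]) & set(ev.get("groups", ())):
        return False
    if "resources" in rule and not _resource_match(rule["resources"], ev):
        return False
    if "nonResourceURLs" in rule and not any(
            fnmatch(ev.get("url", ""), p) for p in rule["nonResourceURLs"]):
        return False
    return True

def audit_level(policy, ev):
    """First matching rule sets the level; a stage in that rule's omitStages is dropped."""
    for rule in policy:
        if matches(rule, ev):
            kept = ev["stage"] not in rule.get("omitStages", [])
            return rule["level"], kept and rule["level"] != "None"
    return "None", False  # no rule matched: nothing is logged
# Constructed events: kubelet reading its node, a Secret read, a Deployment create, a probe.
SAMPLE = [
    {"user": "kubelet", "verb": "get", "group": "", "resource": "nodes", "stage": "ResponseComplete"},
    {"user": "jane", "verb": "get", "group": "", "resource": "secrets", "stage": "ResponseComplete"},
    {"user": "jane", "verb": "create", "group": "apps", "resource": "deployments", "stage": "RequestReceived"},
    {"user": "probe", "verb": "get", "url": "/healthz", "stage": "ResponseComplete"},
]
```

Running audit_level over SAMPLE shows the kubelet node read and the health probe dropped by None rules, the Secret read logged at Metadata, and the Deployment create matched at RequestResponse but suppressed at the RequestReceived stage.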

For more information about audit policies, see the Kubernetes documentation.
