Audit policy in Managed Service for Kubernetes

Written by

Updated at November 1, 2023

Stages
Levels
Audit policy files in Managed Service for Kubernetes
- Descriptions of audit policy rules

An audit policy establishes the rules that determine which events should be logged to an audit log and what data they should contain. Audit events are generated by requests to the Kubernetes API server at each stage of their execution. The audit policy rules are applied one by one. The first rule corresponding to the event sets the audit event level.

Stages

Stage	Event generation point
`RequestReceived`	Once the audit event handler receives a request.
`ResponseStarted`	After sending response headers but before sending the response body.
`ResponseComplete`	After sending the response body.
`Panic`	After critical errors occur.

Levels

Level	Description
`None`	Do not log any events.
`Metadata`	Log the event metadata, excluding the request or response body.
`Request`	Log the event metadata and request body without the response body.
`RequestResponse`	Log the event metadata, request body, and response body.

Audit policy files in Managed Service for Kubernetes

An audit policy file in Managed Service for Kubernetes looks as follows:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # Core.
        resources: ["endpoints", "services", "services/status"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # Core.
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"] # Legacy kubelet identity.
    verbs: ["get"]
    resources:
      - group: "" # Core.
        resources: ["nodes", "nodes/status"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # Core.
        resources: ["nodes", "nodes/status"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # Core.
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # Core.
        resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
  - level: None
    users: ["cluster-autoscaler"]
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # Core.
        resources: ["configmaps", "endpoints"]
  - level: None
    users:
      - system:kube-controller-manager
    verbs: ["get", "list"]
    resources:
      - group: "metrics.k8s.io"
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  - level: None
    resources:
      - group: "" # Core.
        resources: ["events"]
  - level: Request
    users: ["kubelet", "system:node-problem-detector", "system:serviceaccount:kube-system:node-problem-detector"]
    verbs: ["update","patch"]
    resources:
      - group: "" # Core.
        resources: ["nodes/status", "pods/status"]
    omitStages:
      - "RequestReceived"
  - level: Request
    userGroups: ["system:nodes"]
    verbs: ["update","patch"]
    resources:
      - group: "" # Core.
        resources: ["nodes/status", "pods/status"]
    omitStages:
      - "RequestReceived"
  - level: Request
    users: ["system:serviceaccount:kube-system:namespace-controller"]
    verbs: ["deletecollection"]
    omitStages:
      - "RequestReceived"
  - level: Metadata
    resources:
      - group: "" # Core.
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
    omitStages:
      - "RequestReceived"
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # Core.
      - group: "admissionregistration.k8s.io"
      - group: "apiextensions.k8s.io"
      - group: "apiregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "metrics.k8s.io"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "scheduling.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
    omitStages:
      - "RequestReceived"
  - level: RequestResponse
    resources:
      - group: "" # Core.
      - group: "admissionregistration.k8s.io"
      - group: "apiextensions.k8s.io"
      - group: "apiregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "metrics.k8s.io"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "scheduling.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
    omitStages:
      - "RequestReceived"
  - level: Metadata
    omitStages:
      - "RequestReceived"

Descriptions of audit policy rules

Sample audit policy rules are given below.

Rule for the `None`level

- level: None
  users: ["kubelet"] # Legacy kubelet identity.
  verbs: ["get"]
  resources:
    - group: "" # Core.
      resources: ["nodes", "nodes/status"]

It means that event details should not be logged if the following conditions are true:

A request is sent by the kubelet component from a Managed Service for Kubernetes cluster node.
The request type is get.
The request refers to the nodes or nodes/status resources.

Rule for the `Metadata`level

- level: Metadata
  resources:
    - group: "" # Core.
      resources: ["secrets", "configmaps", "serviceaccounts/token"]
    - group: authentication.k8s.io
      resources: ["tokenreviews"]
  omitStages:
    - "RequestReceived"

It means that the event metadata should be logged if the following conditions are true:

The event does not match any of the previous rules in the audit policy.
The request refers to the secrets, configmaps, serviceaccounts/token, or tokenreviews resources.
The event is not part of the RequestReceived stage.

Rule for the `Request`level

- level: Request
  userGroups: ["system:nodes"]
  verbs: ["update","patch"]
  resources:
    - group: "" # Core.
      resources: ["nodes/status", "pods/status"]
  omitStages:
    - "RequestReceived"

It means that the event metadata and request body should be logged if the following conditions are true:

The event does not match any of the previous rules in the audit policy.
A request is sent by a component from the system:nodes group.
The request type is update or patch.
The request refers to the nodes/status or pods/status resources.
The event is not part of the RequestReceived stage.

Rule for the `Request`level

- level: Request
  verbs: ["get", "list", "watch"]
  resources:
    - group: "" # Core.
    - group: "admissionregistration.k8s.io"
    - group: "apiextensions.k8s.io"
    - group: "apiregistration.k8s.io"
    - group: "apps"
    - group: "authentication.k8s.io"
    - group: "authorization.k8s.io"
    - group: "autoscaling"
    - group: "batch"
    - group: "certificates.k8s.io"
    - group: "extensions"
    - group: "metrics.k8s.io"
    - group: "networking.k8s.io"
    - group: "policy"
    - group: "rbac.authorization.k8s.io"
    - group: "scheduling.k8s.io"
    - group: "settings.k8s.io"
    - group: "storage.k8s.io"
  omitStages:
    - "RequestReceived"

It means that the event metadata and request body should be logged if the following conditions are true:

The event does not match any of the previous rules in the audit policy.
The request type is get, list, or watch.
The request belongs to a resource group from the list.
The event is not part of the RequestReceived stage.

Rule for the `RequestResponse`level

- level: RequestResponse
  resources:
    - group: "" # Core.
    - group: "admissionregistration.k8s.io"
    - group: "apiextensions.k8s.io"
    - group: "apiregistration.k8s.io"
    - group: "apps"
    - group: "authentication.k8s.io"
    - group: "authorization.k8s.io"
    - group: "autoscaling"
    - group: "batch"
    - group: "certificates.k8s.io"
    - group: "extensions"
    - group: "metrics.k8s.io"
    - group: "networking.k8s.io"
    - group: "policy"
    - group: "rbac.authorization.k8s.io"
    - group: "scheduling.k8s.io"
    - group: "settings.k8s.io"
    - group: "storage.k8s.io"
  omitStages:
    - "RequestReceived"

It means that the event metadata, request body, and response body should be logged if the following conditions are true:

The event does not match any of the previous rules in the audit policy.
The request type is create, update, or delete. This is not specified explicitly, but is clear from the fact that the rule does not apply to the previously specified request types: get, list, or watch.
The request belongs to a resource group from the list.
The event is not part of the RequestReceived stage.

For more information about audit policies, see the Kubernetes documentation.

Audit policy in Managed Service for Kubernetes

StagesStages

LevelsLevels

Audit policy files in Managed Service for KubernetesAudit policy files in Managed Service for Kubernetes

Descriptions of audit policy rulesDescriptions of audit policy rules

Rule for the levelRule for the Nonelevel

Rule for the levelRule for the Metadatalevel

Rule for the levelRule for the Requestlevel

Rule for the levelRule for the Requestlevel

Rule for the levelRule for the RequestResponselevel

Was the article helpful?

Stages

Levels

Audit policy files in Managed Service for Kubernetes

Descriptions of audit policy rules

Rule for the `None`level

Rule for the `Metadata`level

Rule for the `Request`level

Rule for the `Request`level

Rule for the `RequestResponse`level