Audit policy in Managed Service for Kubernetes
An audit policy
Stages
Stage | Event generation point |
---|---|
RequestReceived | Once the audit event handler receives a request. |
ResponseStarted | After sending response headers but before sending the response body. |
ResponseComplete | After sending the response body. |
Panic | After critical errors occur. |
Levels
Level | Description |
---|---|
None | Do not log any events. |
Metadata | Log the event metadata, excluding the request or response body. |
Request | Log the event metadata and request body without the response body. |
RequestResponse | Log the event metadata, request body, and response body. |
Audit policy files in Managed Service for Kubernetes
An audit policy file in Managed Service for Kubernetes looks as follows:
```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # Core.
        resources: ["endpoints", "services", "services/status"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # Core.
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"] # Legacy kubelet identity.
    verbs: ["get"]
    resources:
      - group: "" # Core.
        resources: ["nodes", "nodes/status"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # Core.
        resources: ["nodes", "nodes/status"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # Core.
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # Core.
        resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
  - level: None
    users: ["cluster-autoscaler"]
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # Core.
        resources: ["configmaps", "endpoints"]
  - level: None
    users:
      - system:kube-controller-manager
    verbs: ["get", "list"]
    resources:
      - group: "metrics.k8s.io"
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  - level: None
    resources:
      - group: "" # Core.
        resources: ["events"]
  - level: Request
    users: ["kubelet", "system:node-problem-detector", "system:serviceaccount:kube-system:node-problem-detector"]
    verbs: ["update","patch"]
    resources:
      - group: "" # Core.
        resources: ["nodes/status", "pods/status"]
    omitStages:
      - "RequestReceived"
  - level: Request
    userGroups: ["system:nodes"]
    verbs: ["update","patch"]
    resources:
      - group: "" # Core.
        resources: ["nodes/status", "pods/status"]
    omitStages:
      - "RequestReceived"
  - level: Request
    users: ["system:serviceaccount:kube-system:namespace-controller"]
    verbs: ["deletecollection"]
    omitStages:
      - "RequestReceived"
  - level: Metadata
    resources:
      - group: "" # Core.
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
    omitStages:
      - "RequestReceived"
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # Core.
      - group: "admissionregistration.k8s.io"
      - group: "apiextensions.k8s.io"
      - group: "apiregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "metrics.k8s.io"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "scheduling.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
    omitStages:
      - "RequestReceived"
  - level: RequestResponse
    resources:
      - group: "" # Core.
      - group: "admissionregistration.k8s.io"
      - group: "apiextensions.k8s.io"
      - group: "apiregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "metrics.k8s.io"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "scheduling.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
    omitStages:
      - "RequestReceived"
  - level: Metadata
    omitStages:
      - "RequestReceived"
```
Descriptions of audit policy rules
Sample audit policy rules are given below. Rules are evaluated in the order they appear in the policy, and the first rule that matches an event determines the level at which that event is logged.
Rule for the None level
```yaml
- level: None
  users: ["kubelet"] # Legacy kubelet identity.
  verbs: ["get"]
  resources:
    - group: "" # Core.
      resources: ["nodes", "nodes/status"]
```
It means that event details should not be logged if the following conditions are true:
- A request is sent by the `kubelet` component from a Managed Service for Kubernetes cluster node.
- The request type is `get`.
- The request refers to the `nodes` or `nodes/status` resources.
Rule for the Metadata level
```yaml
- level: Metadata
  resources:
    - group: "" # Core.
      resources: ["secrets", "configmaps", "serviceaccounts/token"]
    - group: authentication.k8s.io
      resources: ["tokenreviews"]
  omitStages:
    - "RequestReceived"
```
It means that the event metadata should be logged if the following conditions are true:
- The event does not match any of the previous rules in the audit policy.
- The request refers to the `secrets`, `configmaps`, `serviceaccounts/token`, or `tokenreviews` resources.
- The event is not part of the `RequestReceived` stage.
Rule for the Request level
```yaml
- level: Request
  userGroups: ["system:nodes"]
  verbs: ["update","patch"]
  resources:
    - group: "" # Core.
      resources: ["nodes/status", "pods/status"]
  omitStages:
    - "RequestReceived"
```
It means that the event metadata and request body should be logged if the following conditions are true:
- The event does not match any of the previous rules in the audit policy.
- A request is sent by a component from the `system:nodes` group.
- The request type is `update` or `patch`.
- The request refers to the `nodes/status` or `pods/status` resources.
- The event is not part of the `RequestReceived` stage.
Rule for the Request level
```yaml
- level: Request
  verbs: ["get", "list", "watch"]
  resources:
    - group: "" # Core.
    - group: "admissionregistration.k8s.io"
    - group: "apiextensions.k8s.io"
    - group: "apiregistration.k8s.io"
    - group: "apps"
    - group: "authentication.k8s.io"
    - group: "authorization.k8s.io"
    - group: "autoscaling"
    - group: "batch"
    - group: "certificates.k8s.io"
    - group: "extensions"
    - group: "metrics.k8s.io"
    - group: "networking.k8s.io"
    - group: "policy"
    - group: "rbac.authorization.k8s.io"
    - group: "scheduling.k8s.io"
    - group: "settings.k8s.io"
    - group: "storage.k8s.io"
  omitStages:
    - "RequestReceived"
```
It means that the event metadata and request body should be logged if the following conditions are true:
- The event does not match any of the previous rules in the audit policy.
- The request type is `get`, `list`, or `watch`.
- The request belongs to a resource group from the list.
- The event is not part of the `RequestReceived` stage.
Rule for the RequestResponse level
```yaml
- level: RequestResponse
  resources:
    - group: "" # Core.
    - group: "admissionregistration.k8s.io"
    - group: "apiextensions.k8s.io"
    - group: "apiregistration.k8s.io"
    - group: "apps"
    - group: "authentication.k8s.io"
    - group: "authorization.k8s.io"
    - group: "autoscaling"
    - group: "batch"
    - group: "certificates.k8s.io"
    - group: "extensions"
    - group: "metrics.k8s.io"
    - group: "networking.k8s.io"
    - group: "policy"
    - group: "rbac.authorization.k8s.io"
    - group: "scheduling.k8s.io"
    - group: "settings.k8s.io"
    - group: "storage.k8s.io"
  omitStages:
    - "RequestReceived"
```
It means that the event metadata, request body, and response body should be logged if the following conditions are true:
- The event does not match any of the previous rules in the audit policy.
- The request type is `create`, `update`, or `delete`. This is not specified explicitly, but is clear from the fact that the rule does not apply to the previously specified request types: `get`, `list`, or `watch`.
- The request belongs to a resource group from the list.
- The event is not part of the `RequestReceived` stage.
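To make the first-match evaluation described in the rules above concrete, the following is an added Python evaluator (not part of this page or of Managed Service for Kubernetes) that applies a subset of the policy's rules to constructed request events. The `make_event` helper, its field names, and the sample user and group names are assumptions made for this example only.

```python
# Added example: minimal first-match evaluator for the audit policy rules this
# page describes. The rule subset is copied from the policy above; the event
# dictionaries and their field names are constructed for this example only.

POLICY_RULES = [
    {"level": "None", "users": ["kubelet"], "verbs": ["get"],
     "resources": [{"group": "", "resources": ["nodes", "nodes/status"]}]},
    {"level": "Metadata", "omitStages": ["RequestReceived"],
     "resources": [{"group": "", "resources": ["secrets", "configmaps", "serviceaccounts/token"]},
                   {"group": "authentication.k8s.io", "resources": ["tokenreviews"]}]},
    {"level": "Request", "userGroups": ["system:nodes"], "verbs": ["update", "patch"],
     "resources": [{"group": "", "resources": ["nodes/status", "pods/status"]}],
     "omitStages": ["RequestReceived"]},
    {"level": "Request", "verbs": ["get", "list", "watch"], "omitStages": ["RequestReceived"],
     "resources": [{"group": ""}, {"group": "apps"}]},
    {"level": "RequestResponse", "omitStages": ["RequestReceived"],
     "resources": [{"group": ""}, {"group": "apps"}]},
    {"level": "Metadata", "omitStages": ["RequestReceived"]},  # catch-all rule
]

def make_event(user, verb, group, resource, groups=()):
    """Constructed resource-request event in the shape this example expects."""
    return {"user": user, "groups": set(groups), "verb": verb,
            "group": group, "resource": resource}

def _resources_match(rule_resources, event):
    # An entry with only a group matches every resource in that group; an entry
    # with a "resources" list must name the resource (subresources literally,
    # e.g. "nodes/status", as the policy above does).
    return any(entry.get("group", "") == event["group"]
               and (not entry.get("resources") or event["resource"] in entry["resources"])
               for entry in rule_resources)

def _rule_matches(rule, event):
    # Every selector present in the rule must match; absent selectors match anything.
    return ((event["user"] in rule["users"] if "users" in rule else True)
            and (bool(event["groups"] & set(rule["userGroups"])) if "userGroups" in rule else True)
            and (event["verb"] in rule["verbs"] if "verbs" in rule else True)
            and (_resources_match(rule["resources"], event) if "resources" in rule else True))

def audit_level(rules, event, stage):
    """Level set by the first matching rule; 'None' if that rule omits the stage or nothing matches."""
    for rule in rules:
        if _rule_matches(rule, event):
            return "None" if stage in rule.get("omitStages", []) else rule["level"]
    return "None"
```

A `patch` on `nodes/status` from a `system:nodes` member evaluates to `Request` at `ResponseComplete` but to `None` at `RequestReceived`, which shows the effect of `omitStages`; a request to a group absent from every explicit rule falls through to the catch-all `Metadata` rule.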
For more information about audit policies, see the Kubernetes documentation.