How to enable Kube-apiserver Audit logs?
The audit log of the Kubernetes API Server (kube-apiserver) is an important component of Kubernetes security. It keeps track of all API server requests, including who initiated the request, what action was taken, and when it was completed. RKE2, Rancher's lightweight Kubernetes deployment, makes it simple to enable the kube-apiserver audit log. This article walks through the steps to enable the kube-apiserver audit log in RKE2.
Step 1: Update the RKE2 Configuration File
The first step is to enable the audit log by updating the RKE2 config file. Accomplish this by executing the following command:
- echo "audit-policy-file: /etc/rancher/rke2/audit-policy.yaml" >> /etc/rancher/rke2/config.yaml
This command adds a new line to the RKE2 configuration file indicating the location of the audit policy file.
Step 2: Create an Audit Policy File
Create an audit policy file at the location specified in the RKE2 configuration file by running the following command:
cat <<EOF > /etc/rancher/rke2/audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
EOF
This command creates a new file named audit-policy.yaml in the /etc/rancher/rke2/ directory with the provided audit policy. The above policy only records metadata-level audit events, which include request and response metadata.
Step 3: Restart RKE2 Server
Restart the RKE2 server after creating the audit policy file to apply the modifications.
- systemctl restart rke2-server
Step 4: Monitor Audit Log
Finally, monitor the audit log by running the following command:
- tail -f /var/lib/rancher/rke2/server/logs/audit.log
This command follows the audit log file in real time, displaying the latest audit events as they occur.
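The log that Step 4 tails contains one JSON audit event per line, so it can be triaged with a short script instead of being read by eye. The following Python sketch is an added example, not part of the original article or of RKE2; the sample events, the user names and the three review rules (denied requests, secret access by non-system users, pod exec/attach) are constructed assumptions.

```python
import json

def ev(user, verb, code, stage="ResponseComplete", **ref):
    """Build one constructed audit.k8s.io/v1 Event as a JSON line."""
    e = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
         "stage": stage, "verb": verb, "user": {"username": user},
         "sourceIPs": ["192.0.2.10"], "objectRef": ref}
    if code is not None:
        e["responseStatus"] = {"code": code}
    return json.dumps(e)

# Constructed sample input (not real cluster output), shaped like audit.log lines.
SAMPLE_LINES = [
    ev("system:serviceaccount:kube-system:coredns", "list", 200,
       resource="endpoints", namespace="default"),
    ev("alice", "get", 200, resource="secrets", namespace="prod"),
    ev("bob", "delete", 403, resource="pods", namespace="prod"),
    ev("alice", "create", 101, resource="pods", subresource="exec", namespace="prod"),
    ev("alice", "get", None, stage="RequestReceived", resource="secrets", namespace="prod"),
    '{"kind": "Event", "stage": "Respon',  # truncated line, e.g. read mid-write
]

def triage(lines):
    """Return (reason, user, verb, resource, namespace) for events worth review."""
    findings = []
    for line in lines:
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial or corrupt lines instead of aborting
        if e.get("stage") != "ResponseComplete":
            continue  # count each request once, at its final stage
        user = e.get("user", {}).get("username", "")
        ref = e.get("objectRef") or {}  # absent for non-resource URLs
        code = (e.get("responseStatus") or {}).get("code")
        res = "/".join(filter(None, [ref.get("resource"), ref.get("subresource")]))
        if code in (401, 403):
            reason = "denied"
        elif res == "secrets" and not user.startswith("system:"):
            reason = "secret-access"  # heuristic: human or external identity
        elif res in ("pods/exec", "pods/attach"):
            reason = "pod-exec"
        else:
            continue
        findings.append((reason, user, e.get("verb"), res, ref.get("namespace")))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LINES), sep="\n")
```

To run it against a live node, pass the lines of /var/lib/rancher/rke2/server/logs/audit.log to triage() in place of SAMPLE_LINES.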