Install Kubernetes Audit Logging

Kubernetes log integration enables Sysdig Secure to use Kubernetes audit log data for Falco Rules and activity audit.

The integration allows auditing of:

  • Creation and destruction of pods, services, deployments, and daemon sets
  • Creating/updating/removing config maps or secrets
  • Attempts to subscribe to changes to any endpoint

To enable the Kubernetes Audit Logging feature, use the admission-controller chart. The admission controller is being deprecated and replaced, but the Kubernetes Audit Logging feature is still supported.

Prerequisites

Deployment

  1. Recommended: Replace helm install with helm upgrade --install.

  2. To enable Kubernetes audit logging in your existing Sysdig Secure Helm install command, add the following flags:

     --set admissionController.sysdig.secureAPIToken=<my key> \
     --set admissionController.enabled=true \
     --set admissionController.features.k8sAuditDetections=true \
     --set scanner.enabled=false
    
  3. For additional configuration options, such as on-premises deployments or using a proxy, see the admission-controller readme.
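
Passing the API token with --set puts it on the command line, where it is visible in shell history and process listings. As an added example (not from the Sysdig documentation), the script below writes the same four settings from step 2 to an owner-only values file and passes it with -f; the names SYSDIG_SECURE_API_TOKEN, RELEASE, CHART and NAMESPACE are assumptions standing in for your own values.

```shell
#!/bin/sh
# Added example: render the step 2 --set flags into a values file so the
# Secure API token is not passed as a command-line argument.
# SYSDIG_SECURE_API_TOKEN, RELEASE, CHART and NAMESPACE are assumed names.

# write_values FILE: write the four settings from step 2 as nested YAML.
write_values() {
    out=$1
    token=${SYSDIG_SECURE_API_TOKEN:-}
    if [ -z "$token" ]; then
        echo "SYSDIG_SECURE_API_TOKEN is not set" >&2
        return 1
    fi
    # Refuse anything that could break out of the quoted YAML scalar.
    case $token in
        *[!A-Za-z0-9_-]*) echo "unexpected character in token" >&2; return 1 ;;
    esac
    (
        umask 077   # a newly created file is readable by its owner only
        cat > "$out" <<EOF
admissionController:
  enabled: true
  sysdig:
    secureAPIToken: "$token"
  features:
    k8sAuditDetections: true
scanner:
  enabled: false
EOF
    )
}

# deploy: same settings as the four --set flags, passed with -f instead.
# Append the remaining flags of your existing install command as needed.
deploy() {
    values=$(mktemp) || return 1
    trap 'rm -f "$values"' EXIT
    write_values "$values" || return 1
    helm upgrade --install "$RELEASE" "$CHART" \
        --namespace "$NAMESPACE" -f "$values"
}

# Run only when asked to, e.g.: sh enable-audit.sh deploy
if [ "${1:-}" = "deploy" ]; then
    deploy
fi
```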