Install Kubernetes Audit Logging

Kubernetes log integration enables Sysdig Secure to use Kubernetes audit log data for Falco Rules and activity audit.

The integration allows auditing of:

Creation and destruction of pods, services, deployments, and daemon sets
Creating/updating/removing config maps or secrets
Attempts to subscribe to changes to any endpoint

To enable the Kubernetes Audit Logging feature, use the admission-controller chart. The admission controller is in the process of being deprecated and replaced, however the Kubernetes Audit Logging feature is still supported.

Prerequisites

Installed Sysdig Components on Kubernetes using Helm
A Sysidg Secure API token
- Recommended: Set up a service account with minimal priviledge, such as a Standard role.
- Or: Use a custom role with the following permissions for Sysdig Secure:
  - Policies | policies = read

Deployment

Recommended: Replace helm install with helm upgrade --install.

To enable Kubernetes audit logging in your existing Sysdig Secure Helm install command, add the following flags:

 --set admissionController.sysdig.secureAPIToken=<my key>
 --set admissionController.enabled=true \
 --set admissionController.features.k8sAuditDetections=true \
 --set scanner.enabled=false

For additional configuration options, including on-premises, using a proxy etc., see the admission-controller readme.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.