Kubernetes Audit Logging

Kubernetes log integration enables Sysdig Secure to use Kubernetes audit log data in the Events feed and the Activity Audit.

The integration allows auditing of:

  • Creation and destruction of pods, services, deployments, daemon sets, etc.

  • Creating/updating/removing config maps or secrets

  • Attempts to subscribe to changes to any endpoint

Prerequisite

  • Install using either a Helm chart or a platform-specific installation procedure. Ensure that features.k8sAuditDetections is set to true (the default value) so that the feature is enabled.

View Results in the UI

When Kubernetes audit logging is installed and enabled, the default audit policies included out of the box are active, and policy violations are visible in the following locations:

  • Events Feed

    In the Sysdig Secure UI, select Events, and check for one of the Kubernetes Audit Policy names, such as Sysdig K8s Notable Events.

  • Activity Audit

    In the Sysdig Secure UI, select Investigate > Activity Audit and filter for Kubernetes.

Manage Relevant Policies and Rules

Review Kubernetes Audit Policies

  1. Log in to Sysdig Secure and select Policies > Threat Detection > Runtime Policies.

  2. Open the Select policy type dropdown and choose Kubernetes Audit.

    The default managed policies and any additional custom policies are displayed.

  3. You can:

    • Enable/disable existing policies
    • Create a custom Kubernetes audit policy. For more information, see Create policies.

Review Default Audit Logging Rules

The Kubernetes audit logging rules can be viewed in the Sysdig Policies Rules Editor, found in the Policies module. To view the audit rules:

  1. Log in to Sysdig Secure and select Policies > Rules > Rules Editor.

  2. Open the drop-down for the default rules, and select k8s_audit_rules.yaml.

Modify Default Audit Logging Rules

If you don’t want to detect some resources within your Kubernetes cluster, you can create custom rules.

To do this, change the k8sAuditDetectionsRules variable in the values.yaml file. For example, if you want to filter out secrets from the admission controller, you can use the following rules:

- apiGroups:
  - ""
  apiVersions: [ "*" ]
  operations: [ "*" ]
  resources:
  - bindings
  - componentstatuses
  - configmaps
  - endpoints
  - events
  - limitranges
  - namespaces
  - nodes
  - persistentvolumeclaims
  - persistentvolumes
  - pods/*
  - podtemplates
  - replicationcontrollers
  - resourcequotas
  - serviceaccounts
  - services
  scope: "*"
- apiGroups:
  - apps
  - autoscaling
  - batch
  - networking.k8s.io
  - rbac.authorization.k8s.io
  - extensions
  apiVersions: [ "*" ]
  operations: [ "*" ]
  resources: [ "*/*" ]
  scope: "*"

See Install Kubernetes Audit Logging for more information on using the Helm chart to apply the changes.
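Before applying a filtered rule list, it is worth checking which API requests it still covers, because a rule list that is too narrow silently drops audit events. The script below is an added example, not part of the Sysdig documentation or chart. It embeds a copy of the rule list above as Python data (constructed to mirror the values.yaml snippet) and evaluates requests against it. It assumes the rules use the same matching semantics as Kubernetes admission webhook rules (apiGroups, apiVersions, operations, resources, scope), where a "pods/*" entry matches pods and all of their subresources and "*/*" matches every resource and subresource; the request tuples and function names are the example's own.

```python
"""Report which Kubernetes API requests a k8sAuditDetectionsRules list still
matches.  Added example, not Sysdig's code.  Matching follows the semantics of
Kubernetes admission webhook rules (assumption): a "*" entry matches any value,
a resource pattern "res/sub" matches resource "res" with subresource "sub",
and "*" in the subresource position also matches a request with no subresource.
"""

# Constructed to mirror the values.yaml snippet above: the core group with
# "secrets" omitted, plus several named API groups with all resources.
FILTERED_RULES = [
    {
        "apiGroups": [""],
        "apiVersions": ["*"],
        "operations": ["*"],
        "resources": [
            "bindings", "componentstatuses", "configmaps", "endpoints",
            "events", "limitranges", "namespaces", "nodes",
            "persistentvolumeclaims", "persistentvolumes", "pods/*",
            "podtemplates", "replicationcontrollers", "resourcequotas",
            "serviceaccounts", "services",
        ],
        "scope": "*",
    },
    {
        "apiGroups": ["apps", "autoscaling", "batch", "networking.k8s.io",
                      "rbac.authorization.k8s.io", "extensions"],
        "apiVersions": ["*"],
        "operations": ["*"],
        "resources": ["*/*"],
        "scope": "*",
    },
]


def _split_resource(entry):
    # "pods" -> ("pods", ""), "pods/exec" -> ("pods", "exec"), "*/*" -> ("*", "*")
    if "/" in entry:
        resource, subresource = entry.split("/", 1)
        return resource, subresource
    return entry, ""


def _resource_matches(patterns, resource, subresource):
    # Each pattern must match both the resource and the subresource part.
    for pattern in patterns:
        p_res, p_sub = _split_resource(pattern)
        if (p_res == "*" or p_res == resource) and (p_sub == "*" or p_sub == subresource):
            return True
    return False


def _scope_matches(scope, namespace):
    # "*" (or no scope) matches everything; "Cluster" only cluster-scoped
    # requests (empty namespace); "Namespaced" only namespaced ones.
    if scope in (None, "*"):
        return True
    if scope == "Cluster":
        return namespace == ""
    if scope == "Namespaced":
        return namespace != ""
    raise ValueError(f"unknown scope {scope!r}")


def rule_matches(rule, group, version, operation, resource, subresource="", namespace=""):
    """True if a single rule matches the described API request."""
    def in_list(values, wanted):
        return "*" in values or wanted in values

    return (in_list(rule["apiGroups"], group)
            and in_list(rule["apiVersions"], version)
            and in_list(rule["operations"], operation)
            and _resource_matches(rule["resources"], resource, subresource)
            and _scope_matches(rule.get("scope", "*"), namespace))


def is_audited(rules, group, version, operation, resource, subresource="", namespace=""):
    """True if any rule in the list matches the request."""
    return any(rule_matches(r, group, version, operation, resource, subresource, namespace)
               for r in rules)


def uncovered(rules, requests):
    """Return the request tuples that no rule matches (i.e. would not be audited)."""
    return [req for req in requests if not is_audited(rules, *req)]


if __name__ == "__main__":
    # Constructed sample requests: (group, version, operation, resource, subresource, namespace)
    sample = [
        ("", "v1", "CREATE", "configmaps", "", "default"),
        ("", "v1", "CREATE", "secrets", "", "default"),
        ("", "v1", "CONNECT", "pods", "exec", "default"),
        ("apps", "v1", "UPDATE", "deployments", "scale", "prod"),
        ("admissionregistration.k8s.io", "v1", "CREATE", "validatingwebhookconfigurations", "", ""),
    ]
    for req in sample:
        print(("audited    " if is_audited(FILTERED_RULES, *req) else "NOT audited"), req)
```

Run the script as-is to see that secrets and validatingwebhookconfigurations are not matched by the filtered list, while configmaps, pods/exec and deployments/scale still are. To check your own values.yaml, replace FILTERED_RULES with the parsed k8sAuditDetectionsRules list and extend the sample with the resources you expect to be audited.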