Kubernetes Audit Logging
The integration allows auditing of:
Creation and destruction of pods, services, deployments, daemon sets, etc.
Creating/updating/removing config maps or secrets
Attempts to subscribe to changes to any endpoint
Prerequisite
- Install using either a Helm chart or a platform-specific installation procedure. Ensure that the
features.k8sAuditDetections
is set totrue
(default value) to enable the feature.
View Results in the UI
When Kubernetes audit logging is installed/enabled, default audit policies included out of the box are active and policy violations are visible in following locations:
Events Feed
In the Sysdig Secure UI, select Events, and check for one of the Kubernetes Audit Policy names, such as Sysdig K8s Notable Events.
In the Sysdig Secure UI, select Investigate > Activity Audit and filter for Kubernetes.
Manage Relevant Policies and Rules
Review Kubernetes Audit Policies
Log in to Sysdig Secure and select Policies > Threat Detection > Runtime Policies.
Open the Select policy type dropdown and choose Kubernetes Audit.
The default managed policies and any additional custom policies are displayed.
You can:
- Enable/disable existing policies
- Create a custom Kubernetes audit policy For more information, see Create policies.
Review Default Audit Logging Rules
The Kubernetes audit logging rules can be viewed in the Sysdig Policies Rules Editor, found in the Policies module. To view the audit rules:
Log in to Sysdig Secure and select Policies > Rules > Rules Editor.
Open the drop-down for the default rules, and select
k8s_audit_rules.yaml
.
Modify Default Audit Logging Rules
If you don’t want to detect some resources within your Kubernetes cluser, you can create your custom rules.
To achieve this, you can change the k8sAuditDetectionsRules
variable in the values.yaml file. For example, if you want to filter out secrets from the admission controller you can use the following rules:
- apiGroups:
- ""
apiVersions: [ "*" ]
operations: [ "*" ]
resources:
- bindings
- componentstatuses
- configmaps
- endpoints
- events
- limitranges
- namespaces
- nodes
- persistentvolumeclaims
- persistentvolumes
- pods/*
- podtemplates
- replicationcontrollers
- resourcequotas
- serviceaccounts
- services
scope: "*"
- apiGroups:
- apps
- autoscaling
- batch
- networking.k8s.io
- rbac.authorization.k8s.io
- extensions
apiVersions: [ "*" ]
operations: [ "*" ]
resources: [ "*/*" ]
scope: "*"
See Install Kubernetes Audit Logging for more information on using the helm chart to apply the changes.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.