Sysdig Documentation

Kubernetes Audit Logging

Sysdig Secure allows users to create Falco security rules based on a stream of Kubernetes audit events, integrating Kubernetes audit logging with the Sysdig agent. This allows users to track changes made to the cluster, including:

  • Creation and destruction of pods, services, deployments, daemon sets, etc.

  • Creating/updating/removing config maps or secrets

  • Attempts to subscribe to changes to any endpoint
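As an added example (not Sysdig's or Falco's code), the following Python shows the shape of the audit.k8s.io/v1 events the API server posts to the agent's webhook and picks out the three kinds of change listed above; the usernames, namespaces and object names in the sample payload are constructed.

```python
import json

# Verbs that change an object, and the resource kinds the page lists as tracked.
MUTATING_VERBS = {"create", "update", "patch", "delete"}
TRACKED_RESOURCES = {"pods", "services", "deployments", "daemonsets",
                     "configmaps", "secrets"}


def classify_event(event):
    """Label one audit.k8s.io/v1 Event, or return None if it is not a tracked change."""
    # Only the ResponseComplete stage carries the final outcome of a request.
    if event.get("stage") != "ResponseComplete":
        return None
    verb = event.get("verb", "")
    ref = event.get("objectRef") or {}
    resource = ref.get("resource", "")
    user = event.get("user", {}).get("username", "<unknown>")
    if verb == "watch" and resource == "endpoints":
        return f"watch on endpoints by {user}"
    if verb in MUTATING_VERBS and resource in TRACKED_RESOURCES:
        target = f"{ref.get('namespace', '-')}/{ref.get('name', '-')}"
        return f"{verb} {resource} {target} by {user}"
    return None


def classify_webhook_payload(payload):
    """Handle one webhook POST body: an EventList whose items are Events."""
    doc = json.loads(payload)
    if doc.get("kind") != "EventList":
        raise ValueError("audit webhook payload must be an EventList")
    return [lbl for lbl in map(classify_event, doc.get("items", [])) if lbl]


# Constructed sample payload in the shape the API server's webhook backend sends.
SAMPLE_PAYLOAD = json.dumps({"kind": "EventList", "apiVersion": "audit.k8s.io/v1", "items": [
    {"stage": "ResponseComplete", "verb": "create", "responseStatus": {"code": 201},
     "user": {"username": "system:serviceaccount:ci:deployer"},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"}},
    {"stage": "ResponseComplete", "verb": "watch", "user": {"username": "jane"},
     "objectRef": {"resource": "endpoints", "namespace": "kube-system"}},
    {"stage": "ResponseComplete", "verb": "get", "user": {"username": "jane"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web-1"}},
    # A delete seen at an earlier stage: not reported until the request completes.
    {"stage": "RequestReceived", "verb": "delete", "user": {"username": "jane"},
     "objectRef": {"resource": "deployments", "namespace": "default", "name": "web"}},
]})

if __name__ == "__main__":
    for line in classify_webhook_payload(SAMPLE_PAYLOAD):
        print(line)
```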

Prerequisites

These instructions assume that the Sysdig agent has already been deployed to the Kubernetes cluster. See Agent Installation for details.

Sysdig supports Kubernetes audit logging for the following distributions:

  • Minikube 0.33.1 and later, using the default Virtualbox driver

  • Kops 1.11.0 and later, using AWS

Sysdig has tested and confirmed the Kubernetes audit logging processes for Minikube and Kops.

Instructions for configuring audit logging for additional Kubernetes distributions will be added as those instructions are tested and verified.

Enable Kubernetes Audit Logging

The steps to enable audit logging depend on the Kubernetes distribution being used.

  1. Clone / download the repository: https://github.com/falcosecurity/falco/tree/dev/examples/k8s_audit_config.

    The repository contains the following relevant files:

    • k8s_audit_config/audit-policy.yaml

    • k8s_audit_config/webhook-config.yaml.in

    • k8s_audit_config/enable-k8s-audit.sh

    For more information on configuring the audit events passed to the agent, refer to the Kubernetes documentation.

  2. Run the following command in the sysdig-cloud-scripts/k8s_audit_config directory to enter the necessary values in the webhook-config.yaml.in file:

    AGENT_SERVICE_CLUSTERIP=$(kubectl get service sysdig-agent -o=jsonpath='{.spec.clusterIP}') envsubst < webhook-config.yaml.in > webhook-config.yaml

  3. Run the enable-k8s-audit.sh script to enable audit log support on the API server:

    Minikube:

    bash ./enable-k8s-audit.sh minikube

    Kops:

    APISERVER_HOST=api.my-kops-cluster.com bash ./enable-k8s-audit.sh kops

Audit Logging Policies

Policies will need to be created to use the new Falco Rules for Kubernetes audit logging. For information on creating policies, refer to the Policies documentation.

View Audit Logging Rules

The Kubernetes audit logging rules can be viewed in the Sysdig Policies Rules Editor, found in the Policies module. To view the audit rules:

  1. From the Policies module, navigate to the Rules Editor tab.

  2. Open the drop-down menu for the default rules, and select k8s_audit_rules.yaml:


View Audit Events

Kubernetes audit events will now be routed to the Sysdig agent daemon set within the cluster.

Once the policies are created, the audit events can be observed in the Sysdig Secure Policy Events module.