api requests --> k8s api --> audit logs

why do we need them?

  • check who accessed what
  • check what user x is doing
  • debugging apps or crds

can log according to audit STAGES, so more granular and not just logging EVERYTHING.


  • RequestReceived
  • ResponseStarted
  • ResponseComplete
  • Panic

you can set an audit "level" per policy rule

  • None
  • Metadata
  • Request
  • RequestResponse

set up / configure audit logs

# on master
mkdir -p /etc/kubernetes/audit
cd /etc/kubernetes/audit

add to the kube-apiserver manifest to enable the audit policy

spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/audit/policy.yaml       # add
    - --audit-log-path=/etc/kubernetes/audit/logs/audit.log       # add
    - --audit-log-maxsize=500                                     # add
    - --audit-log-maxbackup=5                                     # add
    # ...
    volumeMounts:
    - mountPath: /etc/kubernetes/audit      # add
      name: audit
    # ...
  volumes:
  - hostPath:                               # add
      path: /etc/kubernetes/audit           # add
      type: DirectoryOrCreate               # add
    name: audit                             # add

tail /etc/kubernetes/audit/logs/audit.log to see the logged events.


make a policy that

  • omits the RequestReceived stage
  • logs nothing for "get", "watch", "list"
  • logs Secrets at Metadata level only
  • logs everything else at RequestResponse level

apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  - level: None
    verbs: ["get", "watch", "list"]
  - level: Metadata
    resources:
    - group: ""
      resources: ["secrets"]
  - level: RequestResponse
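
added example (not from the original notes, and not kube-apiserver code): a simplified model of how the policy above is evaluated, where rules are checked top to bottom and the first match wins. it shows that reads of Secrets hit the None rule first and are never logged. the function names, the SECRETS_FIRST variant and the sample requests are constructed for illustration.

```python
# Simplified model of audit-policy rule selection: first matching rule wins.
# POLICY mirrors the policy.yaml in these notes; requests below are constructed.
POLICY = {
    "omitStages": ["RequestReceived"],
    "rules": [
        {"level": "None", "verbs": ["get", "watch", "list"]},
        {"level": "Metadata",
         "resources": [{"group": "", "resources": ["secrets"]}]},
        {"level": "RequestResponse"},
    ],
}
# Hypothetical variant (not in the notes): secrets rule moved to the top.
SECRETS_FIRST = {**POLICY, "rules": [POLICY["rules"][1], POLICY["rules"][0],
                                     POLICY["rules"][2]]}

def rule_matches(rule, verb, group, resource):
    """A field that is absent from a rule matches everything."""
    if rule.get("verbs") and verb not in rule["verbs"]:
        return False
    if rule.get("resources"):
        return any(
            gr.get("group", "") == group
            and (not gr.get("resources") or resource in gr["resources"])
            for gr in rule["resources"]
        )
    return True

def audit_level(policy, verb, group, resource):
    """Level of the first matching rule; no match means nothing is logged."""
    for rule in policy["rules"]:
        if rule_matches(rule, verb, group, resource):
            return rule["level"]
    return "None"

def logged_stages(policy, level):
    """Stages that can still produce a log line at this level."""
    if level == "None":
        return []
    stages = ["RequestReceived", "ResponseStarted", "ResponseComplete", "Panic"]
    return [s for s in stages if s not in policy["omitStages"]]

if __name__ == "__main__":
    for verb, group, res in [("get", "", "secrets"), ("create", "", "secrets"),
                             ("delete", "apps", "deployments"), ("list", "", "pods")]:
        lvl = audit_level(POLICY, verb, group, res)
        print(f"{verb:7} {res:12} -> {lvl:15} {logged_stages(POLICY, lvl)}")
```

with SECRETS_FIRST the same "get secrets" request resolves to Metadata, so who read which Secret is recorded without the Secret's contents.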