Curriculum 26: Security Best Practices

Audit Logging

Kubernetes audit logging records all requests to the API server, providing a chronological record of who did what, when, and to which resources.

Audit Levels

The API server supports four audit levels, each capturing increasing detail:

  • None: Do not log the event.
  • Metadata: Log request metadata (user, timestamp, resource, verb) but not the request or response body.
  • Request: Log metadata and the request body.
  • RequestResponse: Log metadata, request body, and response body.

Audit Policy

An audit policy file defines which events to record and at what level:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Do not log read-only requests to endpoints and services
  - level: None
    resources:
      - group: ""
        resources: ["endpoints", "services"]
    verbs: ["get", "list", "watch"]

  # Log secret access with full request details
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["secrets"]

  # Log all other requests at metadata level
  - level: Metadata
    omitStages:
      - RequestReceived
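As an added example (not part of the course material), the Python below mirrors how kube-apiserver applies the policy above: rules are checked in order, the first matching rule fixes the level, and a request that matches no rule is not logged. It implements only the selectors this policy uses (verbs and resource group/name) and runs against constructed events.

```python
# Added example: first-match evaluation of the course's audit policy.
# Simplified: ignores namespaces, users/groups and nonResourceURLs selectors.

POLICY_RULES = [
    {"level": "None", "groups": [("", ["endpoints", "services"])],
     "verbs": ["get", "list", "watch"]},
    {"level": "RequestResponse", "groups": [("", ["secrets"])]},
    {"level": "Metadata"},  # catch-all; omitStages changes stages, not the level
]

def rule_matches(rule, event):
    """True when every selector present in the rule matches the event."""
    if "verbs" in rule and event["verb"] not in rule["verbs"]:
        return False
    if "groups" in rule:
        # A resource rule only matches resource requests; non-resource
        # requests (e.g. /healthz) carry no objectRef and fall through.
        ref = event.get("objectRef", {})
        group, resource = ref.get("apiGroup", ""), ref.get("resource", "")
        if not any(group == g and resource in rs for g, rs in rule["groups"]):
            return False
    return True

def audit_level(event, rules=POLICY_RULES):
    """Level at which the API server would record this request."""
    for rule in rules:
        if rule_matches(rule, event):
            return rule["level"]
    return "None"  # no rule matched: the request is not logged at all

SAMPLE_EVENTS = [  # constructed, shaped like audit.k8s.io/v1 Event objects
    {"verb": "get", "user": {"username": "system:kube-proxy"},
     "objectRef": {"apiGroup": "", "resource": "endpoints", "name": "kubernetes"}},
    {"verb": "get", "user": {"username": "jane"},
     "objectRef": {"apiGroup": "", "resource": "secrets", "name": "db-creds"}},
    {"verb": "create", "user": {"username": "jane"},
     "objectRef": {"apiGroup": "apps", "resource": "deployments", "name": "web"}},
    {"verb": "delete", "user": {"username": "jane"},  # write to services: not exempt
     "objectRef": {"apiGroup": "", "resource": "services", "name": "web"}},
    {"verb": "get", "user": {"username": "system:anonymous"}, "requestURI": "/healthz"},
]

def summarize(events=SAMPLE_EVENTS):
    """(user, verb, target, level) for each event, for quick review."""
    return [(e["user"]["username"], e["verb"],
             e.get("objectRef", {}).get("resource", e.get("requestURI")),
             audit_level(e)) for e in events]

if __name__ == "__main__":
    for row in summarize():
        print(row)
```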

Log Backends

The API server supports two audit backends, log and webhook:

# Log backend: writes audit events to a file
# Configure in kube-apiserver flags:
# --audit-policy-file=/etc/kubernetes/audit-policy.yaml
# --audit-log-path=/var/log/kubernetes/audit.log
# --audit-log-maxage=30
# --audit-log-maxbackup=10

# Webhook backend: sends events to an external service
# --audit-webhook-config-file=/etc/kubernetes/audit-webhook.yaml

Analyzing Audit Logs

# View recent audit events (log backend): events go to the file named by
# --audit-log-path, not to the pod's stdout, so read it on the control-plane
# node (one JSON event per line)
sudo tail -n 50 /var/log/kubernetes/audit.log

# Check who accessed secrets recently (audit events are not Kubernetes Event
# objects, so filter the audit file by objectRef.resource instead)
sudo jq -c 'select(.objectRef.resource == "secrets")
  | {time: .requestReceivedTimestamp, user: .user.username, verb: .verb, name: .objectRef.name}' \
  /var/log/kubernetes/audit.log

# Inspect API server configuration for audit settings
kubectl describe pod kube-apiserver-master -n kube-system \
  | grep audit

Audit logs are essential for compliance, incident investigation, and detecting unauthorized access patterns.