enable native kubernetes audit logging on master nodes for cern-magnum clusters
Falco provides an integration to read directly from native Kubernetes audit logs; however, as this is not set up already in Magnum,
I have manually modified the master node to configure it when testing out Falco.
Add the following files to the master nodes:
# /etc/kubernetes/audit-policies/policy.yaml
# ref: https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/
apiVersion: audit.k8s.io/v1
kind: Policy
# Don't generate audit events for any request in the RequestReceived stage.
omitStages:
  - "RequestReceived"
# Rules are evaluated in order; the first matching rule sets the audit level.
rules:
  # Log pod changes at RequestResponse level ("pods" does not match subresources).
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["pods"]
  # Log "pods/log" and "pods/status" at Metadata level.
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]
  # Don't log requests to the configmap called "controller-leader".
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]
  # Don't log watch requests by "system:kube-proxy" on endpoints or services.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]
  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"
  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    namespaces: ["kube-system"]
  # Log configmap and secret changes in all other namespaces at Metadata level
  # (no request body is recorded, so secret values never reach the audit log).
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]
  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.
  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"
---
# /etc/kubernetes/webhook-config.yaml
apiVersion: v1
kind: Config
clusters:
- name: k8s-audit
  cluster:
    # certificate-authority: /path/to/ca.crt # for https
    server: http://localhost:30007/k8s-audit
contexts:
- context:
    cluster: k8s-audit
    user: ""
  name: default-context
current-context: default-context
preferences: {}
users: []
Add the following flags to the kube-apiserver config (a log path of `-` writes the log backend's events to standard out; the webhook backend posts them to the server in webhook-config.yaml):
--audit-log-path=-
--audit-policy-file=/etc/kubernetes/audit-policies/policy.yaml
--audit-webhook-config-file=/etc/kubernetes/webhook-config.yaml
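Because the first matching rule decides the audit level, it is worth checking what the policy above will actually record before rolling it out on the master nodes. The following is an added example (not part of this ticket, Magnum or Falco): a Python re-implementation of the apiserver's first-match policy evaluation, simplified and written from memory of its behaviour, so treat the exact matching details as an assumption. The policy is transcribed into Python dicts so no YAML parser is needed, and the sample requests at the bottom are constructed.

```python
"""First-match evaluation of a Kubernetes audit policy (added example).

Re-implements, in simplified form, the matching semantics of the apiserver's
audit policy checker so that the level assigned to a given request by the
policy in this ticket can be inspected offline.  The matching rules below are
an assumption modelled on the apiserver, not its code.
"""
from dataclasses import dataclass
from typing import List, Tuple

# The rules from /etc/kubernetes/audit-policies/policy.yaml, transcribed as
# Python dicts so this runs without a YAML library.
POLICY = {
    "omitStages": ["RequestReceived"],
    "rules": [
        {"level": "RequestResponse",
         "resources": [{"group": "", "resources": ["pods"]}]},
        {"level": "Metadata",
         "resources": [{"group": "", "resources": ["pods/log", "pods/status"]}]},
        {"level": "None",
         "resources": [{"group": "", "resources": ["configmaps"],
                        "resourceNames": ["controller-leader"]}]},
        {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
         "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
        {"level": "None", "userGroups": ["system:authenticated"],
         "nonResourceURLs": ["/api*", "/version"]},
        {"level": "Request",
         "resources": [{"group": "", "resources": ["configmaps"]}],
         "namespaces": ["kube-system"]},
        {"level": "Metadata",
         "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
        {"level": "Request",
         "resources": [{"group": ""}, {"group": "extensions"}]},
        {"level": "Metadata", "omitStages": ["RequestReceived"]},
    ],
}


@dataclass
class Request:
    """The request attributes that audit policy rules look at."""
    user: str
    groups: List[str]
    verb: str
    api_group: str = ""      # "" is the core API group
    resource: str = ""       # e.g. "pods"; empty for non-resource requests
    subresource: str = ""    # e.g. "log" for pods/log
    name: str = ""
    namespace: str = ""
    path: str = ""           # set for non-resource requests such as GET /version

    @property
    def is_resource_request(self) -> bool:
        return self.resource != ""


def _resource_rule_matches(rule: dict, req: Request) -> bool:
    if not req.is_resource_request:
        return False
    if rule.get("namespaces") and req.namespace not in rule["namespaces"]:
        return False
    group_rules = rule.get("resources", [])
    if not group_rules:
        return True
    combined = req.resource + ("/" + req.subresource if req.subresource else "")
    for gr in group_rules:
        if gr.get("group", "") != req.api_group:
            continue
        names = gr.get("resources", [])
        if not names:
            return True  # a group with no resource list matches everything in it
        if gr.get("resourceNames") and req.name not in gr["resourceNames"]:
            continue
        for res in names:
            if res in ("*", combined):
                return True
            if req.subresource and res.startswith("*/") and res[2:] == req.subresource:
                return True  # "*/status": that subresource of any resource
            if res.endswith("/*") and res[:-2] == req.resource:
                return True  # "pods/*": any subresource of pods
    return False


def _non_resource_rule_matches(rule: dict, req: Request) -> bool:
    if req.is_resource_request:
        return False
    for spec in rule["nonResourceURLs"]:
        if spec == "*" or spec == req.path:
            return True
        if spec.endswith("*") and req.path.startswith(spec.rstrip("*")):
            return True
    return False


def _rule_matches(rule: dict, req: Request) -> bool:
    if rule.get("users") and req.user not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(req.groups) & set(rule["userGroups"]):
        return False
    if rule.get("verbs") and req.verb not in rule["verbs"]:
        return False
    if rule.get("namespaces") or rule.get("resources"):
        return _resource_rule_matches(rule, req)
    if rule.get("nonResourceURLs"):
        return _non_resource_rule_matches(rule, req)
    return True  # no selectors at all: a catch-all rule


def audit_level(policy: dict, req: Request) -> Tuple[str, List[str]]:
    """Return (level, omitted stages) from the first matching rule, or None level if nothing matches."""
    for rule in policy["rules"]:
        if _rule_matches(rule, req):
            stages = set(policy.get("omitStages", [])) | set(rule.get("omitStages", []))
            return rule["level"], sorted(stages)
    return "None", sorted(policy.get("omitStages", []))


if __name__ == "__main__":
    # Constructed sample requests to show where each lands in the policy.
    auth = ["system:authenticated"]
    samples = [
        Request("alice", auth, "get", resource="pods", namespace="default"),
        Request("alice", auth, "get", resource="pods", subresource="log", namespace="default"),
        Request("alice", auth, "get", resource="secrets", name="db", namespace="default"),
        Request("alice", auth, "get", path="/healthz"),
        Request("system:kube-proxy", ["system:nodes"], "watch", resource="endpoints"),
    ]
    for s in samples:
        print(s.verb, s.path or s.resource, "->", audit_level(POLICY, s))
```

Note that the catch-all Metadata rule also picks up non-resource requests the `/api*` and `/version` rule did not exclude (for example `/healthz`), and that a secret read in a user namespace is logged at Metadata only, so its data never appears in the log that Falco consumes.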