
Enable native Kubernetes audit logging on master nodes for cern-magnum clusters

Falco can consume native Kubernetes audit logs directly, but audit logging is not enabled in Magnum clusters out of the box, so while evaluating Falco I modified the master node by hand to configure it. The steps below are that manual procedure, not something Magnum applies for you.

Add the following two files to each master node. kube-apiserver reads them at startup (a change needs an apiserver restart); keep them root-owned and writable only by root, since whoever can edit the policy can silence auditing:

# /etc/kubernetes/audit-policies/policy.yaml
# ref: https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/
#
# Rules are evaluated top to bottom and the FIRST matching rule decides the
# audit level for a request, so the order below is significant.
# Levels: None < Metadata < Request (adds request body) < RequestResponse
# (adds response body too).
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage for every rule: otherwise each request would
# emit a second event before the handler has run.
omitStages:
  - "RequestReceived"
rules:
  # Full request AND response bodies for pods. Pod specs may carry inline
  # credentials (env values, args); with this level they end up in the audit
  # stream and at the webhook receiver. Drop to Request/Metadata if that is a
  # concern for your tenants.
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["pods"]
  # Subresources do not match the "pods" rule above and are listed here
  # explicitly: log streaming and status updates at metadata only.
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]

  # The leader-election ConfigMap is rewritten constantly; silence it.
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]

  # kube-proxy watches on endpoints/services are high volume, low value.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]

  # Discovery/version probes from any authenticated principal are not logged.
  # A trailing "*" is prefix matching, so "/api*" also covers /apis/...
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"

  # Request bodies for ConfigMaps in kube-system. Because this rule sits
  # BEFORE the Metadata rule below, kube-system ConfigMap contents are
  # written to the audit log / webhook in full.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    namespaces: ["kube-system"]

  # Secrets (and ConfigMaps outside kube-system) at Metadata only, i.e. never
  # log their bodies. Keep this rule ahead of the catch-all Request rule
  # below, which would otherwise capture Secret bodies.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Request bodies (no response bodies) for everything else in the core and
  # extensions groups.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.

  # Catch-all: metadata for every request not matched above.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"
---
# /etc/kubernetes/webhook-config.yaml
# kubeconfig-format file passed via --audit-webhook-config-file; it tells
# kube-apiserver where to POST audit events. Only the cluster server URL is
# set here — no client credentials are configured for the webhook.
apiVersion: v1
kind: Config
clusters:
  - name: k8s-audit
    cluster:
      # certificate-authority: /path/to/ca.crt # for https
      # Plain HTTP: the audit events (including the request/response bodies
      # the policy enables, e.g. pod specs and kube-system ConfigMaps) are
      # sent unencrypted and the receiver is not authenticated. That is only
      # acceptable if delivery really stays on loopback.
      # NOTE(review): 30007 is in the NodePort range. If this is a NodePort
      # Service, kube-proxy may forward the events to a Falco pod on another
      # node in cleartext; in that case use https and set certificate-authority
      # above, or point at a receiver that is genuinely local.
      server: http://localhost:30007/k8s-audit
contexts:
  - context:
      cluster: k8s-audit
      user: ""  # no client auth towards the webhook endpoint
    name: default-context
current-context: default-context
preferences: {}
users: []

Add the following flags to the kube-apiserver configuration (if the apiserver runs in a container, both files above must also be mounted into it at the same paths, read-only):

--audit-log-path=-   # note the double dash: a single "-" is parsed as a bundle of short flags and rejected; "-" as the value writes the log to standard output
--audit-policy-file=/etc/kubernetes/audit-policies/policy.yaml
--audit-webhook-config-file=/etc/kubernetes/webhook-config.yaml