Auditing is a powerful threat-detection mechanism and an important step in raising security to a high maturity level.
In this post we explore, in a simple way, how to benefit from Kubernetes audit logs and how to make their use more effective.
The official Kubernetes documentation describes it this way: “Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster.” It does so by answering the following questions:
- What happened?
- When did it happen?
- Who initiated it?
- On what did it happen?
Each request to the API server generates events at specific stages. These stages are:
- RequestReceived: events generated as soon as the audit handler receives the request, before it is delegated down the handler chain
- ResponseStarted: once the response headers are sent, but before the response body is sent. This stage is only generated for long-running requests (e.g. watch)
- ResponseComplete: the response body has been completed and no more bytes will be sent
- Panic: events generated when a panic occurred
How does it work?
- First, auditing is disabled by default. To enable it, we pass specific flags to the API server and create an audit policy as a YAML definition, as described with an example here: https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#audit-policy
- Second, the API server flags differ depending on the audit backend.
Types of Audit Backend:
The API server provides two backends for sending audit events:
- Log backend: writes events to a file on the API server's filesystem
- Webhook backend: sends events to an external HTTP API
The flags passed to the API server therefore depend on the backend we need.
Now we explore the second backend type: posting the audit events to a webhook API written in Go.
The benefits of implementing an API that accepts POST requests from the Kubernetes API server are:
- Removing the log backend's limitation of writing only to the local filesystem
- Forwarding the audit logs into a SIEM solution, for example, more easily than from a local log file
In this example we choose to send the events as alerts to Slack; the Go code can be found here: https://github.com/AlyRagab/kubernetes-audit-log/blob/main/main.go
The main point is that the service exposes an endpoint accepting POST requests at /webhook, and the audit configuration is pointed at this endpoint, as shown HERE and HERE.
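As an added example (not the code from the linked repository), here is a minimal Go receiver for the webhook backend described above: it decodes the audit.k8s.io/v1 EventList that the API server POSTs, keeps one alert per completed write request (ResponseComplete stage, read-only verbs dropped) and prints it where the linked project would post to Slack. The Event struct is a hand-written subset of the upstream schema, and the /webhook path and port 8080 are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// Minimal subset of the audit.k8s.io/v1 EventList the API server POSTs to a webhook backend.
type Event struct {
	Stage          string                                     `json:"stage"`
	Verb           string                                     `json:"verb"`
	SourceIPs      []string                                   `json:"sourceIPs"`
	User           struct{ Username string }                  `json:"user"`
	ObjectRef      *struct{ Resource, Namespace, Name string } `json:"objectRef"`
	ResponseStatus struct{ Code int }                         `json:"responseStatus"`
}
type EventList struct{ Items []Event `json:"items"` }

// Summarize turns one event into an alert line, or "" to drop it: only ResponseComplete is kept
// (one alert per request, not one per stage); read-only verbs and non-resource URLs are ignored.
func Summarize(e Event) string {
	o := e.ObjectRef
	if e.Stage != "ResponseComplete" || o == nil || e.Verb == "get" || e.Verb == "list" || e.Verb == "watch" {
		return ""
	}
	return fmt.Sprintf("%s %s %s/%s/%s from %v -> %d",
		e.User.Username, e.Verb, o.Namespace, o.Resource, o.Name, e.SourceIPs, e.ResponseStatus.Code)
}

// WebhookHandler serves POST /webhook. The API server treats a non-2xx reply as a failed delivery
// and retries it, so only a malformed body is rejected; fmt.Println stands in for the Slack POST.
func WebhookHandler(w http.ResponseWriter, r *http.Request) {
	var list EventList
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 10<<20)).Decode(&list); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	for _, e := range list.Items {
		if s := Summarize(e); s != "" {
			fmt.Println(s)
		}
	}
}

func main() {
	http.HandleFunc("/webhook", WebhookHandler)
	panic(http.ListenAndServe(":8080", nil))
}
```

The API server's webhook kubeconfig must point at this address; in a real deployment the endpoint should be served over TLS with client authentication so that only the API server can deliver events to it.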