Open in app

Sign in

Write

Sign in

☸️ Kubernetes Security Auditing : Practical guide in 6 Steps

Mohamed BEN HASSINE ( teckbootcamps.com)
Cloud For Techies
Published in
4 min readJan 31, 2024

Kubernetes Auditing is an important security measure that can help you monitor and audit various activities in the cluster to ensure the security and compliance of the cluster.

This guide will take you step by step to implement the configuration and practical application of Kubernetes security auditing.

Step 1: Check if the Kubernetes cluster supports auditing

kubectl api-resources | grep audit

Check the supported audit policy versions in your Kubernetes cluster. Use the following command to list all supported API resource versions:

Step 2: Configure Kubernetes Audit Policy

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: Request
    resources:
      - '*'
    verbs:
      - create
      - update
      - delete
    userGroups:
      - system:authenticated
  - level: RequestResponse
    resources:
      - 'secrets'
    verbs:
      - '*'
    userGroups:
      - system:masters
  - level: Metadata
    resources:
      - '*'
    verbs:
      - get
      - list
  - level: None

Create an audit policy file /etc/kubernetes/audit-policy.yaml to define events and rules that need to be audited. For example, the following is a simple audit policy file:

Detailed description Rule 1:

  • level: Request: Defines the audit record level as Request, indicating that the detailed information of the request is recorded.
  • resources:: Contains all resources, using wildcards * to indicate that it is applicable to all resources.
  • verbs:: Specifies sensitive operations, here are create, update and delete.
  • userGroups:: Applies to all authenticated users

Rule 2:

  • verbs:: Use a wildcard * to indicate that it applies to all operations.
  • userGroups:: Applicable to system:masters user groups, indicating user groups with cluster administrator rights.

Rule 3:

  • level: Metadata: Defines the audit record level as Metadata, which means that only information about object metadata is recorded.
  • resources:: Use wildcard characters * to indicate that it applies to all resources.
  • verbs::get The sum operation is specified list .

Rule 4:

  • level: None: Defines the audit record level as None, which means no information will be recorded.

This illustration addresses the logging of requests and responses related to sensitive operations, such as monitoring all operations on resources by cluster administrators and capturing read operations on metadata for all resource objects.

It is crucial to tailor your audit strategy to align with the distinct requirements and compliance standards of your production environment. In an authentic production setting, configuring audit policies may necessitate more nuanced adjustments to ensure adherence to specific security standards and regulatory obligations.

Step 3: Verify Kubernetes Policy File

kubectl apply -f /etc/kubernetes/audit-policy.yaml --dry-run=client

Step 4: Enable Auditing of API Server

Edit the configuration file of the Kubernetes API Server (usually /etc/kubernetes/manifests/kube-apiserver.yaml) and add audit configuration.

Make sure the following parameters are added to kube-apiserver the section:

apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - <other-flags>
    - --audit-log-path=/var/log/kubernetes/audit.log
    - --audit-log-format=json
    - --audit-log-maxage=30
    - --audit-log-maxbackup=3
    - --audit-log-maxsize=100
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    volumeMounts:
    - mountPath: /var/log/kubernetes
      name: var-log-kubernetes
    - mountPath: /etc/kubernetes/audit-policy.yaml
      name: audit-policy
  volumes:
  - hostPath:
      path: /var/log/kubernetes
    name: var-log-kubernetes
  - hostPath:
      path: /etc/kubernetes/audit-policy.yaml
    name: audit-policy

Parameter Description:

  • --audit-log-path: The storage path of the audit log.
  • -audit-log-format=json : Specify the format of the audit log.
  • --audit-log-maxage: The maximum number of days to retain audit log files.
  • --audit-log-maxbackup: Maximum number of backups of audit log files.
  • --audit-log-maxsize: Maximum size of audit log files.
  • --audit-policy-file: Path to the audit policy file.

Step 5: Restart API Server

sudo systemctl restart kubelet

To apply the new audit configuration, you need to restart the API Server:

Step 6: View the Audit Log

cat /var/log/kubernetes/audit.log

The audit log will be recorded in the specified path. You can understand various operations and events in the cluster by viewing this file:

Practical application: monitoring sensitive operations

Using audit logs, you can monitor sensitive operations that occur in the cluster, such as Pod creation and deletion.

By analyzing audit logs, you can track specific user activities and identify potential security risks.

This will filter out all audit events that create Pods, helping you track Pod creation.

Practical application: abnormal behavior detection

cat /var/log/kubernetes/audit.log | grep "CreatePod"

The audit log records the detailed information of each request, including request parameters, user information, etc.

By analyzing logs, you can detect abnormal behavior, such as unusually frequent login attempts, privilege escalation, and more.

cat /var/log/kubernetes/audit.log | grep "LoginAttempt" | grep "Failure"

This will filter out all audit events for failed login attempts, helping you discover potential security risks in a timely manner.

🔥 SAVE 35% Now on Online Courses, Certifications, Bundles & IT Professional Programs : [ 2 Days Only — Offer ends Jan 31!. ]

Offer valid from Jan 29, 2024 — Jan 31, 2024..

Hurry Up: Offer valid from Jan 29, 2024 — Jan 31, 2024 ⏳

Use Code AWARD35 to Save 35% Now

GET CKAD VOUCHER $395 $257

GET CKA VOUCHER $395 $257

GET CKS VOUCHER $395 $257

Conclusion

By configuring and implementing Kubernetes security auditing, you can enhance your comprehension of and uphold the security posture of your cluster. Auditing is a crucial component in guaranteeing Kubernetes security, enabling you to promptly identify potential risks and implement appropriate measures.

This guide aims to assist you in effectively implementing and optimizing Kubernetes security auditing.

Check last Kubernetes Exams ( CKAD , CKA , CKS) Coupon Page to get discounts on certification registration.

If you are for Kubernetes certification, check out all certification guides here :

https://teckbootcamps.com/linux-foundation-coupons/

shsc

Originally published at https://teckbootcamps.com

Kubernetes

--

--

Mohamed BEN HASSINE ( teckbootcamps.com)
Cloud For Techies

Written by Mohamed BEN HASSINE ( teckbootcamps.com)

273 Followers
Editor for

GCP Cloud & Application Architect ( teckbootcamps.com)

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams