Skip to main content
Version: 2.0.0

Auditing Kubernetes with Zeron Integrations

Auditing Kubernetes with Zeron Integrations

To configure Kubernetes audit logging, we create an audit policy file to define events that the cluster will log. The policy also defines the amount of information that should be logged for each type of event. We proceed to create a webhook configuration file that specifies the webhook address where the audit events will be sent to. Finally, we apply the newly created audit policy and the webhook configuration to the cluster by modifying the Kubernetes API server configuration file.
The Kubernetes API server runs the Kubernetes API, which serves as the front end through which users interact with the Kubernetes cluster. We log all user requests to the Kubernetes API by adding the audit policy and webhook configuration to the API server.

1. Create a policy file

etc/kubernetes/audit-policy.yaml to log the events:

audit-policy.yaml
apiVersion: audit.k8s.io/v1 
kind: Policy
rules:
# Don’t log requests to the following API endpoints
- level: None
nonResourceURLs:
- '/healthz*'
- '/logs'
- '/metrics'
- '/swagger*'
- '/version'
# Limit requests containing tokens to Metadata level so the token is not included in the log
- level: Metadata
omitStages:
- RequestReceived
resources:
- group: authentication.k8s.io
resources:
- tokenreviews
# Extended audit of auth delegation
- level: RequestResponse
omitStages:
- RequestReceived
resources:
- group: authorization.k8s.io
resources:
- subjectaccessreviews
# Log changes to pods at RequestResponse level
- level: RequestResponse
omitStages:
- RequestReceived
resources:
# core API group; add third-party API services and your API services if needed
- group: ''
resources: ['pods']
verbs: ['create', 'patch', 'update', 'delete']
# Log everything else at Metadata level
- level: Metadata
omitStages:
- RequestReceived

2. Create a webhook configuration file

/etc/kubernetes/audit-webhook.yaml. Replace <zensor_server_ip> with the IP address PROVIDED TO YOU BY TEAM ZERON:

apiVersion: v1
kind: Config
preferences: {}
clusters:
- name: zensor-webhook
cluster:
insecure-skip-tls-verify: true
server: https://< zensor_server_ip>:8080
# kubeconfig files require a context. Provide one for the API server.
current-context: webhook
contexts:
- context:
cluster: zensor-webhook
user: kube-apiserver # Replace with name of API server if it’s different
name: webhook

3. Edit the Kubernetes API server configuration file

/etc/kubernetes/manifests/kube-apiserver.yaml and add the highlighted lines under the relevant sections :

...
spec:
containers:
- command:
- kube-apiserver
- --audit-policy-file=/etc/kubernetes/audit-policy.yaml
- --audit-webhook-config-file=/etc/kubernetes/audit-webhook.yaml
- --audit-webhook-batch-max-size=1
...
volumeMounts:
- mountPath: /etc/kubernetes/audit-policy.yaml
name: audit
readOnly: true
- mountPath: /etc/kubernetes/audit-webhook.yaml
name: audit-webhook
readOnly: true
...
volumes:
- hostPath:
path: /etc/kubernetes/audit-policy.yaml
type: File
name: audit
- hostPath:
path: /etc/kubernetes/audit-webhook.yaml
type: File
name: audit-webhook

4. Restart Kubelet to apply the changes:

systemctl restart kubelet