Skip to main content
Version: 2.0.0

Auditing Kubernetes with Zeron Integrations

Auditing Kubernetes with Zeron Integrations

To configure Kubernetes audit logging, we create an audit policy file to define events that the cluster will log. The policy also defines the amount of information that should be logged for each type of event. We proceed to create a webhook configuration file that specifies the webhook address where the audit events will be sent to. Finally, we apply the newly created audit policy and the webhook configuration to the cluster by modifying the Kubernetes API server configuration file.
The Kubernetes API server runs the Kubernetes API, which serves as the front end through which users interact with the Kubernetes cluster. We log all user requests to the Kubernetes API by adding the audit policy and webhook configuration to the API server.

1. Create a policy file

etc/kubernetes/audit-policy.yaml to log the events:

audit-policy.yaml
apiVersion: audit.k8s.io/v1 
kind: Policy
rules:
    # Don’t log requests to the following API endpoints
    - level: None
      nonResourceURLs:
          - '/healthz*'
          - '/logs'
          - '/metrics'
          - '/swagger*'
          - '/version'
    # Limit requests containing tokens to Metadata level so the token is not included in the log
    - level: Metadata
      omitStages:
          - RequestReceived
      resources:
          - group: authentication.k8s.io
            resources:
                - tokenreviews
    # Extended audit of auth delegation 
    - level: RequestResponse
      omitStages:
          - RequestReceived 
      resources:
          - group: authorization.k8s.io
            resources: 
                - subjectaccessreviews 
    # Log changes to pods at RequestResponse level 
    - level: RequestResponse 
      omitStages:
          - RequestReceived
      resources:
          # core API group; add third-party API services and your API services if needed
          - group: ''
            resources: ['pods']
            verbs: ['create', 'patch', 'update', 'delete']
    # Log everything else at Metadata level 
    - level: Metadata
      omitStages:
          - RequestReceived

2. Create a webhook configuration file

/etc/kubernetes/audit-webhook.yaml. Replace <zensor_server_ip> with the IP address PROVIDED TO YOU BY TEAM ZERON:

apiVersion: v1
kind: Config
preferences: {}
clusters:
  - name: zensor-webhook
    cluster:
      insecure-skip-tls-verify: true
      server: https://< zensor_server_ip>:8080
# kubeconfig files require a context. Provide one for the API server.
current-context: webhook
contexts:
- context:
    cluster: zensor-webhook
    user: kube-apiserver # Replace with name of API server if it’s different
  name: webhook

3. Edit the Kubernetes API server configuration file

/etc/kubernetes/manifests/kube-apiserver.yaml and add the highlighted lines under the relevant sections : 

...
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    - --audit-webhook-config-file=/etc/kubernetes/audit-webhook.yaml
    - --audit-webhook-batch-max-size=1
...
    volumeMounts:
    - mountPath: /etc/kubernetes/audit-policy.yaml
      name: audit
      readOnly: true
    - mountPath: /etc/kubernetes/audit-webhook.yaml
      name: audit-webhook
      readOnly: true
...
  volumes:
  - hostPath:
      path: /etc/kubernetes/audit-policy.yaml
      type: File
    name: audit
  - hostPath:
      path: /etc/kubernetes/audit-webhook.yaml
      type: File
    name: audit-webhook

4. Restart Kubelet to apply the changes:

systemctl restart kubelet