Skip to main content

Risks

Development of audit log policies

Top security risks

Audit logging is a crucial aspect of Kubernetes security and operational management. It provides a detailed record of all requests made to the Kubernetes API server, enabling administrators to monitor and trace actions, detect security breaches, and comply with regulatory requirements. Developing comprehensive audit log policies ensures that critical events are captured and retained effectively.

Key Considerations for Audit Log Policies

  1. Scope: Define the scope of audit logging, including which events to capture and the granularity of logs.
  2. Retention: Determine how long audit logs should be retained based on organizational and regulatory requirements.
  3. Storage: Decide where audit logs will be stored, ensuring they are secure and accessible.
  4. Access Control: Implement access controls to ensure only authorized personnel can access and manage audit logs.
  5. Monitoring and Alerting: Set up monitoring and alerting for critical events captured in the audit logs.

Setting Up Audit Logging in Kubernetes

1. Enable Audit Logging

To enable audit logging, you need to configure the Kubernetes API server with the appropriate audit policy file and log file path.

  1. Create an Audit Policy File

An audit policy file defines which events are logged and at what level. Below is an example audit policy:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  resources:
  - group: ""
    resources: ["pods", "services", "namespaces"]
- level: Request
  users: ["admin"]
  verbs: ["create", "update", "patch", "delete"]
- level: None
  users: ["system:serviceaccount:kube-system:default"]
  verbs: ["get", "list", "watch"]
- level: RequestResponse
  resources:
  - group: ""
    resources: ["secrets"]
  omitStages:
  - "RequestReceived"
  1. Configure the API Server

Update the API server configuration to use the audit policy file and specify the log file path.

--audit-policy-file=/etc/kubernetes/audit-policy.yaml --audit-log-path=/var/log/kubernetes/audit.log --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100
  1. Deploy the Configuration

Ensure the audit policy file is placed in the specified directory and restart the API server to apply the configuration.

systemctl daemon-reload && systemctl restart kubelet
2. Define Retention Policies

Determine how long audit logs should be retained. This is typically based on regulatory requirements and organizational policies.

  1. Set Retention Parameters

Configure the API server with retention parameters to manage log file rotation and retention.

--audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100
  1. Archiving and Backup

Implement archiving and backup solutions to store audit logs for long-term retention. Use tools like AWS S3, Google Cloud Storage, or on-premise storage solutions.

# Example: Using a cron job to move logs to a backup location 0 0 * * * mv /var/log/kubernetes/audit.log /backup/location/audit-$(date +\%F).log
3. Secure Storage and Access Control

Ensure audit logs are stored securely and access is restricted to authorized personnel only.

  1. Secure Storage

Store audit logs in a secure location with appropriate permissions.

chmod 600 /var/log/kubernetes/audit.log
  1. Access Control

Use RBAC policies to control who can view and manage audit logs.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kube-system
  name: audit-log-reader
rules:
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list"]
  1. RoleBinding

Bind the role to a user or group.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-audit-logs
  namespace: kube-system
subjects:
- kind: User
  name: audit-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: audit-log-reader
  apiGroup: rbac.authorization.k8s.io
4. Monitoring and Alerting

Set up monitoring and alerting for critical events captured in the audit logs.

  1. Integrate with Logging Systems

Integrate audit logs with centralized logging systems like ELK Stack (Elasticsearch, Logstash, Kibana), Splunk, or Grafana.

# Example: Sending logs to Elasticsearch
filebeat.inputs:
- type: log
  paths:
    - /var/log/kubernetes/audit.log
output.elasticsearch:
  hosts: ["http://elasticsearch:9200"]
  index: "k8s-audit-logs-%{+yyyy.MM.dd}"
  1. Configure Alerts

Set up alerts for specific events using monitoring tools.

# Example: Alerting configuration in Prometheus
groups:
- name: KubernetesAuditLogs
  rules:
  - alert: HighPrivilegeAction
    expr: rate(kube_audit_event_count{verb="create", resource="secrets"}[1m]) > 1
    for: 5m
    labels:
      severity: critical
    annotations:
      summary: "High privilege action detected"
      description: "High privilege action ({{ $labels.verb }}) detected on resource {{ $labels.resource }} by user {{ $labels.user }}."

Example Audit Policy File

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  resources:
  - group: ""
    resources: ["pods", "services", "namespaces"]
- level: Request
  users: ["admin"]
  verbs: ["create", "update", "patch", "delete"]
- level: None
  users: ["system:serviceaccount:kube-system:default"]
  verbs: ["get", "list", "watch"]
- level: RequestResponse
  resources:
  - group: ""
    resources: ["secrets"]
  omitStages:
  - "RequestReceived"

Conclusion

Developing comprehensive audit log policies in Kubernetes is essential for security, compliance, and operational transparency. By enabling audit logging, defining retention policies, securing log storage, implementing access controls, and setting up monitoring and alerting, organizations can effectively manage and utilize audit logs to enhance their Kubernetes cluster's security and performance. Regularly reviewing and updating these policies ensures they remain aligned with organizational needs and regulatory requirements.

follow these measures