
Extension Shoot Kubernetes Audit Logs

The Gardener Kubernetes Audit Log Extension exposes API-server audit events generated by the Shoot cluster. When enabled, the logs are available on the Shoot control plane. They can be forwarded to any log aggregator or SIEM supported by Fluent Bit. To set up log transmission, please contact OSC support.

Steps to enable Extension Shoot Kubernetes Audit Logs

Prerequisites

  • access to OSC Garden cluster
  • sufficient rights inside project namespace to manipulate configmaps and shoots

To enable the Gardener Audit Log extension, the following steps are required:

Step 1. Audit Policy Configuration

Begin by creating a ConfigMap containing the audit policy and applying it to your project namespace on the Garden cluster. In the example below, the project namespace is assumed to be garden-dev:

apiVersion: v1
kind: ConfigMap
metadata:
  name: auditpolicy
  namespace: garden-dev    # change it to your project namespace, e.g., garden-<my-project-name>
data:
  policy: |-
    apiVersion: audit.k8s.io/v1
    kind: Policy
    omitStages:
      - "RequestReceived"
    # Rules are evaluated in order; the first matching rule sets the level.
    # Requests that match no rule are not logged.
    rules:
      # Log request metadata for OIDC users, matched via the oidc:offline_access group
      - level: Metadata
        userGroups:
          - "oidc:offline_access"

      # Log request metadata for the cluster-admin user
      - level: Metadata
        users:
          - "system:cluster-admin"

      # Exclude requests from specific user groups
      - level: None
        userGroups:
          - "system:nodes"
          - "system:serviceaccounts:*"

      # Exclude specific non-resource URLs
      - level: None
        nonResourceURLs:
          - "/api*" # trailing * matches any path starting with /api
          - "/version"
          - "/healthz"
          - "/readyz"

      # Exclude specific resource groups (all resources in coordination.k8s.io, core events)
      - level: None
        resources:
          - group: "coordination.k8s.io"
          - group: ""
            resources: ["events"]
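The order of the rules above matters, because the API server stops at the first matching rule and drops any request that matches none. The following is an added example, not code from the page or the audit extension: it transcribes the Step 1 policy into Python and evaluates constructed sample requests with the upstream kube-apiserver matching semantics for the fields that policy uses (literal user and group names, a trailing-* prefix for nonResourceURLs, group/resource pairs).

```python
# Added example (not from the page or the extension): first-match evaluation of the
# Step 1 policy using kube-apiserver's semantics for the fields that policy uses.
POLICY_RULES = [  # transcription of the policy in the auditpolicy ConfigMap
    {"level": "Metadata", "userGroups": ["oidc:offline_access"]},
    {"level": "Metadata", "users": ["system:cluster-admin"]},
    {"level": "None", "userGroups": ["system:nodes", "system:serviceaccounts:*"]},
    {"level": "None", "nonResourceURLs": ["/api*", "/version", "/healthz", "/readyz"]},
    {"level": "None", "resources": [{"group": "coordination.k8s.io"},
                                    {"group": "", "resources": ["events"]}]},
]

def _path_matches(path, spec):
    # nonResourceURLs accept "*", an exact path, or a trailing-* prefix
    return spec in ("*", path) or (spec.endswith("*") and path.startswith(spec.rstrip("*")))

def _rule_matches(rule, req):
    if rule.get("users") and req["user"] not in rule["users"]:
        return False
    # userGroups are compared literally: "system:serviceaccounts:*" is not a glob
    if rule.get("userGroups") and not set(req["groups"]) & set(rule["userGroups"]):
        return False
    if rule.get("resources"):  # a resource rule never matches a non-resource URL
        return "path" not in req and any(
            gr["group"] == req["group"]
            and (not gr.get("resources") or req["resource"] in gr["resources"])
            for gr in rule["resources"])
    if rule.get("nonResourceURLs"):
        return "path" in req and any(
            _path_matches(req["path"], s) for s in rule["nonResourceURLs"])
    return True

def audit_level(req, rules=POLICY_RULES):
    """Return (level, index of the first matching rule); no match means not logged."""
    for i, rule in enumerate(rules):
        if _rule_matches(rule, req):
            return rule["level"], i
    return "None", None

SAMPLES = {  # constructed requests; "path" marks a non-resource request
    "cluster-admin GET /healthz": {"user": "system:cluster-admin", "groups": [], "path": "/healthz"},
    "offline_access user lists secrets": {"user": "alice", "groups": ["oidc:offline_access"],
                                          "group": "", "resource": "secrets"},
    "kube-system SA patches configmaps": {"user": "system:serviceaccount:kube-system:x",
                                          "groups": ["system:serviceaccounts:kube-system"],
                                          "group": "", "resource": "configmaps"},
}
if __name__ == "__main__":
    for name, req in SAMPLES.items():
        level, idx = audit_level(req)
        print(f"{name:36} -> {level:8} rule={'default' if idx is None else idx}")
```

Note that the cluster-admin health check is logged because the user rule precedes the /healthz exclusion, while a human OIDC user outside oidc:offline_access matches no rule at all and is therefore not logged.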

Step 2. Enable the Gardener Audit Extension

In your shoot configuration, enable the extension and set the auditPolicy for the Kubernetes API server as shown in the following example. The settings live under spec.extensions and spec.kubernetes.kubeAPIServer respectively and can be copied into your shoot manifest.

  extensions:
    - type: audit
      providerConfig:
        apiVersion: audit.metal.extensions.gardener.cloud/v1alpha1
        kind: AuditConfig
        webhookMode: blocking
        backends:
          log:
            enabled: true
  ...
  kubernetes:
    kubeAPIServer:
      auditConfig:
        auditPolicy:
          configMapRef:
            name: auditpolicy

Disabling globally enabled extensions

To disable extensions which are enabled by default, add the following snippet to the shoot manifest:

kind: Shoot
...
spec:
  extensions:
  - type: audit
    disabled: true
...