Page MenuHomePhabricator
Create Task
Maniphest T290020

Enable audit logging for kube-apiserver
Open, LowPublic
Actions

Description

We should evaluate and enable audit logging for the kube-apiserver. This would help to keep track of accidental manipulation of cluster objects or harmful operations.

We have to evaluate which resources and actions we want to log to keep the volume low. I would assume we don't want to log get and watch actions. Furthermore we have to think about how to access the audit log (logstash/elasticsearch or local only?).

More information:
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/

This topic came up in https://phabricator.wikimedia.org/T251305 because with helm3 we may lose some reliability for audit capabilities.

As part of T273507: PodSecurityPolicies will be deprecated with Kubernetes 1.21 audit-logging support has been added to the puppet codebase along with a very simple logging policy that only logs actions modifying pod objects (because that's what was needed in that context). For a more generic approach we could look at the config GCE generates: https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure-helper.sh#L1113

Currently the kube-apiservers write audit logs (if enabled) to /var/log/kubernetes/audit.log, rotating after reaching 100MB

Details

SubjectRepoBranchLines +/-
k8s: Enable audit logging for all clustersoperations/puppetproduction+1 -2
kubernetes::master: Forward audit logs to kafkaoperations/puppetproduction+21 -5
k8s: Enable audit logging in staging-eqiadoperations/puppetproduction+1 -0
k8s/apiserver: Fix parameter syntax for --audit-log-maxsizeoperations/puppetproduction+2 -1
k8s/apiserver: Add option to configure audit loggingoperations/puppetproduction+59 -4
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT290020 Enable audit logging for kube-apiserver
 ResolvedJeltoT362634 ProbeDown (miscweb)

Event Timeline

Jelto created this task.Aug 30 2021, 4:39 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 30 2021, 4:39 PM
Jelto triaged this task as Low priority.Aug 30 2021, 4:39 PM
JMeybohm added a project: Prod-Kubernetes.Aug 30 2021, 4:45 PM
jijiki moved this task from Incoming 🐫 to 🙈🙉🙊Backlog on the serviceops board.Sep 28 2022, 2:20 PM
jijiki moved this task from 🙈🙉🙊Backlog to ⎈Kubernetes on the serviceops board.Dec 13 2022, 3:13 PM
JMeybohm mentioned this in T345892: Reduction of Secret-based Service Account Tokens.Sep 22 2023, 9:10 AM
JMeybohm renamed this task from Evaluate and enable audit logging for kubeapi-server to Evaluate and enable audit logging for kube-apiserver.Thu, Mar 28, 3:59 PM
gerritbot added a comment.Sat, Mar 30, 11:35 AM

Change #1015354 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] k8s/apiserver: Add option to configure audit logging

https://gerrit.wikimedia.org/r/1015354

gerritbot added a project: Patch-For-Review.Sat, Mar 30, 11:35 AM
gerritbot added a comment.Wed, Apr 3, 9:23 AM

Change #1015354 merged by JMeybohm:

[operations/puppet@production] k8s/apiserver: Add option to configure audit logging

https://gerrit.wikimedia.org/r/1015354

gerritbot added a comment.Wed, Apr 3, 9:33 AM

Change #1016721 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] k8s/apiserver: Fix parameter syntax for --audit-log-maxsize

https://gerrit.wikimedia.org/r/1016721

gerritbot added a comment.Wed, Apr 3, 9:35 AM

Change #1016721 merged by JMeybohm:

[operations/puppet@production] k8s/apiserver: Fix parameter syntax for --audit-log-maxsize

https://gerrit.wikimedia.org/r/1016721

gerritbot added a comment.Wed, Apr 3, 12:08 PM

Change #1016753 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] k8s: Enable audit logging in staging-eqiad

https://gerrit.wikimedia.org/r/1016753

JMeybohm updated the task description. (Show Details)Wed, Apr 3, 12:41 PM
gerritbot added a comment.Wed, Apr 3, 12:42 PM

Change #1016753 merged by JMeybohm:

[operations/puppet@production] k8s: Enable audit logging in staging-eqiad

https://gerrit.wikimedia.org/r/1016753

JMeybohm added a comment.Wed, Apr 3, 12:49 PM

Observability-Logging could you maybe advice on if/how/where we could potentially store these audit logs to make them more accessible?
They come as Json lines with the format specified in https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/#audit-k8s-io-v1-Event

JMeybohm added a project: Observability-Logging.Thu, Apr 11, 12:44 PM
JMeybohm updated the task description. (Show Details)Thu, Apr 11, 12:48 PM
gerritbot added a comment.Thu, Apr 11, 1:47 PM

Change #1019049 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] kubernetes::master: Forward audit logs to kafka

https://gerrit.wikimedia.org/r/1019049

colewhite subscribed.Thu, Apr 11, 3:37 PM

Per conversation, the team would like to explore the option of a custom index for k8s audit logs.

The process largely follows the pattern carved by w3creportingapi:

  1. Get these logs into Kafka (patch above)
  2. An index pattern template based on the event schema - example
  3. An OpenSearch output with a specific guard condition - example
  4. A Curator definition enforcing our retention policy - example
  5. An index pattern - to be configured in Dashboards UI when data in the new indexes has appeared in OpenSearch
lmata moved this task from Inbox to Radar on the Observability-Logging board.Thu, Apr 11, 4:20 PM
JMeybohm added a comment.EditedFri, Apr 12, 7:26 AM

Thanks! Elastic does maintain a audit_log integration at https://docs.elastic.co/integrations/kubernetes/audit-logs / https://github.com/elastic/integrations/tree/main/packages/kubernetes/data_stream/audit_logs - does that make things easier?

gerritbot added a comment.Fri, Apr 12, 7:29 AM

Change #1019049 merged by JMeybohm:

[operations/puppet@production] kubernetes::master: Forward audit logs to kafka

https://gerrit.wikimedia.org/r/1019049

JMeybohm added a comment.EditedFri, Apr 12, 7:55 AM

I've merged the attached patch and the logs are ingested into the logstash-k8s- index (https://logstash.wikimedia.org/app/discover#/view/7f276c90-f8a0-11ee-be54-8fd74c07934f). Unfortunately the event dates are off as the date of ingestion is used instead of a timestamp from the actual data. I suppose this is something that will be fixed by using a dedicated index

colewhite added a comment.Fri, Apr 12, 2:56 PM
In T290020#9709155, @JMeybohm wrote:

Thanks! Elastic does maintain a audit_log integration at https://docs.elastic.co/integrations/kubernetes/audit-logs / https://github.com/elastic/integrations/tree/main/packages/kubernetes/data_stream/audit_logs - does that make things easier?

Elastic Integrations aren't available to us in an OpenSearch world. However, the mapping data from that link would be useful if we choose to transform these logs to ECS and not use a dedicated index.

JMeybohm added a comment.Fri, Apr 12, 3:40 PM
In T290020#9710264, @colewhite wrote:

Elastic Integrations aren't available to us in an OpenSearch world. However, the mapping data from that link would be useful if we choose to transform these logs to ECS and not use a dedicated index.

Ok, I see.
I can not really gasp how much work it is to go with a dedicated index. The steps you outlined look pretty frightening tbh. - are those things you (as in Observability-Logging) can generate/provide?

JMeybohm renamed this task from Evaluate and enable audit logging for kube-apiserver to Enable audit logging for kube-apiserver.Fri, Apr 12, 7:39 PM
JMeybohm mentioned this in T273507: PodSecurityPolicies will be deprecated with Kubernetes 1.21.Fri, Apr 12, 7:42 PM
gerritbot added a comment.Tue, Apr 16, 9:46 AM

Change #1020186 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] k8s: Enable audit logging for all clusters

https://gerrit.wikimedia.org/r/1020186

gerritbot added a comment.Tue, Apr 16, 10:00 AM

Change #1020186 merged by JMeybohm:

[operations/puppet@production] k8s: Enable audit logging for all clusters

https://gerrit.wikimedia.org/r/1020186

Jelto added a subtask: T362634: ProbeDown (miscweb).Tue, Apr 16, 2:42 PM
Jelto closed subtask T362634: ProbeDown (miscweb) as Resolved.
Jelto mentioned this in T362634: ProbeDown (miscweb).
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL