Kubernetes 审计

    通过配置 kube-apiserver 的下列参数开启审计日志

    • audit-log-path:审计日志路径
    • audit-log-maxage:旧日志最长保留天数
    • audit-log-maxbackup:旧日志文件最多保留个数
    • audit-log-maxsize:日志文件最大大小(单位 MB),超过后自动做轮转(默认为 100MB)

    每条审计记录包括两行

    • 请求行包括:唯一 ID 和请求的元数据(如源 IP、用户名、请求资源等)
    • 响应行包括:唯一 ID(与请求 ID 一致)和响应的元数据(如 HTTP 状态码)

    v1.7 + 支持实验性的高级审计特性,可以自定义审计策略(选择记录哪些事件)和审计存储后端(日志和 webhook)等。开启方法为

    注意开启 AdvancedAuditing 后,日志的格式有一些修改,如新增了 stage 字段(包括 RequestReceived,ResponseStarted ,ResponseComplete,Panic 等)。

    其中,设计策略的配置格式为

    1. rules:
    2.   # Don't log watch requests by the"system:kube-proxy" on endpoints or services
    3.   - level: None
    4.     users: ["system:kube-proxy"]
    5.     verbs: ["watch"]
    6.     resources:
    7.     - group: "" # core API group
    8.       resources: ["endpoints", "services"]
    10.   # Don't log authenticated requests to certain non-resource URL paths.
    11.   - level: None
    12.     userGroups: ["system:authenticated"]
    13.     - "/api*" # Wildcard matching.
    14.     - "/version"
    16.   # Log the request body of configmap changes in kube-system.
    17.   - level: Request
    18.     resources:
    19.     - group: "" # core API group
    21.     # This rule only applies to resources in the "kube-system" namespace.
    22.     # The empty string "" can be used to select non-namespaced resources.
    23.     namespaces: ["kube-system"]
    25.   # Log configmap and secret changes in all other namespaces at the Metadata level.
    26.   - level: Metadata
    27.     resources:
    28.     - group: "" # core API group
    29.       resources: ["secrets", "configmaps"]
    31.   # Log all other resources in core and extensions at the Request level.
    32.   - level: Request
    33.     resources:
    34.     - group: "" # core API group
    35.     - group: "extensions" # Version of group should NOT be included.
    36.   # A catch-all rule to log all other requests at the Metadata level.
    37.   - level: Metadata

    在生产环境中,推荐参考 GCE 审计策略 配置。

    • 日志,配置 --audit-log-path 开启,格式为
    • webhook,配置 --audit-webhook-config-file=/etc/kubernetes/audit-webhook-kubeconfig --audit-webhook-mode=batch 开启,其中 audit-webhook-mode 支持 batch 和 blocking 两种格式,而 webhook 配置文件格式为
    2. clusters:
    3.   - name: name-of-remote-audit-service
    4.     cluster:
    5.       certificate-authority: /path/to/ca.pem  # CA for verifying the remote service.
    6.       server: https://audit.example.com/audit # URL of remote service to query. Must use 'https'.
    8. # users refers to the API server's webhook configuration.
    9. users:
    10.   - name: name-of-api-server
    11.     user:
    12.       client-certificate: /path/to/cert.pem # cert for the webhook plugin to use
    13.       client-key: /path/to/key.pem          # key matching the cert
    15. # kubeconfig files require a context. Provide one for the API server.
    16. current-context: webhook
    17. contexts:
    18. - context:
    19.     cluster: name-of-remote-audit-service
    20.   name: webhook

    所有的事件以 JSON 格式 POST 给 webhook server,如