Audit works at the API server level, logging all requests coming to the server. Each audit log contains two entries:
-
The request line containing:
-
A Unique ID allowing to match the response line (see #2)
-
The source IP of the request
-
The HTTP method being invoked
-
The original user invoking the operation
-
The impersonated user for the operation (
selfmeaning himself) -
The impersonated group for the operation (
lookupmeaning user’s group) -
The namespace of the request or <none>
-
The URI as requested
-
-
The response line containing:
-
The unique ID from #1
-
The response code
-
You can view logs for the master nodes for the {product-title} API server or the Kubernetes API server.
Example output for the Kubelet API server:
ip-10-0-140-97.ec2.internal {"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","metadata":{"creationTimestamp":"2019-04-09T19:56:58Z"},"level":"Metadata","timestamp":"2019-04-09T19:56:58Z","auditID":"6e96c88b-ab6f-44d2-b62e-d1413efd676b","stage":"ResponseComplete","requestURI":"/api/v1/nodes/audit-2019-04-09T14-07-27.129.log","verb":"get","user":{"username":"kube:admin","groups":["system:cluster-admins","system:authenticated"],"extra":{"scopes.authorization.openshift.io":["user:full"]}},"sourceIPs":["10.0.57.93"],"userAgent":"oc/v1.14.6+c4799753c (linux/amd64) kubernetes/ba88cb2","objectRef":{"resource":"nodes","name":"audit-2019-04-09T14-07-27.129.log","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","reason":"NotFound","code":404},"requestReceivedTimestamp":"2019-04-09T19:56:58.982157Z","stageTimestamp":"2019-04-09T19:56:58.985300Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"cluster-admins\" of ClusterRole \"cluster-admin\" to Group \"system:cluster-admins\""}}