Kubernetes Security Auditing : Practical guide in 6 Steps

Kubernetes Security Auditing

Kubernetes Auditing is an important security measure that can help you monitor and audit various activities in the cluster to ensure the security and compliance of the cluster. 

This guide will take you step by step to implement the configuration and practical application of Kubernetes security auditing.

Step 1: Check if the Kubernetes cluster supports auditing

Check the supported audit policy versions in your Kubernetes cluster. Use the following command to list all supported API resource versions:

kubectl api-resources | grep audit

Step 2: Configure Kubernetes Audit Policy

Create an audit policy file /etc/kubernetes/audit-policy.yaml to define events and rules that need to be audited. For example, the following is a simple audit policy file:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: Request
    resources:
      - '*'
    verbs:
      - create
      - update
      - delete
    userGroups:
      - system:authenticated
  - level: RequestResponse
    resources:
      - 'secrets'
    verbs:
      - '*'
    userGroups:
      - system:masters
  - level: Metadata
    resources:
      - '*'
    verbs:
      - get
      - list
  - level: None

Detailed description

Rule 1:

  • level: Request:  Defines the audit record level as Request, indicating that the detailed information of the request is recorded.
  • resources::  Contains all resources, using wildcards  * to indicate that it is applicable to all resources.
  • verbs::  Specifies sensitive operations, here are  createupdate and  delete.
  • userGroups::  Applies to all authenticated users

Rule 2:

  • level: RequestResponse:  Defines the audit record level as RequestResponse, which means recording the detailed information of the request and response.

    • resources::  Applies to  secrets resources.
    • verbs::  Use a wildcard  * to indicate that it applies to all operations.
    • userGroups::  Applicable to  system:masters user groups, indicating user groups with cluster administrator rights.

    Rule 3:

    • level: Metadata:  Defines the audit record level as Metadata, which means that only information about object metadata is recorded.
    • resources::  Use wildcard characters  * to indicate that it applies to all resources.
    • verbs::get  The sum  operation  is specified  list .

    Rule 4:

    • level: None:  Defines the audit record level as None, which means no information will be recorded.

    This illustration addresses the logging of requests and responses related to sensitive operations, such as monitoring all operations on resources by cluster administrators and capturing read operations on metadata for all resource objects.

    It is crucial to tailor your audit strategy to align with the distinct requirements and compliance standards of your production environment. In an authentic production setting, configuring audit policies may necessitate more nuanced adjustments to ensure adherence to specific security standards and regulatory obligations.

    Step 3: Verify Kubernetes Policy File

    kubectl apply -f /etc/kubernetes/audit-policy.yaml --dry-run=client

    Step 4: Enable Auditing of API Server

    Edit the configuration file of the Kubernetes API Server (usually /etc/kubernetes/manifests/kube-apiserver.yaml) and add audit configuration.

    Make sure the following parameters are added to kube-apiserver the section:

    apiVersion: v1
    kind: Pod
    metadata:
      name: kube-apiserver
      namespace: kube-system
    spec:
      containers:
      - command:
        - kube-apiserver
        - <other-flags>
        - --audit-log-path=/var/log/kubernetes/audit.log
        - --audit-log-format=json
        - --audit-log-maxage=30
        - --audit-log-maxbackup=3
        - --audit-log-maxsize=100
        - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
        volumeMounts:
        - mountPath: /var/log/kubernetes
          name: var-log-kubernetes
        - mountPath: /etc/kubernetes/audit-policy.yaml
          name: audit-policy
      volumes:
      - hostPath:
          path: /var/log/kubernetes
        name: var-log-kubernetes
      - hostPath:
          path: /etc/kubernetes/audit-policy.yaml
        name: audit-policy

    Parameter Description:

    • --audit-log-path: The storage path of the audit log.
    • –audit-log-format=json : Specify the format of the audit log.
    • --audit-log-maxage: The maximum number of days to retain audit log files.
    • --audit-log-maxbackup: Maximum number of backups of audit log files.
    • --audit-log-maxsize: Maximum size of audit log files.
    • --audit-policy-file: Path to the audit policy file.

    Step 5: Restart API Server

    To apply the new audit configuration, you need to restart the API Server:

    sudo systemctl restart kubelet

    Step 6: View the Audit Log

    The audit log will be recorded in the specified path. You can understand various operations and events in the cluster by viewing this file:

    cat /var/log/kubernetes/audit.log
    

    Practical application: monitoring sensitive operations

    Using audit logs, you can monitor sensitive operations that occur in the cluster, such as Pod creation and deletion. 

    By analyzing audit logs, you can track specific user activities and identify potential security risks.

    cat /var/log/kubernetes/audit.log | grep "CreatePod"
    

    This will filter out all audit events that create Pods, helping you track Pod creation.

    Practical application: abnormal behavior detection

    The audit log records the detailed information of each request, including request parameters, user information, etc.

     By analyzing logs, you can detect abnormal behavior, such as unusually frequent login attempts, privilege escalation, and more.

    cat /var/log/kubernetes/audit.log | grep "LoginAttempt" | grep "Failure"
    

    This will filter out all audit events for failed login attempts, helping you discover potential security risks in a timely manner.

    🔥🔥 : SAVE 35% Now on Online Courses, Certifications, Bundles & IT Professional Programs : [ 2 Days Only – Offer ends Jan 31!. ]

    Offer valid from Jan 29, 2024 – Jan 31, 2024.. 

    • SAVE 35% Now on Online Courses, Certifications, Bundles & IT Professional Programs

    Hurry Up: Offer valid from Jan 29, 2024 – Jan 31, 2024 ⏳

    Use Code AWARD35 to Save 35% Now

    Conclusion

    By configuring and implementing Kubernetes security auditing, you can enhance your comprehension of and uphold the security posture of your cluster. Auditing is a crucial component in guaranteeing Kubernetes security, enabling you to promptly identify potential risks and implement appropriate measures.

    This guide aims to assist you in effectively implementing and optimizing Kubernetes security auditing.

    If you are preparing for Kubernetes certification, check out all certification guides here :

    Check last Kubernetes Exams (CKAD , CKA , CKS) Coupon Page to get discounts on certification registration.

    Kubernetes Certification Coupon CKAD CKA CKS

    Leave a Reply
    You May Also Like