
EMK - Audit Policy


This page describes how to configure your Kubernetes cluster with a custom Audit Policy. This is only available through the YAML configurator and requires EMK access through a service account (SA).


Audit events are logged by the kube-apiserver service and can be viewed with the Plutono dashboard. Which events are logged is selected by a custom audit policy. More information about Kubernetes auditing can be found on the Kubernetes website under the topic Auditing.

Default Audit Policy

When EMK deploys a shoot cluster, the following default audit policy is added to the kube-apiserver:

    apiVersion: audit.k8s.io/v1
    kind: Policy
    metadata:
      creationTimestamp: null
    rules:
    - level: None

Its single rule, level: None, matches every request and records nothing, so no audit events are written until a custom audit policy is configured.

Custom Audit Policy

If you need a specific audit policy for your Kubernetes cluster, deploy the required audit policy in your EMK project namespace embedded in a ConfigMap resource and set up your cluster to refer to this ConfigMap.

!!! note

    The audit policy must be stored under the key `policy` in the `data` section of the ConfigMap.

Configure Custom Audit Policy

Make sure you have a valid service account with sufficient privileges to access your EMK project namespace, see service account access.

  1. Create a file my-policy-configmap.yaml containing the following ConfigMap with an embedded Kubernetes audit Policy:

    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: custom-policy
    data:
      policy: |-
        apiVersion: audit.k8s.io/v1
        kind: Policy
        rules:
          - level: Metadata
            omitStages:
              - "RequestReceived"
    

  2. Add the ConfigMap to your EMK project namespace:

    kubectl apply -f my-policy-configmap.yaml
    

  3. Verify that the ConfigMap was created:

    kubectl get configmap
    NAME                   DATA   AGE
    custom-policy          1      42s
    

  4. Configure your shoot cluster with the custom audit policy:

    spec:
      kubernetes:
        kubeAPIServer:
          auditConfig:
            auditPolicy:
              configMapRef:
                name: custom-policy
    

!!! note

    EMK validates the Shoot resource to refer only to existing `ConfigMap`s
    containing a valid policy, and rejects the change on failure.

To switch back to the default audit policy, remove the spec.kubernetes.kubeAPIServer.auditConfig section from the shoot's YAML config.

Review Audit Events

Audit events can be reviewed from the integrated Plutono dashboard.

  1. Access the Plutono dashboard, see monitoring.

  2. From the navigation bar, open the Explore page via the compass icon.

  3. Change the data source from prometheus (the default) to vali.

  4. Enter the following query in the Log browser field:

    {container_name="debugger"} |= "auditID"
    

This lists all audit events among the events available in the last hour. You can fine-tune your query using a syntax similar to Loki's LogQL; for syntax examples see grafana.com/docs.
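The following Python script is an added example and is not part of the EMK documentation or tooling. It triages three constructed audit events in the audit.k8s.io/v1 format that kube-apiserver writes: it applies the same auditID filter as the query above, flags events that the step-1 policy (level Metadata, RequestReceived omitted) should never produce, which is a quick way to tell that a policy change has not taken effect yet, and summarises who did what and which requests were denied. The container name, users, resources and auditIDs are invented sample values.

```python
import json
from collections import Counter

# Constructed sample (not captured from a real cluster): three events in the
# audit.k8s.io/v1 format kube-apiserver writes, one JSON object per line, as
# the vali query {container_name="debugger"} |= "auditID" would return them.
SAMPLE_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"0f1e2d3c-0000-4000-8000-000000000001","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets/db-creds","verb":"get","user":{"username":"system:serviceaccount:default:app","groups":["system:serviceaccounts"]},"objectRef":{"resource":"secrets","namespace":"default","name":"db-creds","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"0f1e2d3c-0000-4000-8000-000000000002","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets/db-creds","verb":"get","user":{"username":"alice","groups":["system:authenticated"]},"objectRef":{"resource":"secrets","namespace":"default","name":"db-creds","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"0f1e2d3c-0000-4000-8000-000000000003","stage":"RequestReceived","requestURI":"/api/v1/namespaces/default/configmaps","verb":"create","user":{"username":"alice","groups":["system:authenticated"]},"objectRef":{"resource":"configmaps","namespace":"default","apiVersion":"v1"},"requestObject":{"kind":"ConfigMap","data":{"policy":"..."}}}
"""

# What the step-1 policy promises: level Metadata everywhere, RequestReceived stage omitted.
EXPECTED_LEVEL = "Metadata"
OMITTED_STAGES = {"RequestReceived"}

def parse_events(log_text):
    """Keep only lines carrying an auditID (the |= "auditID" filter) and decode them."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if line and '"auditID"' in line:
            events.append(json.loads(line))
    return events

def policy_violations(events):
    """Return (auditID, reason) for events the step-1 policy should not produce;
    a hit means another policy is still active, e.g. the Shoot was not reconciled yet."""
    problems = []
    for ev in events:
        if ev["stage"] in OMITTED_STAGES:
            problems.append((ev["auditID"], "stage %s is omitted by policy" % ev["stage"]))
        if ev["level"] != EXPECTED_LEVEL:
            problems.append((ev["auditID"], "level %s, expected %s" % (ev["level"], EXPECTED_LEVEL)))
        if "requestObject" in ev or "responseObject" in ev:
            problems.append((ev["auditID"], "request/response body present at Metadata level"))
    return problems

def summarize(events):
    """Count requests per (user, verb, resource) and list the ones denied with HTTP 403."""
    counts = Counter()
    denied = []
    for ev in events:
        resource = ev.get("objectRef", {}).get("resource", ev["requestURI"])
        counts[(ev["user"]["username"], ev["verb"], resource)] += 1
        if ev.get("responseStatus", {}).get("code") == 403:
            denied.append((ev["user"]["username"], ev["requestURI"]))
    return counts, denied
```

In a real review, feed the script the raw lines exported from the Explore page; the third sample event is the shape you would see while the old policy is still active.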

Rolling Out Changes to the Audit Policy

EMK does not automatically roll out changes to the Audit Policy, to minimize the number of Shoot reconciliations. It picks up the changes on the next reconciliation of the Shoots referencing the Audit Policy ConfigMap. If you want to roll out Audit Policy changes immediately, trigger a Shoot reconciliation manually as described in triggering an immediate reconciliation.

Retrieving Custom Audit Policy log files

At the moment, custom Audit Policy log files cannot be retrieved directly. However, this feature is a work in progress. In the meantime, you can obtain the log files by submitting a support ticket.