EMK - Audit Policy
This page describes how to configure your Kubernetes cluster with a custom Audit Policy. This is only available through the YAML configurator and requires EMK access through a service account (SA).
Audit events are logged by the kube-apiserver service and can be viewed with the Plutono dashboard. Specific events can be logged using a custom audit policy. More information about Kubernetes Auditing can be found on the Kubernetes website, topic Auditing.
Default Audit Policy
When EMK deploys a shoot cluster the following default audit policy is added to the kube-apiserver:
Custom Audit Policy
If you need a specific audit policy for your Kubernetes cluster, deploy the required audit policy in your EMK project namespace embedded in a `ConfigMap` resource and set up your cluster to refer to this `ConfigMap`.
!!! note
    The audit policy must be stored under the key `policy` in the `data` section of the `ConfigMap`.
Configure Custom Audit Policy
Make sure you have a valid service account with sufficient privileges to access your EMK project namespace, see service account access.
- Create a file `my-policy-configmap.yaml` containing the following ConfigMap with an embedded Kubernetes audit Policy:
- Add the ConfigMap to your EMK project namespace:
- Verify the ConfigMap was created:
- Configure your shoot cluster with the custom audit policy:
!!! note
    EMK validates the Shoot resource to refer only to existing `ConfigMap`s containing a valid policy, and rejects the change on failure.
If you want to switch back to the default audit policy, remove the following section from the shoot's YAML config: `spec.kubernetes.kubeAPIServer.auditConfig`.
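As an added example (not EMK's own code and not the YAML from this page), the following Python helper builds such a ConfigMap with the policy under `data.policy` and pre-checks it locally for the conditions EMK's validation would reject: a missing `policy` key, an unparseable policy, or a rule with an invalid audit level. It writes the embedded policy as JSON, which the kube-apiserver accepts as YAML, so no extra library is needed; the rule set, the ConfigMap name and the `garden-myproject` namespace are constructed placeholders.

```python
import json

# Audit levels accepted by audit.k8s.io/v1, from least to most verbose.
VALID_LEVELS = {"None", "Metadata", "Request", "RequestResponse"}

# Constructed sample rules: never record the bodies of secrets/configmaps,
# keep full request and response for RBAC changes, Metadata for the rest.
EXAMPLE_RULES = [
    {"level": "Metadata",
     "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
    {"level": "RequestResponse",
     "verbs": ["create", "update", "patch", "delete"],
     "resources": [{"group": "rbac.authorization.k8s.io"}]},
    {"level": "Metadata", "omitStages": ["RequestReceived"]},
]


def build_policy_configmap(name, namespace, rules):
    """Wrap an audit Policy in a ConfigMap under data.policy (JSON is valid YAML)."""
    policy = {"apiVersion": "audit.k8s.io/v1", "kind": "Policy", "rules": rules}
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name, "namespace": namespace},
        "data": {"policy": json.dumps(policy, indent=2)},
    }


def validate_policy_configmap(cm):
    """Return a list of problems; an empty list means the ConfigMap looks valid."""
    problems = []
    if cm.get("kind") != "ConfigMap":
        problems.append("kind must be ConfigMap")
    raw = (cm.get("data") or {}).get("policy")
    if raw is None:
        problems.append("data.policy key is missing")
        return problems
    try:
        policy = json.loads(raw)
    except (ValueError, TypeError) as exc:
        problems.append(f"data.policy is not parseable: {exc}")
        return problems
    if policy.get("apiVersion") != "audit.k8s.io/v1":
        problems.append("policy apiVersion must be audit.k8s.io/v1")
    if policy.get("kind") != "Policy":
        problems.append("policy kind must be Policy")
    rules = policy.get("rules") or []
    if not rules:
        problems.append("policy has no rules")
    for i, rule in enumerate(rules):
        if rule.get("level") not in VALID_LEVELS:
            problems.append(f"rule {i}: level must be one of {sorted(VALID_LEVELS)}")
    return problems
```

`json.dumps(build_policy_configmap(...), indent=2)` written to a file is a manifest `kubectl apply -f` accepts; run `validate_policy_configmap` on it before applying.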
Review Audit Events
Audit events can be reviewed from the integrated Plutono dashboard.
- Access the Plutono dashboard, see monitoring.
- From the navigation bar, open the Explore page via the compass icon.
- Change the datasource from prometheus (the default) to vali.
- Enter the following query in the Log browser field:
This will list all audit events, filtered from all available events, in the last hour. You can fine-tune your query using a syntax similar to Loki's LogQL; for syntax examples see grafana.com/docs.
Rolling Out Changes to the Audit Policy
EMK does not automatically roll out changes to the Audit Policy, in order to minimize the number of Shoot reconciliations. EMK picks up the changes on the next reconciliation of Shoots referencing the Audit Policy ConfigMap. If you want to roll out Audit Policy changes immediately, you can manually trigger a Shoot reconciliation as described in triggering an immediate reconciliation.
Retrieving Custom Audit Policy log files
At the moment, custom Audit Policy log files cannot be retrieved directly. However, this feature is a work in progress. In the meantime, you can obtain the log files by submitting a support ticket.