Discovering the 'audit-log-path' for a kubernetes cluster kube-apiserver

345 views Asked by At

I am reviewing my rke installation:

https://docs.rke2.io/security/cis_self_assessment123#1219

The instruction works, makes sense, but shouldn't I be able to check this by running a kubectl describe po -n kube-system kube-apiserver-{my-ip}. I did a describe po on the resource, expecting to see the audit-log-path, but it was not there. How can I discover this setting if it isn't in the pod description. Is ps the best way? The only way?

1

There are 1 answers

0
Kranthiveer Dontineni On BEST ANSWER

Audit backends stores audit logs to an external persistent storage. There are two backends available for kube-apiserver: Log backend, stores logs to a director in the filesystem. Webhook backend, which pushes logs to an external storage using HTTP API. Since you are trying to store data locally we will be using the log backend. As mentioned in the doc provided by you --audit-log-path is used for setting up the path for your audit log files and if haven’t provided any path it will go to the standard output /var/log/kubernetes/audit/audit.log and persistent volumes should be used for storing these logs, so you can get the path details by using below command

Kubectl get pv (In most cases audit will be the keyword so you can find the path using this)

References:

  1. https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/
  2. https://www.ibm.com/docs/en/mvi/1.1.1?topic=environment-checking-kubernetes-storage-status