Persistent audit log not enabled
ID | api_server_audit_log_path
Severity | low
Vendor | Kubernetes
Resource | kube-apiserver
Tags | non-reachable
Description
Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster. The cluster audits the activities generated by users, by applications that use the Kubernetes API, and by the control plane itself.
The audit logging feature increases the memory consumption of the API server because some context required for auditing is stored for each request. Memory consumption depends on the audit logging configuration.
Setting --audit-log-path enables the log backend, which writes audit events (JSON by default) to the given file on the node running the API server, or to stdout when the value is "-". From there they can be shipped to external storage and retained after the pod or node is gone. The log backend only emits events selected by the audit policy: if --audit-policy-file is not also set, no events are recorded at all. Without a persisted audit log there is no record of which principal issued which API request, which removes the primary evidence source when investigating a cluster compromise.
Learn more about this topic at Auditing.
Examples
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: weak
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver (1)
    - --authorization-mode=RBAC,Node
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
1 | When --audit-log-path is not set, the log backend is disabled, so API server activity is not persisted and cannot be audited. |
Mitigation / Fix
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: good
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=RBAC,Node
    - --audit-log-path=/path/to/log (1)
    image: gcr.io/<image>
1 | Verify that --audit-log-path is set so audit events are persisted. Pair it with --audit-policy-file (without a policy nothing is logged) and with the rotation flags --audit-log-maxage, --audit-log-maxbackup and --audit-log-maxsize so the log does not fill the node's disk. |
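The following is an added example, not code from the original page or from any scanning tool: a static check that takes a kube-apiserver Pod manifest (as the dict PyYAML would produce) and reports the audit-log findings discussed above. It handles both `--flag=value` and `--flag value` argument forms, reads `command` as well as `args`, and, beyond the page's single check, also flags a missing `--audit-policy-file`, a stdout-only path (`-`) and missing rotation flags. The sample manifests are constructed inline to mirror the weak and fixed examples on this page; the finding messages and severities are my own.

```python
"""Static check of a kube-apiserver Pod manifest for the audit log backend.

Added example, not part of the original page or any particular tool. The
flag names are the documented kube-apiserver flags; the severities and
messages below are this example's own choices.
"""

AUDIT_LOG_PATH = "--audit-log-path"
AUDIT_POLICY_FILE = "--audit-policy-file"
ROTATION_FLAGS = ("--audit-log-maxage", "--audit-log-maxbackup", "--audit-log-maxsize")


def parse_flags(argv):
    """Map --flag -> value for an argv list.

    kube-apiserver accepts both ``--flag=value`` and ``--flag value``; a flag
    with no value is stored as None. Non-flag tokens (the binary name) are skipped.
    """
    flags = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            if "=" in tok:
                name, value = tok.split("=", 1)
                flags[name] = value
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                flags[tok] = argv[i + 1]
                i += 1
            else:
                flags[tok] = None
        i += 1
    return flags


def apiserver_argv(manifest):
    """Collect command + args of every container that runs kube-apiserver.

    A container counts if it is named kube-apiserver or its first command
    token's basename is kube-apiserver (assumption: covers kubeadm-style manifests).
    """
    argv = []
    for c in manifest.get("spec", {}).get("containers", []):
        cmd = list(c.get("command") or []) + list(c.get("args") or [])
        first = cmd[0].rsplit("/", 1)[-1] if cmd else ""
        if c.get("name") == "kube-apiserver" or first == "kube-apiserver":
            argv.extend(cmd)
    return argv


def audit_log_findings(manifest):
    """Return a list of (severity, message) findings; empty means no issue."""
    argv = apiserver_argv(manifest)
    if not argv:
        return [("error", "no kube-apiserver container found in manifest")]
    flags = parse_flags(argv)
    findings = []
    if AUDIT_LOG_PATH not in flags or flags[AUDIT_LOG_PATH] is None:
        findings.append(("low", f"{AUDIT_LOG_PATH} is not set: log backend disabled, "
                                "API activity is not persisted"))
        return findings  # the remaining checks only apply once the backend is on
    if flags[AUDIT_LOG_PATH] == "-":
        findings.append(("info", f"{AUDIT_LOG_PATH}=- writes to stdout only; "
                                 "persistence depends on container log collection"))
    if AUDIT_POLICY_FILE not in flags:
        findings.append(("low", f"{AUDIT_POLICY_FILE} is not set: no events are recorded"))
    missing = [f for f in ROTATION_FLAGS if f not in flags]
    if missing:
        findings.append(("info", "no log rotation configured: " + ", ".join(missing)))
    return findings


def _manifest(name, command):
    """Constructed sample manifest in the shape used on this page."""
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name, "namespace": "kube-system",
                         "labels": {"component": "kube-apiserver", "tier": "control-plane"}},
            "spec": {"containers": [{"command": command, "image": "gcr.io/<image>"}]}}


WEAK = _manifest("weak", ["kube-apiserver", "--authorization-mode=RBAC,Node"])
GOOD = _manifest("good", ["kube-apiserver", "--authorization-mode=RBAC,Node",
                          "--audit-log-path=/path/to/log"])
HARDENED = _manifest("hardened", ["kube-apiserver", "--authorization-mode=RBAC,Node",
                                  "--audit-log-path", "/var/log/kubernetes/audit.log",
                                  "--audit-policy-file=/etc/kubernetes/audit-policy.yaml",
                                  "--audit-log-maxage=30", "--audit-log-maxbackup=10",
                                  "--audit-log-maxsize=100"])

if __name__ == "__main__":
    for m in (WEAK, GOOD, HARDENED):
        print(m["metadata"]["name"], audit_log_findings(m) or "OK")
```

Run against a live cluster by feeding it the output of `kubectl -n kube-system get pod -l component=kube-apiserver -o json` (one item per control-plane node); the check deliberately keeps the page's "path not set" finding at severity low and stops there, since the policy and rotation checks are meaningless until the backend is enabled.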