How to check currently active audit policy?

D_P1 · November 9, 2021, 3:31pm

Hi everyone!
Situation: obvious format error in an audit configuration file.
Result: the apiserver somehow proceeded generating audit events after restart.
Questions:

what configuration did it use?
how to check the currently active audit policy?
is there any helpful logs to determine that there was an error in audit policy file format?

Cluster information:

Kubernetes version: v1.21.5
Cloud being used: bare-metal
Installation method: kubespray
Host OS: Ubunto 20.04.3 LTS

D_P1 · December 24, 2021, 12:37pm

A bit of investigations shows:

kube-apiserver pods are static pods. Containers inside them are not restarted if you just delete these pods, so kubectl delete pod is not enough to catch a new audit policy
if you want to deploy a new audit policy - just kill the api-server process on master nodes (one by one with sufficient pause to not disrupt cluster functions)
you can find errors regarding policy format in logs of kube-apiserver containers after restart
there is no API endpoint to check currently active policy. At least, for now.

Topic		Replies	Views
How to capture pods' IP addresses in Kubernetes Audit log? General Discussions security , observability	0	975	December 6, 2022
Need help deploying kubernetes with always allow as authorization mode General Discussions	1	613	September 6, 2020
Apiserver pod logs that certificate has expired or is not yet valid General Discussions	0	1446	June 22, 2022
Kubernetes rbac users audit events logging General Discussions	6	1908	July 30, 2021
An "update on restart" behavior General Discussions	4	1739	February 18, 2019

How to check currently active audit policy?

Cluster information:

Related topics