Only Metadata level audit logging is required for Kubernetes

Hi Team,

I am trying to get k8s audit logs only for level “Metadata”, but I am getting logs for levels “Request” and “RequestResponse”. I tried multiple combinations to achieve this but had no luck. I also followed the K8s audit documentation, but it does not seem to help: although it describes how to pull only Metadata-level logs, in my case other levels are being pulled too. Can someone please help me here?

I am using the configuration below:

apiVersion: audit.k8s.io/v1
kind: Policy
# Don't generate audit events for any request in the RequestReceived stage.
# (Only RequestReceived, ResponseStarted, ResponseComplete and Panic are stages;
# "Request" and "RequestResponse" are levels and are not valid here.)
omitStages:
  - "RequestReceived"
rules:
  # The following requests were manually identified as high-volume and low-risk,
  # so drop them.
  - level: None
    resources:
      - group: ""
        resources:
          - endpoints
          - services
          - services/status
          - pods
    users:
      - "system:kube-proxy"
      - "system:nodes"
      - "system:kube-scheduler"
      - "system:apiserver"
      - "system:kube-controller-manager"
      - "system:authenticated"
      - "system:anonymous"
      - "system:serviceaccounts"
      - "system:serviceaccounts:controller-xperi-k8s"
      - "system:serviceaccount:controller-xperi-k8s:controller"
    verbs:
      - watch
      - get
      - list
      - update

  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups:
      - "system:kube-proxy"
      - "system:nodes"
      - "system:kube-scheduler"
      - "system:apiserver"
      - "system:kube-controller-manager"
      - "system:authenticated"
      - "system:anonymous"
      - "system:serviceaccounts"
      - "system:serviceaccounts:controller-xperi-k8s"
      - "system:serviceaccount:controller-xperi-k8s:controller"
    nonResourceURLs:
      - "/api*" # Wildcard matching.
      - "/version"

  # Secrets and ConfigMaps can contain sensitive data, so only log at the Metadata level.
  - level: Metadata
    omitStages:
      - RequestReceived
    resources:
      - group: ""
        resources:
          - secrets
          - configmaps

  # Default level for all other requests.
  - level: Metadata
    omitStages:
      - RequestReceived

Request and RequestResponse are not log levels, they are stages of an event. The documentation that describes the behavior of each setting is here and examples can be found here.

Can you explain exactly what you want logged? If you can share a rough idea, I can probably give you an example to work from.

This would technically be metadata only:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

Also what flags did you set for apiserver? This is what I have in my notes.

--audit-log-path /path/to/store/api-server.audit.log
  File path to store audit log.
  Not specifying this flag disables log backend.
  Using - means standard out.

--audit-log-maxage 15
  Max number of days to retain old audit log files.

--audit-log-maxbackup 10
  Max number of audit log files to retain.

--audit-log-maxsize 1024
  Max size of log file before it gets rotated (in megabytes).
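An added check, not from either post in this thread, that applies the audit.k8s.io/v1 rule semantics to a policy and predicts the level each request would be audited at. It treats Metadata, Request, RequestResponse and None as levels, and RequestReceived, ResponseStarted, ResponseComplete and Panic as stages; rules are tried in order and the first match wins, an empty field matches everything, and a request that matches no rule gets level None. POLICY is a constructed, trimmed copy of the question's policy (it deliberately keeps the two non-stage names so the validator has something to flag) and SAMPLE_REQUESTS are constructed request attributes, not real audit events.

```python
"""Validate a Kubernetes audit Policy and predict the level of sample requests.
Added example, not code from the thread or from Kubernetes; POLICY and
SAMPLE_REQUESTS are constructed inputs."""

VALID_STAGES = {"RequestReceived", "ResponseStarted", "ResponseComplete", "Panic"}
VALID_LEVELS = {"None", "Metadata", "Request", "RequestResponse"}

POLICY = {
    "apiVersion": "audit.k8s.io/v1",
    "kind": "Policy",
    # Two level names kept here on purpose so validate_policy() can flag them.
    "omitStages": ["RequestReceived", "RequestResponse", "Request"],
    "rules": [
        {"level": "None",
         "users": ["system:kube-proxy", "system:apiserver"],
         "verbs": ["watch", "get", "list", "update"],
         "resources": [{"group": "", "resources": ["endpoints", "services", "pods"]}]},
        {"level": "None",
         "userGroups": ["system:authenticated", "system:nodes"],
         "nonResourceURLs": ["/api*", "/version"]},
        {"level": "Metadata", "omitStages": ["RequestReceived"],
         "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
        {"level": "Metadata", "omitStages": ["RequestReceived"]},  # catch-all rule
    ],
}

# Constructed request attributes: resource requests carry group/resource,
# non-resource requests carry path.
SAMPLE_REQUESTS = {
    "kube-proxy lists endpoints": {"user": "system:kube-proxy", "groups": ["system:authenticated"],
                                   "verb": "list", "group": "", "resource": "endpoints"},
    "alice gets a secret": {"user": "alice", "groups": ["system:authenticated"],
                            "verb": "get", "group": "", "resource": "secrets"},
    "alice creates a deployment": {"user": "alice", "groups": ["system:authenticated"],
                                   "verb": "create", "group": "apps", "resource": "deployments"},
    "alice reads /version": {"user": "alice", "groups": ["system:authenticated"],
                             "verb": "get", "path": "/version"},
    "anonymous probes /healthz": {"user": "system:anonymous", "groups": ["system:unauthenticated"],
                                  "verb": "get", "path": "/healthz"},
}


def validate_policy(policy):
    """Return a list of problems; an empty list means the policy is well formed."""
    problems = []
    for stage in policy.get("omitStages", []):
        if stage not in VALID_STAGES:
            problems.append(f"omitStages: {stage!r} is a level or unknown name, not a stage")
    for i, rule in enumerate(policy.get("rules", [])):
        if rule.get("level") not in VALID_LEVELS:
            problems.append(f"rules[{i}]: unknown level {rule.get('level')!r}")
        for stage in rule.get("omitStages", []):
            if stage not in VALID_STAGES:
                problems.append(f"rules[{i}].omitStages: {stage!r} is not a stage")
    return problems


def _path_matches(path, spec):
    # A trailing '*' is a prefix wildcard, as in the "/api*" entry above.
    return path == spec or (spec.endswith("*") and path.startswith(spec[:-1]))


def rule_matches(rule, req):
    """True when every populated field of the rule matches the request."""
    if rule.get("users") and req["user"] not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(req.get("groups", [])):
        return False
    if rule.get("verbs") and req["verb"] not in rule["verbs"]:
        return False
    if rule.get("resources"):  # resource rules never match non-resource requests
        if "resource" not in req:
            return False
        return any(g.get("group", "") == req.get("group", "")
                   and (not g.get("resources") or req["resource"] in g["resources"])
                   for g in rule["resources"])
    if rule.get("nonResourceURLs"):  # and vice versa
        if "path" not in req:
            return False
        return any(_path_matches(req["path"], spec) for spec in rule["nonResourceURLs"])
    return True


def decide(policy, req):
    """Return (level, omitted stages): first matching rule wins, and the omitted
    stages are the policy-wide ones plus the matching rule's own."""
    for rule in policy["rules"]:
        if rule_matches(rule, req):
            return rule["level"], set(policy.get("omitStages", [])) | set(rule.get("omitStages", []))
    return "None", set(policy.get("omitStages", []))


def summarize(policy, requests):
    """Map each sample label to the level it would be audited at."""
    return {label: decide(policy, req)[0] for label, req in requests.items()}


if __name__ == "__main__":
    for problem in validate_policy(POLICY):
        print("policy problem:", problem)
    for label, level in summarize(POLICY, SAMPLE_REQUESTS).items():
        print(f"{label:28s} -> {level}")
```

Running it reports the two bogus `omitStages` entries and shows that the level is chosen per matching rule, not by `omitStages`: a policy only ever emits Metadata events when every rule's `level` is `Metadata` or `None`, which the catch-all last rule guarantees here for anything the earlier rules do not drop.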