This is a...
Problem:
During EU Office Hours on 20180620, @montyz asked, "I need to record and alert when someone logs in to k8s, and the audit logs are a real firehose of information. Anyone have an example of just showing logins?"
The Office Hours team including among others @jeefy @castrojo @mrbobbytables and myself provided a few resources:
But none of them mentioned how to, "when I look at the logs, I cannot figure out what specific api requests to be monitoring for [user logins]"
The suggestions of reading API docs or capturing logs and logging in themselves were well received but the team feels this is something that should be explicitly documented.
Proposed Solution:
Documentation to provide audit policy examples for user activity
Page to Update:
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
More specifically, for HIPAA compliance I need to keep records of who logs into our k8s cluster and deploys things or exec's commands, etc. I understand this is possible via audit logging but I'm having a hard time understanding the audit logs themselves and narrowing in on the specific "User A ran command B".
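An added example, not from the issue or from the Kubernetes documentation, that answers the two questions raised above in code: an audit policy that records `exec`/`attach` and workload writes without the full firehose, and a filter that reduces the API server's JSON-lines audit log to "user A ran command B" records. One caveat the thread does not spell out: the API server has no login event, since every request is authenticated on its own, so "who logged in" is answered by the `user.username` carried on each recorded request rather than by a separate login record. The policy rules, the sample events (audit IDs, user names, addresses, timestamps) and the function names are all constructed for this example.

```python
"""Reduce Kubernetes audit log lines to 'who exec'd what / who deployed what' records."""
import json
from urllib.parse import parse_qs, urlsplit

# Illustrative audit policy (assumption: constructed for this example). Rules match
# top-down and the first match wins, so the specific rules precede the catch-all.
AUDIT_POLICY_YAML = """\
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived
rules:
  # Interactive access to pods: the command is in the request URI query string,
  # so Metadata level already answers "user A ran command B".
  - level: Metadata
    verbs: ["create"]
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach", "pods/portforward"]
  # Workload changes: keep the request body so the deployed spec is on record.
  - level: Request
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "apps"
        resources: ["deployments", "daemonsets", "statefulsets"]
  # Everything else at Metadata: username, verb and URI, but no request bodies.
  - level: Metadata
"""

# Constructed sample events in the log backend's JSON-lines format (audit.k8s.io/v1).
# Event a1 appears twice because exec is long-running and logs several stages.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseStarted","requestURI":"/api/v1/namespaces/default/pods/web-0/exec?command=%2Fbin%2Fsh&command=-c&command=ls+%2Fapp&container=web&stdin=true&stdout=true&tty=true","verb":"create","user":{"username":"alice@example.com","groups":["developers","system:authenticated"]},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.11.0","objectRef":{"resource":"pods","namespace":"default","name":"web-0","subresource":"exec"},"responseStatus":{"code":101},"requestReceivedTimestamp":"2018-06-20T10:00:00.000000Z","stageTimestamp":"2018-06-20T10:00:00.050000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods/web-0/exec?command=%2Fbin%2Fsh&command=-c&command=ls+%2Fapp&container=web&stdin=true&stdout=true&tty=true","verb":"create","user":{"username":"alice@example.com","groups":["developers","system:authenticated"]},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.11.0","objectRef":{"resource":"pods","namespace":"default","name":"web-0","subresource":"exec"},"responseStatus":{"code":101},"requestReceivedTimestamp":"2018-06-20T10:00:00.000000Z","stageTimestamp":"2018-06-20T10:02:31.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"c3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods?limit=500","verb":"list","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","groups":["system:serviceaccounts","system:authenticated"]},"sourceIPs":["10.0.0.1"],"userAgent":"kube-controller-manager/v1.11.0","objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2018-06-20T10:01:00.000000Z","stageTimestamp":"2018-06-20T10:01:00.010000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"b2","stage":"ResponseComplete","requestURI":"/apis/apps/v1/namespaces/prod/deployments","verb":"create","user":{"username":"bob@example.com","groups":["ops","system:authenticated"]},"sourceIPs":["10.0.0.9"],"userAgent":"kubectl/v1.11.0","objectRef":{"resource":"deployments","namespace":"prod","name":"api","apiGroup":"apps","apiVersion":"v1"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2018-06-20T10:05:00.000000Z","stageTimestamp":"2018-06-20T10:05:00.030000Z"}
"""

WATCHED_WORKLOADS = {("apps", "deployments"), ("apps", "daemonsets"), ("apps", "statefulsets")}
WRITE_VERBS = {"create", "update", "patch", "delete"}


def exec_command(request_uri):
    """Recover the argv passed to `kubectl exec` from the exec subresource query string."""
    query = parse_qs(urlsplit(request_uri).query)
    return " ".join(query.get("command", []))


def summarize_user_actions(log_text):
    """Return one record per audit ID for exec/attach and workload writes; skip noise."""
    seen = set()
    actions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Long-running requests log several stages under one auditID; report each once.
        if ev.get("stage") == "RequestReceived" or ev["auditID"] in seen:
            continue
        ref = ev.get("objectRef") or {}
        base = {
            "when": ev.get("requestReceivedTimestamp"),
            "user": ev.get("user", {}).get("username", "<unauthenticated>"),
            "source_ip": ",".join(ev.get("sourceIPs", [])),
            "namespace": ref.get("namespace"),
            "target": ref.get("name"),
        }
        if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach"):
            record = dict(base, action=ref["subresource"], command=exec_command(ev["requestURI"]))
        elif (ref.get("apiGroup"), ref.get("resource")) in WATCHED_WORKLOADS and ev["verb"] in WRITE_VERBS:
            record = dict(base, action=f"{ev['verb']} {ref['resource']}", command="")
        else:
            continue  # controller list/watch traffic and other reads are not reported
        seen.add(ev["auditID"])
        actions.append(record)
    return actions


def format_action(a):
    """One human-readable line per record, suitable for an alert body or a HIPAA access log."""
    detail = f": {a['command']}" if a["command"] else ""
    return f"{a['when']} {a['user']} ({a['source_ip']}) {a['action']} {a['namespace']}/{a['target']}{detail}"


if __name__ == "__main__":
    for action in summarize_user_actions(SAMPLE_AUDIT_LOG):
        print(format_action(action))
```

Run against a real `--audit-log-path` file, the filter yields one line per exec session and per workload write, with the user name taken from whatever authenticator the cluster uses (OIDC, client certificates, tokens). Alerting on "logins" then becomes alerting on records whose `user` is outside an expected set, or on any `exec` record at all in a namespace where interactive access is not expected.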
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
@fejta-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.