Last updated: 2023-07-05 17:28:36
The audit function records, in chronological order, the activity generated by every user, by applications that call the Kubernetes API, and by control-plane system components. It helps cluster administrators understand the following:
An audit policy defines rules about which events should be recorded and which data each record should contain. When an event is processed, it is compared against the list of rules in order.
The audit level (Audit Level) defines how much information is recorded. The levels are:

| Parameter | Description |
|---|---|
| None | Do not log events matching this rule. |
| Metadata | Log request metadata (requesting user, timestamp, resource, verb, etc.) but not the request or response body. |
| Request | Log event metadata and the request body, but not the response body. |
| RequestResponse | Log everything: metadata plus the request and response bodies. |
The audit stage (Audit stage) defines at which point in request handling an event is recorded. The stages are:

| Parameter | Description |
|---|---|
| RequestReceived | Recorded as soon as the request is received. |
| ResponseStarted | Recorded after the response headers have been sent; this stage is generated only for long-running requests such as watch. |
| ResponseComplete | Recorded after the entire response body has been sent. |
| Panic | Recorded when a panic occurs. |
After auditing is enabled on a managed cluster, the related parameters are configured as follows (these parameters cannot be customized; if you need them changed, submit a ticket):

| Configuration parameter | Description |
|---|---|
| audit-log-maxage | Audit logs are retained for at most 3 days. |
| audit-log-maxbackup | At most 3 rotated audit log files are kept. |
| audit-log-maxsize | A single audit log file is at most 10M. |
KCE audit policies follow these principles:
The following is an example policy.yaml:
```yaml
# policy.yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]
  # Don't log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]
  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]
  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"
  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]
  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]
  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.
  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"
```
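Because rules are compared in order and the first match decides the level, a rule placed too late is silently shadowed (for example, the `pods` rule above never sees `pods/log`). The following evaluator, added here and not part of KCE or of the original page, walks the policy above in the same order as the kube-apiserver policy checker so a request's resulting level and omitted stages can be checked before the policy is deployed; the rules are transcribed into Python dicts so no YAML library is needed, and wildcard resource forms such as `"*"` are not handled.

```python
# Added example (not KCE code): first-match evaluation of the audit Policy above, mirroring
# the kube-apiserver policy checker's order. Wildcard resource forms ("*") are not handled.
POLICY = {"omitStages": ["RequestReceived"], "rules": [  # transcribed from the page's policy.yaml
    {"level": "RequestResponse", "resources": [{"group": "", "resources": ["pods"]}]},
    {"level": "Metadata", "resources": [{"group": "", "resources": ["pods/log", "pods/status"]}]},
    {"level": "None", "resources": [{"group": "", "resources": ["configmaps"], "resourceNames": ["controller-leader"]}]},
    {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"], "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
    {"level": "None", "userGroups": ["system:authenticated"], "nonResourceURLs": ["/api*", "/version"]},
    {"level": "Request", "resources": [{"group": "", "resources": ["configmaps"]}], "namespaces": ["kube-system"]},
    {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
    {"level": "Request", "resources": [{"group": ""}, {"group": "extensions"}]},
    {"level": "Metadata", "omitStages": ["RequestReceived"]},
]}

def _resource_matches(rule, req):
    # Resource requests carry "resource" ("pods", or "pods/log" for a subresource) and "apiGroup".
    if "resource" not in req:
        return False
    if rule.get("namespaces") and req.get("namespace", "") not in rule["namespaces"]:
        return False
    if not rule.get("resources"):
        return True  # namespaces-only rule: any resource in those namespaces
    for gr in rule["resources"]:
        if gr.get("group", "") != req.get("apiGroup", ""):
            continue
        if not gr.get("resources"):
            return True  # bare group entry: every resource in the group
        if (not gr.get("resourceNames") or req.get("name") in gr["resourceNames"]) and req["resource"] in gr["resources"]:
            return True
    return False

def rule_matches(rule, req):
    if rule.get("users") and req.get("user") not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(req.get("groups", [])):
        return False
    if rule.get("verbs") and req.get("verb") not in rule["verbs"]:
        return False
    if rule.get("namespaces") or rule.get("resources"):
        return _resource_matches(rule, req)
    if rule.get("nonResourceURLs"):  # exact path, or prefix match when the pattern ends in "*"
        return "resource" not in req and any(req.get("path") == p or (p.endswith("*") and
                 req.get("path", "").startswith(p[:-1])) for p in rule["nonResourceURLs"])
    return True  # no selector at all: catch-all rule

def audit_decision(policy, req):
    """Level and omitted stages from the first matching rule; an unmatched request is not audited."""
    for rule in policy["rules"]:
        if rule_matches(rule, req):
            return rule["level"], sorted(set(policy.get("omitStages", []) + rule.get("omitStages", [])))
    return "None", list(policy.get("omitStages", []))
```

The request dicts are constructed inputs; a real check would build them from the `user`, `verb` and `objectRef` fields of an audit event such as the one shown later on this page.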
After the audit function is enabled, the raw logs can be viewed under KLog > ClusterID > Log Search. The raw log structure is as follows:
```text
{
  cluster_version:" "
  cluster_name:" "
  verb:"get"
  objectRefName:"xxxx"
  userAgent:"xxxx"
  objectRefResource:"leases"
  requestURI:" "
  message:"{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"c1443f6a-xxxx-xxxx-afac-e8654e1xxxxx","stage":"ResponseComplete","requestURI":"xxxx","verb":"get","user":{"username":"xxxx","uid":"e77fa9ac-xxxx-xxxx-xxxx-96beeadxxxxx","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["10.x.x.x"],"userAgent":"xxxx","objectRef":{"resource":"leases","namespace":"kube-system","name":"xxxx","apiGroup":"xxxx","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-06-29T09:46:29.906639Z","stageTimestamp":"2023-06-29T09:46:29.922133Z","annotations":{"authentication.k8s.io/legacy-token":"xxxx","authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"xxxx" }}",
  responseStatusCode:"200"
  _timestamp_:1688031992489
  sourceIP:"10.x.x.x"
  cluster_uuid:" "
  objectRefNamespace:"kube-system"
  user:"xxxx"
  timestamp:"2023-06-29T17:46:31.299+0800"
}
```
Here, the message field carries the audit event itself. The following is an example audit event:
```json
{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "auditID": "c1443f6a-xxxx-xxxx-afac-e8654e1xxxxx",
  "stage": "ResponseComplete",
  // What happened
  "requestURI": "xxxx",
  "verb": "get",
  // Who initiated the request
  "user": {
    "username": "xxxx",
    "uid": "xxxx",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:kube-system",
      "system:authenticated"
    ]
  },
  // Initiator's IP address
  "sourceIPs": [
    "10.x.x.x"
  ],
  // The object the request acted on
  "userAgent": "xxxx",
  "objectRef": {
    "resource": "leases",
    "namespace": "kube-system",
    "name": "xxxx",
    "apiGroup": "xxxx",
    "apiVersion": "v1"
  },
  // Result for that object
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  // Start and end time of the request
  "requestReceivedTimestamp": "2023-06-29T09:46:29.906639Z",
  "stageTimestamp": "2023-06-29T09:46:29.922133Z",
  // Why the request was allowed or denied
  "annotations": {
    "authentication.k8s.io/legacy-token": "xxxx",
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "xxxx"
  }
}
```
This section focuses on enabling the cluster audit function; for the full steps for creating a cluster, see Create Cluster.
Clean mode