We could use logs for debugging and analysis purposes.
These logs could be enabled or disabled using a YAML Policy file.

We make the API server aware of this Policy file and its rules through the "--audit-policy-file" parameter, which we pass as an option to the API server.

For example, we could have the below:


In case we run the API server as a pod, we need to make sure the file is mentioned in the pod's YAML file in the below parameters:
  • "volumeMounts.mountPath"
  • "hostPath.path"

Below is a YAML file representing a Policy for logging:
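
An added example, not the authors' original file: an audit policy consistent with the levels, groups, verbs and "omitStages" setting described on this page. The "None" and "Metadata" rules follow the descriptions under Levels; the "Request", "RequestResponse" and catch-all rules are constructed for illustration.

```yaml
# Added example policy (not the authors' original file).
# Handed to the API server with --audit-policy-file=<path to this file>.
# Rules are evaluated top to bottom; the first rule that matches a
# request sets its audit level, so narrow rules must come first.
apiVersion: audit.k8s.io/v1
kind: Policy

# Do not generate audit events for the RequestReceived stage.
omitStages:
  - "RequestReceived"

rules:
  # None: "get" requests from kube-proxy on services are not logged.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["get"]
    resources:
      - group: ""              # "" is the core API group
        resources: ["services"]

  # Metadata: record who acted on secrets, when and with which verb,
  # but never the request or response body, so secret values stay
  # out of the audit log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]

  # Request (constructed rule): log the request body, not the response,
  # for changes to deployments in the "apps" group.
  - level: Request
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "apps"
        resources: ["deployments"]

  # RequestResponse (constructed rule): log request and response
  # bodies for pods in the core group.
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["pods"]

  # Catch-all (constructed rule): everything else at Metadata level.
  - level: Metadata
```

Because the first match wins, placing the catch-all rule above the "secrets" rule would not change the secrets level here, but placing a "RequestResponse" rule above it would write secret contents into the log.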


Levels:
  • None: the action will not be logged. In our example, this applies when the system user "kube-proxy" requests a "get" action on the "services" resources.
  • Metadata: logs only the metadata, and not the details of the request. For example, the "user" of the "secrets" object gets logged in our above example.
  • Request: only the request is logged, not the response to the request.
  • RequestResponse: this will log the request and its response.
Groups:

Refer to the group that the resources belong to.
Below are a couple of examples:
  • "": The empty group refers to the main core API group "api/v1".
  • "apps": refers to the "apps" API group "/apps/v1".
Verbs:

The verbs refer to the action done on the resource, for example: "watch", "list", "get", ...

Remark:

The "omitStages" parameter tells the API server not to write any logs at a specific stage of request handling, for example in our case, when a request is first received ("RequestReceived").

Brando Sabatini and Ikbal C ©.