Kubernetes 101 : Logging - Log Policies -
These logs could be enabled or disabled using a YAML Policy file.
We make API server aware of this Policy file and its rules through the parameter "--audit-policy-file", that we can pass as an option to the API server.
For example, we could have the below:
In case we run the API server as a pod, we would need to make sure the file is mentioned in the pod's Yaml file in the below parameters:
- "VolumeMounts.mountpath"
- "hostPath.path"
Below is a Yaml file representing a Policy for logging:
Levels:
- None : when the system user "kube-proxy" requests a "get" action on the "services" resources. The action will not be logged.
- Metadata : logs only the metadata, and not the details of the request. For example, the "user" of the "secrets" object gets logged in our above example.
- Request : only the request is logged not the answer to the request.
- RequestResponse : this will log the request and its response.
Groups:
Refer to the group that the resources belong to.
Below are a couple of examples:
- "": Empty groups refers to the main core API group "api/v1"
- "apps": refers to the "apps" API group "/apps/v1".
Verbs:
The verbs refer to the action done on the resource, for example: "watch", "list", "get", ...
Remark:
The "omitStages" parameter tells the API server not to write any logs when a specific action happens, for example in our case, when a request is first received "RequestReceived".
Comments