Аудит событий Kubernetes API
Цель: настроен сбор Kubernetes audit log, и в файл аудита записываются все действия в Kubernetes.
Аудит событий Kubernetes API в Talos настроен по умолчанию.
Получить информацию о параметрах аудита процесса kube-apiserver:
console
talosctl -n 192.168.1.2 processes | sed 's| |\n|g' | grep -E "(audit-policy|audit-log)"
Вывод:
text
--audit-log-maxage=30
--audit-log-maxbackup=10
--audit-log-maxsize=100
--audit-log-path=/var/log/audit/kube/kube-apiserver.log
--audit-policy-file=/system/config/kubernetes/kube-apiserver/auditpolicy.yaml
Проверить политику аудита по умолчанию через файловую систему:
console
talosctl -n 192.168.1.2 cat /system/config/kubernetes/kube-apiserver/auditpolicy.yaml
Вывод:
text
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
creationTimestamp: null
rules:
- level: Metadata
Проверить политику аудита по умолчанию через машинную конфигурацию:
console
talosctl get mc -n 192.168.1.2 v1alpha1 -o jsonpath='{.spec}' 2>/dev/null | yq .cluster.apiServer.auditPolicy
Вывод:
text
{
"apiVersion": "audit.k8s.io/v1",
"kind": "Policy",
"rules": [
{
"level": "Metadata"
}
]
}
Проверить последнюю запись (entry) файла лога аудита:
console
talosctl -n 192.168.1.2 cat /var/log/audit/kube/kube-apiserver.log | tail -n 1 | jq
Примерный вывод:
json
{
"kind": "Event",
"apiVersion": "audit.k8s.io/v1",
"level": "Metadata",
"auditID": "d9a6add8-987f-41d1-aa09-0eaca069709b",
"stage": "ResponseComplete",
"requestURI": "/apis/discovery.k8s.io/v1/namespaces/default/endpointslices/kubernetes",
"verb": "get",
"user": {
"username": "system:apiserver",
"uid": "86c13617-dba8-4e5f-ac6a-d212243b743e",
"groups": [
"system:authenticated",
"system:masters"
]
},
"sourceIPs": [
"::1"
],
"userAgent": "kube-apiserver/v1.33.3 (linux/amd64) kubernetes/80779bd",
"objectRef": {
"resource": "endpointslices",
"namespace": "default",
"name": "kubernetes",
"apiGroup": "discovery.k8s.io",
"apiVersion": "v1"
},
"responseStatus": {
"metadata": {},
"code": 200
},
"requestReceivedTimestamp": "2025-10-14T16:23:40.829320Z",
"stageTimestamp": "2025-10-14T16:23:40.830525Z",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": ""
}
}
Изменить уровень аудита Kubernetes API
Уровень RequestResponse записывает в лог тела запросов и ответов для всех ресурсов, в том числе содержимое Secret, поэтому доступ к файлу `/var/log/audit/kube/kube-apiserver.log` должен быть ограничен, а объём лога заметно вырастет (см. параметры `--audit-log-maxsize` и `--audit-log-maxbackup` выше). Патч меняет уровень только первого правила (`rules/0`) и рассчитан на политику по умолчанию с единственным правилом. Применить патч:
json
[
{
"op": "replace",
"path": "/cluster/apiServer/auditPolicy/rules/0/level",
"value": "RequestResponse"
}
]
Выполнить патч для всех узлов Controlplane:
console
talosctl -n 192.168.1.8 patch machineconfig -p '[{"op":"replace","path":"/cluster/apiServer/auditPolicy/rules/0/level","value":"RequestResponse"}]' && \
talosctl -n 192.168.1.7 patch machineconfig -p '[{"op":"replace","path":"/cluster/apiServer/auditPolicy/rules/0/level","value":"RequestResponse"}]' && \
talosctl -n 192.168.1.4 patch machineconfig -p '[{"op":"replace","path":"/cluster/apiServer/auditPolicy/rules/0/level","value":"RequestResponse"}]' && \
talosctl -n 192.168.1.3 patch machineconfig -p '[{"op":"replace","path":"/cluster/apiServer/auditPolicy/rules/0/level","value":"RequestResponse"}]' && \
talosctl -n 192.168.1.2 patch machineconfig -p '[{"op":"replace","path":"/cluster/apiServer/auditPolicy/rules/0/level","value":"RequestResponse"}]'
Проверить обновлённую политику аудита через файловую систему:
console
talosctl -n 192.168.1.2 cat /system/config/kubernetes/kube-apiserver/auditpolicy.yaml
Вывод:
text
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
creationTimestamp: null
rules:
- level: RequestResponse
Проверить обновлённую политику аудита через машинную конфигурацию:
console
talosctl get mc -n 192.168.1.2 v1alpha1 -o jsonpath='{.spec}' 2>/dev/null | yq .cluster.apiServer.auditPolicy
Вывод:
text
{
"apiVersion": "audit.k8s.io/v1",
"kind": "Policy",
"rules": [
{
"level": "RequestResponse"
}
]
}
Создать тестовый Service Account:
console
kubectl create sa test
Проверить последнюю запись (entry) файла лога аудита:
console
talosctl -n 192.168.1.2 cat /var/log/audit/kube/kube-apiserver.log | tail -n 1 | jq
Примерный вывод (level изменился на RequestResponse; обратите внимание, что последняя запись в примере — внутренний запрос kube-apiserver, а не создание Service Account, так как `tail -n 1` показывает только самое последнее событие):
json
{
"kind": "Event",
"apiVersion": "audit.k8s.io/v1",
"level": "RequestResponse",
"auditID": "db7fa079-bf9e-4613-9e4a-271a2a0871f0",
"stage": "ResponseComplete",
"requestURI": "/apis/discovery.k8s.io/v1/namespaces/default/endpointslices/kubernetes",
"verb": "get",
"user": {
"username": "system:apiserver",
"uid": "923a2981-9c5e-46a0-b2e2-c9f8a7954cdf",
"groups": [
"system:authenticated",
"system:masters"
]
},
"sourceIPs": [
"::1"
],
"userAgent": "kube-apiserver/v1.33.3 (linux/amd64) kubernetes/80779bd",
"objectRef": {
"resource": "endpointslices",
"namespace": "default",
"name": "kubernetes",
"apiGroup": "discovery.k8s.io",
"apiVersion": "v1"
},
"responseStatus": {
"metadata": {},
"code": 200
},
"responseObject": {
"kind": "EndpointSlice",
"apiVersion": "discovery.k8s.io/v1",
"metadata": {
"name": "kubernetes",
"namespace": "default",
"uid": "26cc0059-7f4f-4eb2-ba7c-b24817d410d8",
"resourceVersion": "269095",
"generation": 132,
"creationTimestamp": "2025-10-17T15:11:01Z",
"labels": {
"kubernetes.io/service-name": "kubernetes"
},
"managedFields": [
{
"manager": "kube-apiserver",
"operation": "Update",
"apiVersion": "discovery.k8s.io/v1",
"time": "2025-10-18T14:46:00Z",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:addressType": {},
"f:endpoints": {},
"f:metadata": {
"f:labels": {
".": {},
"f:kubernetes.io/service-name": {}
}
},
"f:ports": {}
}
}
]
},
"addressType": "IPv4",
"endpoints": [
{
"addresses": [
"192.168.1.2"
],
"conditions": {
"ready": true
}
},
{
"addresses": [
"192.168.1.3"
],
"conditions": {
"ready": true
}
},
{
"addresses": [
"192.168.1.4"
],
"conditions": {
"ready": true
}
},
{
"addresses": [
"192.168.1.7"
],
"conditions": {
"ready": true
}
},
{
"addresses": [
"192.168.1.8"
],
"conditions": {
"ready": true
}
}
],
"ports": [
{
"name": "https",
"protocol": "TCP",
"port": 6443
}
]
},
"requestReceivedTimestamp": "2025-10-18T14:46:20.360029Z",
"stageTimestamp": "2025-10-18T14:46:20.361465Z",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": ""
}
}