Audit Policy & Logs

Audit policies define which API requests are logged and in how much detail. They control the verbosity and scope of audit logging so that security visibility can be balanced against performance and storage cost.

Audit Policy Structure

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  namespaces: ["production"]
- level: RequestResponse
  verbs: ["create", "update", "patch", "delete"]
  resources:
  - group: ""
    resources: ["secrets"]

Audit Levels

None

Don’t log requests matching this rule.

Metadata

Log request metadata (user, timestamp, resource) but not request/response body.

Request

Log request metadata and request body, but not response body.

RequestResponse

Log request metadata, request body, and response body.

Audit Stages

RequestReceived

Log when the request is received by the API server, before it is processed.

ResponseStarted

Log when the response headers are sent but before the body is sent (only generated for long-running requests such as watch).

ResponseComplete

Log when the response body has been sent and the request is complete.

Panic

Log when a panic occurs.

Example Policy

apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
- RequestReceived
rules:
- level: None
  users: ["system:kube-proxy"]
  verbs: ["watch"]
  resources:
  - group: ""
    resources: ["endpoints", "services"]
- level: None
  users: ["system:kubelet"]
  resources:
  - group: ""
    resources: ["nodes", "nodes/status"]
- level: RequestResponse
  verbs: ["create", "update", "patch", "delete"]
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
- level: Metadata
  resources:
  - group: ""
    resources: ["*"]
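
Rules are evaluated in order and the first matching rule decides the level, so the position of a rule changes what gets logged. The following added example (not kube-apiserver's own code) re-implements that first-match logic in Python for a trimmed version of the policy above, so a policy can be sanity-checked against sample requests before it is loaded; it assumes a rule with no `resources` list matches every API group, and it treats a request that matches no rule as not logged.

```python
# Added example (not kube-apiserver code): a minimal re-implementation of
# audit-policy rule matching, where the first matching rule decides the level,
# so a policy can be sanity-checked offline before it is loaded.
from dataclasses import dataclass

# Trimmed version of the example policy above. The catch-all rule omits
# "resources" so it matches every API group, not only the core group.
POLICY = {
    "omitStages": ["RequestReceived"],
    "rules": [
        {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
         "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
        {"level": "None", "users": ["system:kubelet"],
         "resources": [{"group": "", "resources": ["nodes", "nodes/status"]}]},
        {"level": "RequestResponse", "verbs": ["create", "update", "patch", "delete"],
         "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
        {"level": "Metadata"},  # catch-all: every other request
    ],
}
ALL_STAGES = ["RequestReceived", "ResponseStarted", "ResponseComplete", "Panic"]

@dataclass
class Request:
    user: str
    verb: str
    group: str = ""      # "" is the core API group
    resource: str = ""   # "secrets", or "nodes/status" for a subresource
    namespace: str = ""  # "" for cluster-scoped requests

def resource_matches(groups, req):
    """A rule without a resources list matches any resource in any group."""
    return not groups or any(g.get("group", "") == req.group
                             and req.resource in g.get("resources", [])
                             for g in groups)

def rule_matches(rule, req):
    """Every selector present in the rule must match; absent ones match anything."""
    return (req.user in rule.get("users", [req.user])
            and req.verb in rule.get("verbs", [req.verb])
            and req.namespace in rule.get("namespaces", [req.namespace])
            and resource_matches(rule.get("resources"), req))

def audit_level(policy, req):
    """First matching rule wins; a request matching no rule is not logged."""
    return next((r["level"] for r in policy["rules"] if rule_matches(r, req)), "None")

def stages_logged(policy):
    """Stages that produce events, after applying the policy's omitStages."""
    return [s for s in ALL_STAGES if s not in policy.get("omitStages", [])]
```

With this policy, a `create` on a Secret is logged at RequestResponse while a `get` on the same Secret falls through to the Metadata catch-all, which is why read access to Secrets needs its own rule if the bodies matter.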

Configuring Audit Logging

Update the API Server manifest

spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml   # policy file must be mounted into the pod
    - --audit-log-path=/var/log/audit.log                     # log directory must be mounted as well
    - --audit-log-maxage=30       # days to retain old log files
    - --audit-log-maxbackup=10    # number of rotated files to keep
    - --audit-log-maxsize=100     # size in MB before a file is rotated

Best Practices

  1. Log sensitive operations - Log create/update/delete of secrets
  2. Filter noise - Exclude routine operations
  3. Rotate logs - Configure log rotation
  4. Store securely - Protect audit logs
  5. Monitor logs - Set up alerts for suspicious activity

See Also