# Audit Policy & Logs

Audit policies define which API requests the kube-apiserver logs and how much of each request is recorded. They control the verbosity and scope of audit logging so that security visibility can be balanced against performance and storage cost.
## Audit Policy Structure

A policy is an ordered list of rules. The first rule that matches a request decides its audit level; a request that matches no rule is not logged at all, so a catch-all rule normally goes last.

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Metadata only for every request in the production namespace.
  - level: Metadata
    namespaces: ["production"]
  # Full request and response bodies for writes to Secrets. Because rules are
  # matched in order, this only applies to namespaces the first rule did not match.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["secrets"]
```
## Audit Levels

Each rule sets one of four levels, from least to most detail:

- `None`: don't log requests matching this rule.
- `Metadata`: log request metadata (user, timestamp, resource) but not the request or response body.
- `Request`: log request metadata and the request body, but not the response body.
- `RequestResponse`: log request metadata, the request body and the response body.
## Audit Stages

A request passes through these stages, and an event can be emitted at each one unless the stage is omitted:

- `RequestReceived`: when the API server receives the request, before it is handled.
- `ResponseStarted`: when the response headers have been sent but the body is still being written (long-running requests such as `watch`).
- `ResponseComplete`: when the response body is complete.
- `Panic`: when a panic occurs while handling the request.
## Example Policy

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage for all rules to cut log volume; it carries
# no response information.
omitStages:
  - RequestReceived
rules:
  # Drop high-volume, low-value traffic first: rules are matched in order.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  - level: None
    users: ["system:kubelet"]
    resources:
      - group: ""
        resources: ["nodes", "nodes/status"]
  # Full request and response bodies for writes to Secrets and ConfigMaps.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Catch-all for the core API group: metadata only.
  - level: Metadata
    resources:
      - group: ""
        resources: ["*"]
```
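To see what the first-matching-rule semantics do to a concrete request before a policy is deployed, here is a small evaluator. It is an added example, not code from this page or from the Kubernetes project: it re-implements the matching used by kube-apiserver for the fields this page uses (`users`, `verbs`, `namespaces`, `resources` with `group`/`resources`, and `omitStages`), with the example policy written as Python dicts rather than YAML to avoid a parser dependency. The real checker also handles `userGroups`, `resourceNames` and `nonResourceURLs`, which are left out here.

```python
"""Added example: evaluate an audit.k8s.io/v1 Policy against request attributes.

Not from the Kubernetes project. Mirrors kube-apiserver's first-match rule
semantics for users, verbs, namespaces, resources and omitStages only.
"""
from dataclasses import dataclass

STAGES = ("RequestReceived", "ResponseStarted", "ResponseComplete", "Panic")

# The page's example policy, as a dict instead of YAML.
EXAMPLE_POLICY = {
    "omitStages": ["RequestReceived"],
    "rules": [
        {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
         "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
        {"level": "None", "users": ["system:kubelet"],
         "resources": [{"group": "", "resources": ["nodes", "nodes/status"]}]},
        {"level": "RequestResponse",
         "verbs": ["create", "update", "patch", "delete"],
         "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
        {"level": "Metadata", "resources": [{"group": "", "resources": ["*"]}]},
    ],
}


@dataclass(frozen=True)
class Request:
    """Constructed request attributes (the authorizer.Attributes subset used here)."""
    user: str
    verb: str
    group: str = ""        # "" is the core API group
    resource: str = ""
    subresource: str = ""
    namespace: str = ""


def _matches_resource(rule, req):
    """Resource matching as kube-apiserver does it: exact, '*', '*/sub', 'res/*'."""
    group_resources = rule.get("resources")
    if not group_resources:
        return True  # a rule without resources matches every resource
    combined = req.resource + ("/" + req.subresource if req.subresource else "")
    for gr in group_resources:
        if gr.get("group", "") != req.group:
            continue
        names = gr.get("resources")
        if not names:
            return True  # group listed without resources: whole group matches
        for res in names:
            if res == combined or res == "*":
                return True
            if req.subresource and res.startswith("*/") and res[2:] == req.subresource:
                return True
            if res.endswith("/*") and res[:-2] == req.resource:
                return True
    return False


def _matches(rule, req):
    """A rule matches only if every field it specifies matches the request."""
    if rule.get("users") and req.user not in rule["users"]:
        return False
    if rule.get("verbs") and req.verb not in rule["verbs"]:
        return False
    if rule.get("namespaces") and req.namespace not in rule["namespaces"]:
        return False
    return _matches_resource(rule, req)


def evaluate(policy, req):
    """Return (level, stages_logged) from the first rule that matches.

    A request that matches no rule is not logged: that is the default when
    no rule applies. Level None also logs no stages.
    """
    omitted = set(policy.get("omitStages", []))
    for rule in policy.get("rules", []):
        if _matches(rule, req):
            level = rule["level"]
            if level == "None":
                return level, ()
            omitted |= set(rule.get("omitStages", []))
            return level, tuple(s for s in STAGES if s not in omitted)
    return "None", ()


if __name__ == "__main__":
    probes = [
        Request("system:kube-proxy", "watch", resource="endpoints"),
        Request("alice", "delete", resource="secrets", namespace="production"),
        Request("system:kubelet", "patch", resource="nodes", subresource="status"),
        Request("bob", "get", group="apps", resource="deployments"),
    ]
    for p in probes:
        print(p.user, p.verb, p.group or '""', p.resource, "->", evaluate(EXAMPLE_POLICY, p))
```

The last probe is the instructive one: a `get` of an `apps/deployments` resource matches no rule, because the catch-all only names the core group (`group: ""`), so the example policy never logs it. A final rule with no `resources` field at all would cover every API group.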
## Configuring Audit Logging

### Update API Server

Add the audit flags to the kube-apiserver command (with kubeadm this is the static pod manifest at `/etc/kubernetes/manifests/kube-apiserver.yaml`). Because the API server runs as a pod, the policy file and the log path must also be mounted into the container with hostPath volumes.

```yaml
spec:
  containers:
    - name: kube-apiserver
      command:
        - kube-apiserver
        - --audit-policy-file=/etc/kubernetes/audit-policy.yaml  # policy from the section above
        - --audit-log-path=/var/log/audit.log                    # JSON lines, one event per line
        - --audit-log-maxage=30     # days to retain rotated log files
        - --audit-log-maxbackup=10  # number of rotated files to keep
        - --audit-log-maxsize=100   # megabytes before the file is rotated
```
## Best Practices

- Log sensitive operations: log create, update, patch and delete of Secrets (and similar sensitive resources).
- Filter noise: exclude routine high-volume operations, as the `None` rules in the example do.
- Rotate logs: configure log rotation with the maxage, maxbackup and maxsize flags so the log cannot fill the control-plane disk.
- Store securely: protect audit logs from tampering and unauthorized reads; at the `RequestResponse` level they can contain the Secret data itself.
- Monitor logs: set up alerts for suspicious activity.
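As a concrete starting point for the "monitor logs" practice, the following detector reads audit events in the JSON-lines format kube-apiserver writes to `--audit-log-path` and raises alerts for a few patterns. It is an added example, not part of this page or the Kubernetes project. The log lines are constructed for the example; the field names used (`stage`, `verb`, `user.username`, `objectRef`, `responseStatus.code`) are the real `audit.k8s.io/v1` Event fields, trimmed to what the rules need. Every rule works on metadata alone, so it runs against logs produced at the `Metadata` level.

```python
"""Added example: simple alerting over kube-apiserver audit log lines.

Not from the Kubernetes project. Sample events are constructed.
"""
import json
from collections import Counter

# Constructed sample audit log: one audit.k8s.io/v1 Event per line.
SAMPLE_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/production/secrets/db-creds","verb":"get","user":{"username":"alice","groups":["developers"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"secrets","namespace":"production","name":"db-creds","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a2","stage":"RequestReceived","requestURI":"/api/v1/namespaces/production/secrets","verb":"create","user":{"username":"deploy-bot","groups":["ci"]},"sourceIPs":["10.0.0.9"],"objectRef":{"resource":"secrets","namespace":"production","name":"tls-cert","apiVersion":"v1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/production/secrets","verb":"create","user":{"username":"deploy-bot","groups":["ci"]},"sourceIPs":["10.0.0.9"],"objectRef":{"resource":"secrets","namespace":"production","name":"tls-cert","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/production/secrets/db-creds","verb":"delete","user":{"username":"mallory","groups":["developers"]},"sourceIPs":["10.0.0.77"],"objectRef":{"resource":"secrets","namespace":"production","name":"db-creds","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/production/secrets","verb":"list","user":{"username":"mallory","groups":["developers"]},"sourceIPs":["10.0.0.77"],"objectRef":{"resource":"secrets","namespace":"production","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/configmaps","verb":"list","user":{"username":"mallory","groups":["developers"]},"sourceIPs":["10.0.0.77"],"objectRef":{"resource":"configmaps","namespace":"kube-system","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a6","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.8"],"objectRef":{"resource":"secrets","namespace":"kube-system","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a7","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/production/pods/web-0/exec","verb":"create","user":{"username":"alice","groups":["developers"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"production","name":"web-0","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":101}}
"""

SECRET_WRITE_VERBS = {"create", "update", "patch", "delete"}
FORBIDDEN_THRESHOLD = 3  # 403 responses from one identity before it counts as a burst


def parse_events(text):
    """Parse JSON lines and keep only ResponseComplete events.

    A request emits one event per stage that is not omitted, so a policy that
    keeps RequestReceived would otherwise count every request twice.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("stage") == "ResponseComplete":
            events.append(event)
    return events


def detect(events):
    """Return a list of (rule, user, detail) alerts for the given events."""
    alerts = []
    forbidden = Counter()
    for ev in events:
        user = ev.get("user", {}).get("username", "<unknown>")
        ref = ev.get("objectRef") or {}
        resource = ref.get("resource", "")
        subresource = ref.get("subresource", "")
        verb = ev.get("verb", "")
        code = (ev.get("responseStatus") or {}).get("code", 0)
        target = f"{ref.get('namespace', '')}/{ref.get('name', '')}"

        # Successful writes to Secrets: the operations the page's policy logs in full.
        if resource == "secrets" and verb in SECRET_WRITE_VERBS and 200 <= code < 300:
            alerts.append(("secret-write", user, f"{verb} secrets {target}"))
        # Any unauthenticated request is worth a look, whether or not it was allowed.
        if user == "system:anonymous":
            alerts.append(("anonymous", user, ev.get("requestURI", "")))
        # Interactive access to a container.
        if resource == "pods" and subresource == "exec":
            alerts.append(("pod-exec", user, target))
        if code == 403:
            forbidden[user] += 1

    # A run of denied requests from one identity usually means it is testing its permissions.
    for user, count in forbidden.items():
        if count >= FORBIDDEN_THRESHOLD:
            alerts.append(("forbidden-burst", user, f"{count} forbidden responses"))
    return alerts


def run(text=SAMPLE_LOG):
    """Parse and detect in one step; returns the alert list."""
    return detect(parse_events(text))


if __name__ == "__main__":
    for rule, user, detail in run():
        print(f"{rule:16} {user:18} {detail}")
```

Run against a real file with `run(open("/var/log/audit.log").read())`. The thresholds and the rule set are deliberately small; in practice the same logic is usually expressed in the query language of whatever system the logs are shipped to, but the fields it keys on are the same.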
## See Also

- Audit & Compliance: overview of audit and compliance
- CIS Benchmarks: CIS Kubernetes Benchmark