Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Auditing in Kubernetes 101

Avatar for Nikhita Raghunath Nikhita Raghunath
February 17, 2020
Programming
0
170

Auditing in Kubernetes 101

Have you ever wondered who created particular changes in your cluster, when they created it or what resources were modified? All of such information about “what sequence of events lead to this scenario” can be obtained using the powerful audit logging feature. In this talk, we will first go over what audit logs are and how to leverage them to stay informed with what goes on in your cluster. Keeping both performance impact and accountability in mind, we will then walk through examples of policy configurations to enforce best security practices, detect misuse and make your cluster more compliant. We’ll also do a demo of setting up auditing on a cluster and inspecting the logs. Finally, we will see what future improvements are planned for this feature and how you can provide feedback and get involved.

Avatar for Nikhita Raghunath

Nikhita Raghunath

February 17, 2020
Tweet

More Decks by Nikhita Raghunath

See All by Nikhita Raghunath
Open Infra Days Asia - Auditing in Kubernetes 101
Avatar for Nikhita Raghunath nikhita
0
34
Getting started as an Open Source Contributor
Avatar for Nikhita Raghunath nikhita
0
140
Getting started with the Kubernetes Community - KubeCon Keynote
Avatar for Nikhita Raghunath nikhita
1
130
How to Contribute to Kuberntes - Kubernetes Days India
Avatar for Nikhita Raghunath nikhita
2
230
Extending the Kubernetes API 101
Avatar for Nikhita Raghunath nikhita
3
490
Extending the Kubernetes API
Avatar for Nikhita Raghunath nikhita
2
510
The Story Of $GOPATH
Avatar for Nikhita Raghunath nikhita
4
590

Other Decks in Programming

See All in Programming
個人開発の学生アプリが企業譲渡されるまで
Avatar for akidon0000 akidon0000
2
1.2k
リアーキテクチャの現場で向き合う 既存サービスの読み解きと設計判断
Avatar for ymiyamu ymiyamu
0
130
エンジニア向けCursor勉強会 @ SmartHR
Avatar for Yuki Horikoshi yukisnow1823
3
13k
開発者フレンドリーで顧客も満足?Platformの秘密
Avatar for ALGO ARTIS algoartis
0
230
Golangci-lint v2爆誕: 君たちはどうすべきか
Avatar for logica / Takuto Nagami logica0419
1
270
ビカム・ア・コパイロット
Avatar for Kento.Yamada ymd65536
1
150
Носок на сок
Avatar for Bo0oM bo0om
0
1.3k
Boost Your Performance and Developer Productivity with Jakarta EE 11
Avatar for ivargrimstad ivargrimstad
0
930
Flutterでllama.cppをつかってローカルLLMを試してみた
Avatar for sakuraidayo sakuraidayo
0
150
カオスに立ち向かう小規模チームの装備の選択〜フルスタックTSという装備の強み _ 弱み〜/Choosing equipment for a small team facing chaos ~ Strengths and weaknesses of full-stack TS~
Avatar for 株式会社ビットキー / Bitkey Inc. bitkey
1
150
音声プラットフォームのアーキテクチャ変遷から学ぶ、クラウドネイティブなバッチ処理 (20250422_CNDS2025_Batch_Architecture)
Avatar for Koki Senda thousanda
0
430
Cursor/Devin全社導入の理想と現実
Avatar for Ryoichi Saito saitoryc
29
22k

Featured

See All Featured
The Success of Rails: Ensuring Growth for the Next 100 Years
Avatar for Eileen M. Uchitelle eileencodes
45
7.2k
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1031
460k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
5
570
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
13
850
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
PRO
19
1.2k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
32
2.3k
Intergalactic Javascript Robots from Outer Space
Avatar for Vicent Martí tanoku
271
27k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
179
53k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
280
13k
Into the Great Unknown - MozCon
Avatar for Noah Learner thekraken
38
1.8k
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
298
20k
Done Done
Avatar for chrislema chrislema
184
16k

Transcript

  1. Nikhita Raghunath Loodse Auditing in Kubernetes 101

  2. WHO AM I • Software Engineer at Loodse • Member

    of the Kubernetes Steering Committee • Technical Lead for SIG Contributor Experience • CNCF Ambassador Github - nikhita Twitter - TheNikhita

  3. SECRET CONTAINING PASSWORD IN YOUR CLUSTER

  4. SECRET CONTAINING PASSWORD IN YOUR CLUSTER SECRET GOT UPDATED TO

    MYSTERIOUS VALUE

  5. SECRET CONTAINING PASSWORD IN YOUR CLUSTER SECRET GOT UPDATED TO

    MYSTERIOUS VALUE LOGS

  6. Logs from the Pod @TheNikhita

  7. Logs from the Pod @TheNikhita

  8. Logs from the Pod Events @TheNikhita

  9. Logs from the Pod Events @TheNikhita

  10. Logs from the Pod Events Apiserver Logs @TheNikhita

  11. Logs from the Pod Events Apiserver Logs @TheNikhita

  12. AUDIT LOGS!

  13. { "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "7684b057-7e2d-4188-a6ae-8fc51afd0c9d", "stage":

    "ResponseComplete", "requestURI": "/api/v1/namespaces/default/secrets", "verb": "create", "user": { "username": "minikube-user", "groups": [ "system:masters", "system:authenticated" ] }, "sourceIPs": [ "X.Y.Z.1" ], "objectRef": { "resource": "secrets", "namespace": "default", "name": "mysecret", "apiVersion": "v1" }, "responseStatus": { "metadata": {}, "code": 201 }, "requestReceivedTimestamp": "2020-02-12T18:06:04.577792Z", "stageTimestamp": "2020-02-12T18:06:04.584173Z", } AUDIT EVENTS @TheNikhita

  14. WHAT HAPPENED "verb": "create", @TheNikhita

  15. ON WHAT DID IT HAPPEN "objectRef": { "resource": "secrets", "namespace":

    "default", "name": "mysecret", "apiVersion": "v1" }, @TheNikhita

  16. WHEN DID IT HAPPEN "requestReceivedTimestamp": "2020-02-12T18:06:04.577792Z", "stageTimestamp": "2020-02-12T18:06:04.584173Z", @TheNikhita

  17. WHO DID IT "user": { "username": "minikube-user", "groups": [ "system:masters",

    "system:authenticated" ] }, @TheNikhita

  18. WHERE WAS IT INITIATED "sourceIPs": [ "1.2.3.4" ], @TheNikhita

  19. THAT’S A LOT OF LOGS!

  20. LET’S CONTROL THE VERBOSITY

  21. LET’S CONTROL THE VERBOSITY WHAT TO LOG WHEN TO LOG

  22. LET’S CONTROL THE VERBOSITY WHAT TO LOG WHEN TO LOG

    YAML

  23. AUDIT POLICY apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: Metadata

    omitStages: - RequestReceived resources: - group: "" resources: - secrets @TheNikhita

  24. AUDIT POLICY apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: Metadata

    omitStages: - RequestReceived resources: - group: "" resources: - secrets @TheNikhita

  25. AUDIT POLICY apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: Metadata

    omitStages: - RequestReceived resources: - group: "" resources: - secrets @TheNikhita

  26. AUDIT POLICY apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: Metadata

    omitStages: - RequestReceived resources: - group: "" resources: - secrets @TheNikhita

  27. WHEN TO LOG 1. RequestReceived - Audit handler receives request

    @TheNikhita

  28. WHEN TO LOG 1. RequestReceived - Audit handler receives request

    2. ResponseStarted - For long running requests @TheNikhita

  29. WHEN TO LOG 1. RequestReceived - Audit handler receives request

    2. ResponseStarted - For long running requests 3. ResponseComplete - Response body completed @TheNikhita

  30. WHEN TO LOG 1. RequestReceived - Audit handler receives request

    2. ResponseStarted - For long running requests 3. ResponseComplete - Response body completed 4. Panic - Event generated when panic occurs @TheNikhita

  31. RequestReceived ResponseComplete Response ResponseStarted Panic Request Response Kube APIserver

  32. Request Kube APIserver

  33. RequestReceived Request Kube APIserver

  34. RequestReceived Response Request Kube APIserver

  35. RequestReceived Response Panic Request Kube APIserver

  36. RequestReceived Response ResponseStarted Request Kube APIserver

  37. RequestReceived ResponseComplete Response ResponseStarted Request Kube APIserver

  38. RequestReceived ResponseComplete Response ResponseStarted Request Response Kube APIserver

  39. RequestReceived ResponseComplete Response ResponseStarted Panic Request Response Kube APIserver

  40. WHAT TO LOG apiVersion: audit.k8s.io/v1 kind: Policy rules: - level:

    Metadata omitStages: - RequestReceived resources: - group: "" resources: - secrets GROUP/VERSION RESOURCE VERBS @TheNikhita

  41. WHAT TO LOG apiVersion: audit.k8s.io/v1 kind: Policy rules: - level:

    Metadata omitStages: - RequestReceived resources: - group: "" resources: - secrets @TheNikhita

  42. LEVELS 1. None - don’t log these requests @TheNikhita

  43. LEVELS 1. None - don’t log these requests 2. Metadata

    - only request metadata @TheNikhita

  44. LEVELS 1. None - don’t log these requests 2. Metadata

    - only request metadata 3. Request - ,, + request body @TheNikhita

  45. LEVELS 1. None - don’t log these requests 2. Metadata

    - only request metadata 3. Request - ,, + request body 4. RequestResponse - ,, + response body @TheNikhita

  46. RECOMMENDATIONS FOR WRITING POLICIES

  47. - level: Metadata resources: - group: "" resources: - secrets

    - configmaps - group: authentication.k8s.io resources: - tokenreviews Only log at Metadata level for sensitive resources @TheNikhita

  48. - level: None nonResourceURLs: - '/healthz*' - /version - '/swagger*'

    Don’t log read-only URLs @TheNikhita

  49. Log at RequestResponse level for critical resources Log at atleast

    Metadata level for all resources @TheNikhita

  50. rules: - level: RequestResponse resources: - group: "" resources: ["pods"]

    - level: Metadata resources: - group: "" resources: ["pods/log", "pods/status"] @TheNikhita

  51. rules: - level: RequestResponse resources: - group: "" resources: ["pods"]

    - level: Metadata resources: - group: "" resources: ["pods/log", "pods/status"] Evaluated in top-down order @TheNikhita

  52. rules: - level: RequestResponse resources: - group: "" resources: ["pods"]

    - level: Metadata resources: - group: "" resources: ["pods/log", "pods/status"] Status calls can be large and high-volume @TheNikhita

  53. More examples at https://github.com/kubernetes/kubernetes/blob/master/cl uster/gce/gci/configure-helper.sh @TheNikhita

  54. WHERE DO THESE LOGS GO

  55. BACKEND LOG WEBHOOK @TheNikhita

  56. BACKEND LOG WEBHOOK • Writes events to disk • Sends

    events to external API @TheNikhita

  57. BACKEND LOG WEBHOOK • Writes events to disk • --audit-log-path

    • Sends events to external API • --audit-webhook-config-file @TheNikhita

  58. BACKEND LOG WEBHOOK • Writes events to disk • --audit-log-path

    • Sends events to external API • --audit-webhook-config-file --audit-policy-file @TheNikhita

  59. HOW ARE THESE LOGS SENT TO THE BACKEND

  60. BATCHING BATCH BLOCKING BLOCKING-STRICT @TheNikhita

  61. BATCHING BATCH BLOCKING BLOCKING-STRICT Buffers events & processes in batches

    Blocks APIserver responses to process individual events Failure at RequestReceived stage leads to failure of whole call @TheNikhita

  62. BATCHING BATCH BLOCKING BLOCKING-STRICT --audit-webhook-mode --audit-log-mode @TheNikhita

  63. BATCHING BATCH BLOCKING BLOCKING-STRICT --audit-webhook-mode --audit-log-mode @TheNikhita

  64. UPDATING AUDIT POLICY

  65. UPDATING AUDIT POLICY RESTART OF APISERVER

  66. UPDATING AUDIT POLICY RESTART OF APISERVER

  67. UPDATING AUDIT POLICY

  68. UPDATING AUDIT POLICY UPDATING A K8S RESOURCE

  69. UPDATING AUDIT POLICY UPDATING A K8S RESOURCE

  70. DYNAMIC AUDIT CONFIGURATION --audit-dynamic-configuration --feature-gates=DynamicAuditing=true --runtime-config=auditregistration.k8s.io/v1alpha1=true @TheNikhita

  71. DYNAMIC AUDIT CONFIGURATION apiVersion: auditregistration.k8s.io/v1alpha1 kind: AuditSink metadata: name: mysink

    spec: policy: level: Metadata stages: - ResponseComplete webhook: throttle: qps: 10 burst: 15 clientConfig: url: "https://audit.app" @TheNikhita

  72. DYNAMIC AUDIT CONFIGURATION apiVersion: auditregistration.k8s.io/v1alpha1 kind: AuditSink metadata: name: mysink

    spec: policy: level: Metadata stages: - ResponseComplete webhook: throttle: qps: 10 burst: 15 clientConfig: url: "https://audit.app" @TheNikhita

  73. DYNAMIC AUDIT CONFIGURATION apiVersion: auditregistration.k8s.io/v1alpha1 kind: AuditSink metadata: name: mysink

    spec: policy: level: Metadata stages: - ResponseComplete webhook: throttle: qps: 10 burst: 15 clientConfig: url: "https://audit.app" @TheNikhita

  74. DYNAMIC AUDIT CONFIGURATION apiVersion: auditregistration.k8s.io/v1alpha1 kind: AuditSink metadata: name: mysink

    spec: policy: level: Metadata stages: - ResponseComplete webhook: throttle: qps: 10 burst: 15 clientConfig: url: "https://audit.app" @TheNikhita

  75. SECURITY PERFORMANCE @TheNikhita

  76. SECURITY PERFORMANCE Write access to feature = Read access to

    all cluster data cluster-admin level privilege @TheNikhita

  77. SECURITY PERFORMANCE Write access to feature = Read access to

    all cluster data cluster-admin level privilege Increase in CPU/Memory Usage Don’t use too many sinks @TheNikhita

  78. KEP https://github.com/kubernetes/enhancements/pull/1259 #sig-auth slack channel on k8s slack @TheNikhita

  79. None

  80. LOG COLLECTOR PATTERNS

  81. LOG COLLECTOR PATTERNS Audit Log File + Fluentd @TheNikhita

  82. LOG COLLECTOR PATTERNS Audit Webhook File + Logstash @TheNikhita

  83. LOG COLLECTOR PATTERNS Audit Webhook File + Falco @TheNikhita

  84. HOW ARE AUDIT LOGS HELPFUL

  85. UNDERSTANDING K8S INTERNALS Analysing system calls show how different components

    interact @TheNikhita

  86. DETECTING MISCONFIGURATIONS “Who deleted this resource?” @TheNikhita

  87. TROUBLESHOOTING ISSUES Analysing calls which trigger HTTP errors @TheNikhita

  88. PERFORMANCE ISSUES “Which app is generating lots of calls” @TheNikhita

  89. CONCLUSION • Audit logs can give us a lot of

    information of what goes on in our cluster • To control what should be logged, we write audit policies • Recommendations for writing audit policies • Different audit backends • Batching methods • Dynamic Audit Configuration • Log Collector Patterns

  90. THANK YOU