5. Securing Kube-APIServer: Audit


Audit-log

* --audit-log-maxage Recommended: minimum 30 (days to retain rotated audit log files)

* --audit-log-maxbackup Recommended: minimum 10 (rotated audit log files to retain)

* --audit-log-maxsize Recommended: 100 (MB a log file may reach before it is rotated), or whatever your retention needs dictate

* --audit-policy-file=/etc/kubernetes/simple-policy.yaml

This declares where, inside the container, the policy file is located. kube-apiserver runs as a static pod, so a file on the host only becomes visible to it if you also add a hostPath volume and a matching volumeMount to the container (mounting the policy read-only is sufficient).

* --audit-log-path Example value: /var/log/apiserver/audit.log

This declares where the logs are written inside the container. It also needs a volume and a volumeMount; without them the log stays in the container's writable layer and disappears when the pod is recreated.
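As an added example (not code from the original post, and not part of Kubernetes), the following Python checks a parsed kube-apiserver static pod manifest for exactly the points above: the three rotation flags meet the recommended minimums, and the paths given to --audit-policy-file and --audit-log-path are actually covered by a volumeMount that has a matching volume, with the policy mounted read-only. The two manifests are constructed here in the dict form PyYAML would return; in practice you would load /etc/kubernetes/manifests/kube-apiserver.yaml and pass the result in. The manifest paths and volume names are illustrative.

```python
import copy
from typing import Dict, List

# Minimums for the rotation flags (the CIS Kubernetes Benchmark values quoted above).
MINIMUMS = {"--audit-log-maxage": 30, "--audit-log-maxbackup": 10, "--audit-log-maxsize": 100}
# Flags whose values are paths inside the container and therefore need a volumeMount.
PATH_FLAGS = ("--audit-policy-file", "--audit-log-path")


def parse_flags(command: List[str]) -> Dict[str, str]:
    """Turn ["kube-apiserver", "--a=1", "--b"] into {"--a": "1", "--b": ""}."""
    flags: Dict[str, str] = {}
    for arg in command[1:]:
        if arg.startswith("--"):
            key, _, value = arg.partition("=")
            flags[key] = value
    return flags


def mount_covering(path: str, mounts: List[Dict]) -> Dict:
    """The most specific volumeMount whose mountPath is `path` or one of its parents ({} if none)."""
    best, best_len = {}, -1
    for mount in mounts:
        mount_path = mount["mountPath"].rstrip("/")
        if (path == mount_path or path.startswith(mount_path + "/")) and len(mount_path) > best_len:
            best, best_len = mount, len(mount_path)
    return best


def check_audit_config(manifest: Dict) -> List[str]:
    """Findings for the kube-apiserver container of a static pod manifest; [] means all checks pass."""
    spec = manifest["spec"]
    container = next(c for c in spec["containers"] if c["name"] == "kube-apiserver")
    flags = parse_flags(container["command"])
    volumes = {v["name"] for v in spec.get("volumes", [])}
    findings: List[str] = []

    for flag, minimum in MINIMUMS.items():
        if flag not in flags:
            findings.append(f"{flag} is not set")
        elif int(flags[flag] or 0) < minimum:
            findings.append(f"{flag}={flags[flag]} is below the recommended minimum of {minimum}")

    for flag in PATH_FLAGS:
        path = flags.get(flag)
        if not path:
            findings.append(f"{flag} is not set")
            continue
        mount = mount_covering(path, container.get("volumeMounts", []))
        if not mount:
            findings.append(f"{flag}={path} is not under any volumeMount, so it exists only inside the container")
            continue
        if mount["name"] not in volumes:
            findings.append(f"volumeMount {mount['name']!r} has no matching entry in spec.volumes")
        if flag == "--audit-policy-file" and not mount.get("readOnly", False):
            findings.append("--audit-policy-file is mounted read-write; mount the policy readOnly")
    return findings


# Constructed manifest in the form PyYAML returns for /etc/kubernetes/manifests/kube-apiserver.yaml
# (kubeadm layout, reduced to the audit-related parts; the real file has many more flags and mounts).
HARDENED = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
    "spec": {
        "containers": [{
            "name": "kube-apiserver",
            "command": ["kube-apiserver",
                        "--audit-log-maxage=30", "--audit-log-maxbackup=10", "--audit-log-maxsize=100",
                        "--audit-policy-file=/etc/kubernetes/simple-policy.yaml",
                        "--audit-log-path=/var/log/apiserver/audit.log"],
            "volumeMounts": [
                {"name": "audit-policy", "mountPath": "/etc/kubernetes/simple-policy.yaml", "readOnly": True},
                {"name": "audit-log", "mountPath": "/var/log/apiserver"},
            ],
        }],
        "volumes": [
            {"name": "audit-policy", "hostPath": {"path": "/etc/kubernetes/simple-policy.yaml", "type": "File"}},
            {"name": "audit-log", "hostPath": {"path": "/var/log/apiserver", "type": "DirectoryOrCreate"}},
        ],
    },
}

# The same manifest with typical mistakes: maxage below 30, maxbackup missing, the policy
# mounted read-write, and a log path that no volumeMount covers (the logs vanish with the pod).
WEAK = copy.deepcopy(HARDENED)
WEAK["spec"]["containers"][0]["command"] = [
    "kube-apiserver", "--audit-log-maxage=7", "--audit-log-maxsize=100",
    "--audit-policy-file=/etc/kubernetes/simple-policy.yaml",
    "--audit-log-path=/var/log/kubernetes/audit.log",
]
WEAK["spec"]["containers"][0]["volumeMounts"][0]["readOnly"] = False

if __name__ == "__main__":
    for label, manifest in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, check_audit_config(manifest) or "OK")
```

The mount check is the one people forget: a path that kube-apiserver happily writes to but that no hostPath backs is indistinguishable from a working setup until the pod restarts and the audit trail is gone.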

Audit-process

If auditing is enabled, every request to the API server passes through the audit pipeline and is matched against the policy, even a request that the policy then filters out (level None means nothing is written for it, but the evaluation still happens).

4 Stages

1. Call is received: RequestReceived (generated as soon as the audit handler gets the request, before it is passed down the handler chain)

2. Handling the call: ResponseStarted (generated once the response headers are sent but before the body; only for long-running requests such as watch)

3. Response is sent: ResponseComplete (generated once the response body is complete)

4. Panic (generated when a panic occurs while handling the request)

Each event is matched against the policy rules, and the first matching rule sets the audit level of the event:

- None: do not log events that match this rule

- Metadata: log request metadata (requesting user, timestamp, resource, verb, response code) but neither the request nor the response body

- Request: log metadata and the request body, but not the response body (not applicable to non-resource requests)

- RequestResponse: log metadata plus the request and response bodies (not applicable to non-resource requests)

Sample policy files

Note: resources are always written in the plural in policy files (pods, not pod), exactly as they appear in the API path.

1. Metadata for everything, keeping every stage only for pods/log and pods/status

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
# Requests for the pods/log and pods/status subresources: Metadata at every stage
- level: Metadata
  resources:
  - group: ""
    resources: ["pods/log", "pods/status"]
# Everything else: Metadata, but drop the RequestReceived event so each request
# produces a single ResponseComplete line instead of two
- level: Metadata
  omitStages:
  - "RequestReceived"

2. Monitor events for a specific pod

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: RequestResponse
    resources:
    - group: "" # API group only; the version (v1) must NOT be included
      resources: ["pods"]
      resourceNames: ["sp1"] # belongs under the group entry next to resources, not at rule level
  # No other rule follows, so every other request falls through to level None and is not logged

3. Monitor all requests and responses from kubectl on a minikube setup

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: RequestResponse
    users: ["minikube-user"] # the CN of the client certificate minikube generates for kubectl
    # The response body is only present on the ResponseComplete event, so that stage must be
    # kept; dropping RequestReceived avoids a second copy of each request instead.
    omitStages: ["RequestReceived"]

Format for rule

  - level: RequestResponse
    users: ["system:kube-proxy"]
    userGroups: ["system:authenticated"]
    namespaces: ["kube-system"]
    verbs: ["watch"]
    resources:
    - group: "" # API group only; the version must NOT be included
      resources: ["pods"]
      resourceNames: ["controller-leader"] # scoped to the group entry, not the rule

Every selector present in a rule must match for the rule to apply (they are ANDed); a selector that is left out matches anything. The first matching rule sets the audit level of the event, and a request that matches no rule gets level None. omitStages can be given per rule or once at the top level of the Policy, where it applies to every rule (the two lists are unioned). For endpoints that are not resources, such as /healthz or /metrics, a rule uses nonResourceURLs instead of resources; it cannot have both.
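To make the matching semantics concrete, here is an added Python example (not from the original post, and not Kubernetes' own code) that re-implements the policy evaluation described above: the first matching rule wins, an unmatched request gets level None, per-rule omitStages is unioned with the policy-level omitStages, and resourceNames lives under the group entry. It is a simplified port of the API server's checker: it handles the "*", "resource/*" and "*/subresource" wildcards but not nonResourceURLs. The policy (sample 2 plus the "format for rule" entry and a catch-all) and the requests are constructed for the example, and the policy is written as the dict form of the YAML so no YAML library is needed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Request:
    """Attributes of one API request, as the audit policy checker sees them."""
    user: str
    groups: List[str]
    verb: str
    resource: str            # plural form, e.g. "pods"
    group: str = ""          # API group only; "" is the core group (never "v1")
    subresource: str = ""    # "log" for pods/log
    name: str = ""           # object name, matched by resourceNames
    namespace: str = ""      # "" means cluster-scoped


def _group_resources_match(gr: Dict, req: Request) -> bool:
    """One entry of a rule's `resources:` list (group + resources + resourceNames)."""
    if gr.get("group", "") != req.group:
        return False
    wanted = gr.get("resources", [])
    if not wanted:                       # no resources listed: the whole group matches
        return True
    names = gr.get("resourceNames", [])
    if names and req.name not in names:  # resourceNames narrows the match to specific objects
        return False
    combined = req.resource + ("/" + req.subresource if req.subresource else "")
    for res in wanted:
        if res in ("*", combined):       # "pods" matches pods, but NOT pods/log
            return True
        if res.endswith("/*") and res[:-2] == req.resource:                         # "pods/*"
            return True
        if req.subresource and res.startswith("*/") and res[2:] == req.subresource:  # "*/log"
            return True
    return False


def rule_matches(rule: Dict, req: Request) -> bool:
    """Every selector present in the rule must match (AND); an absent selector matches anything."""
    if rule.get("users") and req.user not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(req.groups):
        return False
    if rule.get("verbs") and req.verb not in rule["verbs"]:
        return False
    if rule.get("namespaces") and req.namespace not in rule["namespaces"]:
        return False
    if rule.get("resources") and not any(_group_resources_match(g, req) for g in rule["resources"]):
        return False
    return True


def evaluate(policy: Dict, req: Request) -> Tuple[str, Set[str]]:
    """First matching rule wins; no match at all means level None (nothing is written)."""
    for rule in policy.get("rules", []):
        if rule_matches(rule, req):
            return rule["level"], set(policy.get("omitStages", [])) | set(rule.get("omitStages", []))
    return "None", set(policy.get("omitStages", []))


def emitted_events(policy: Dict, req: Request, long_running: bool = False) -> List[Tuple[str, str]]:
    """(stage, level) pairs the API server would write for a request that completes normally."""
    level, omitted = evaluate(policy, req)
    if level == "None":
        return []
    stages = ["RequestReceived"] + (["ResponseStarted"] if long_running else []) + ["ResponseComplete"]
    return [(stage, level) for stage in stages if stage not in omitted]


# Constructed policy (dict form of the YAML): sample 2 from the page, then the "format for rule"
# entry, then a catch-all that logs everything else at Metadata without the RequestReceived copy.
POLICY = {
    "apiVersion": "audit.k8s.io/v1",
    "kind": "Policy",
    "omitStages": ["Panic"],                 # top-level: unioned into every rule's omitStages
    "rules": [
        {"level": "RequestResponse",
         "resources": [{"group": "", "resources": ["pods"], "resourceNames": ["sp1"]}]},
        {"level": "RequestResponse",
         "users": ["system:kube-proxy"], "userGroups": ["system:authenticated"],
         "namespaces": ["kube-system"], "verbs": ["watch"],
         "resources": [{"group": "", "resources": ["pods"], "resourceNames": ["controller-leader"]}]},
        {"level": "Metadata", "omitStages": ["RequestReceived"]},
    ],
}

if __name__ == "__main__":
    get_sp1 = Request("alice", ["system:authenticated"], "get", "pods", name="sp1", namespace="default")
    print(emitted_events(POLICY, get_sp1))
    # [('RequestReceived', 'RequestResponse'), ('ResponseComplete', 'RequestResponse')]
```

Two behaviours worth noticing when you run it: a rule for "pods" does not catch "pods/log" (the subresource needs its own entry or a "pods/*" wildcard), and the kube-proxy rule stops matching the moment the request leaves kube-system, at which point the catch-all decides what is logged.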

Audit backend

1. Log: writes each event as one JSON line to the file given by --audit-log-path, rotated according to the maxage/maxbackup/maxsize flags above.

2. Webhook: POSTs batches of events (a JSON EventList) to an external HTTP service, described by a kubeconfig file given with --audit-webhook-config-file. Both backends can be enabled at the same time.

Step 1. Create the file /etc/kubernetes/audit-webhook-kubeconfig on the control-plane (master) node. It uses the kubeconfig format: server is the URL the API server will POST events to, and the user entry is how the API server would authenticate itself to the receiver (empty here):

apiVersion: v1
kind: Config
clusters:
- cluster:
    server: http://10.0.2.15:7777
  name: falco
contexts:
- context:
    cluster: falco
    user: ""
  name: default-context
current-context: default-context
preferences: {}
users: []

Plain http with no credentials is fine for this netcat test, but audit events carry usernames, object names and, at Request/RequestResponse level, full object bodies (Secrets included). A real receiver should be reached over https, with a certificate-authority entry in the cluster section and a client certificate or token in a users entry so that the receiver can authenticate the API server.

2. Run netcat on the host 10.0.2.15 so that something listens on port 7777 and prints whatever arrives:
nc -l -p 7777

3. Update /etc/kubernetes/manifests/kube-apiserver.yaml on the control-plane node (it is a static pod manifest; the kubelet restarts kube-apiserver when the file changes).

* Add the line below to the kube-apiserver command
    - --audit-webhook-config-file=/etc/kubernetes/audit-webhook-kubeconfig
* Add a corresponding volume (hostPath pointing at the kubeconfig file)
* Add a corresponding volumeMount (read-only is sufficient)
Of course you still need the audit policy file (flag, volume and mount) from the Audit-log section above; without a policy nothing is logged. The --audit-log-path file backend is optional when the webhook is used, and the two can run side by side.

Now you can see the JSON EventList in the terminal where nc is running. Because nc never answers with an HTTP 2xx status, the API server treats the delivery as failed and retries it with backoff; for anything beyond a smoke test the receiver must return 2xx.
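The netcat terminal shows the raw batch but can never acknowledge it. As an added example, not part of the original post or of Kubernetes, here is a small Python receiver that does what the nc listener cannot: it parses the EventList the API server POSTs, reduces each event to the fields an operator actually watches (stage, user, verb, target, response code, authorization decision), flags requests that RBAC denied, and answers 200 so the batch is not redelivered. Point the server entry in the kubeconfig above at it instead of nc. The sample EventList is constructed for the example; the field names follow the audit.k8s.io/v1 Event type, with timestamps, sourceIPs, userAgent and object bodies left out for brevity.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List


def summarize(payload: bytes) -> List[Dict[str, str]]:
    """Reduce an audit.k8s.io/v1 EventList (one webhook POST body) to the fields worth alerting on."""
    body = json.loads(payload)
    if body.get("kind") != "EventList":
        raise ValueError(f"expected an EventList, got {body.get('kind')!r}")
    rows = []
    for event in body.get("items", []):
        ref = event.get("objectRef") or {}
        status = event.get("responseStatus") or {}      # absent at the RequestReceived stage
        rows.append({
            "stage": event["stage"],
            "level": event["level"],
            "user": event.get("user", {}).get("username", ""),
            "verb": event["verb"],
            "target": "/".join(p for p in (ref.get("namespace"), ref.get("resource"), ref.get("name")) if p),
            "code": str(status.get("code", "")),
            "decision": event.get("annotations", {}).get("authorization.k8s.io/decision", ""),
        })
    return rows


def forbidden(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Completed requests that RBAC denied: a cheap first detection rule over the stream."""
    return [r for r in rows if r["stage"] == "ResponseComplete" and r["decision"] == "forbid"]


class AuditHandler(BaseHTTPRequestHandler):
    """Stand-in for the netcat listener that actually acknowledges each batch."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            rows = summarize(self.rfile.read(length))
        except (ValueError, KeyError):
            self.send_response(400)   # malformed batch: reject it rather than pretend it was stored
            self.end_headers()
            return
        for row in rows:
            print(row)
        self.send_response(200)       # any 2xx tells the API server the batch was delivered
        self.end_headers()

    def log_message(self, *args):     # silence the default access log; stdout is for events only
        pass


# Constructed EventList, shaped like one webhook POST body: the same `kubectl get pod sp1` by
# minikube-user at both stages, then a secrets listing by a service account that RBAC denied.
_SP1 = {"resource": "pods", "namespace": "default", "name": "sp1", "apiVersion": "v1"}
_MINIKUBE_USER = {"username": "minikube-user", "groups": ["system:masters", "system:authenticated"]}
SAMPLE = json.dumps({
    "kind": "EventList", "apiVersion": "audit.k8s.io/v1", "metadata": {},
    "items": [
        {"level": "RequestResponse", "auditID": "7e9a1c2e-0000-4000-8000-000000000001",
         "stage": "RequestReceived", "requestURI": "/api/v1/namespaces/default/pods/sp1",
         "verb": "get", "user": _MINIKUBE_USER, "objectRef": _SP1},
        {"level": "RequestResponse", "auditID": "7e9a1c2e-0000-4000-8000-000000000001",
         "stage": "ResponseComplete", "requestURI": "/api/v1/namespaces/default/pods/sp1",
         "verb": "get", "user": _MINIKUBE_USER, "objectRef": _SP1,
         "responseStatus": {"metadata": {}, "code": 200},
         "annotations": {"authorization.k8s.io/decision": "allow"}},
        {"level": "Metadata", "auditID": "7e9a1c2e-0000-4000-8000-000000000002",
         "stage": "ResponseComplete", "requestURI": "/api/v1/namespaces/kube-system/secrets",
         "verb": "list",
         "user": {"username": "system:serviceaccount:default:default",
                  "groups": ["system:serviceaccounts", "system:authenticated"]},
         "objectRef": {"resource": "secrets", "namespace": "kube-system", "apiVersion": "v1"},
         "responseStatus": {"metadata": {}, "status": "Failure", "reason": "Forbidden", "code": 403},
         "annotations": {"authorization.k8s.io/decision": "forbid"}},
    ],
}).encode()

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
    print("denied:", forbidden(summarize(SAMPLE)))
    HTTPServer(("0.0.0.0", 7777), AuditHandler).serve_forever()  # replaces `nc -l -p 7777`
```

The two ResponseComplete events show why that stage matters: it is the only one carrying responseStatus and the authorization decision, so a policy that omits it (or a receiver that only looks at RequestReceived) cannot tell a denied secrets listing from a successful one.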
