Azure Kubernetes Service Security Deep Dive – Part 3 (Audit Logs)

Published Jan 25 2022 05:54 AM 1,479 Views
Microsoft

Any activity to your Kubernetes cluster is handled as API request. So, when you create a new pod, changes container image of your deployment or read information from a configmap or secret, you basically generate requests to the Kubernetes API. We can ask Kubernetes to record all these requests and related data and metadata in log repository called Audit Logs. Each event at its different stages of execution generates event record and can be stored in audit logs based on some pre-defined policies. Please read this article on auditing carefully to understand the defined stages and defined audit levels. Remember, turning on audit logs means increase in memory consumption as well as storage consumption.

 

As you can see in the above-mentioned article, for a regular Kubernetes cluster, you can create your custom policy file by defining various stages and audit levels and then edit the kube-apiserver manifest file to include this policy file and the log path. But in case of AKS, as it is a managed Kubernetes service, you cannot access your master nodes and hence you are not allowed to create/implement your custom policy file. But you can configure your AKS cluster to send logs to a Log Analytics workspace or other destinations like a storage account or event hub. Enabling Audit Logs for your AKS cluster is also a recommendation from CIS Benchmark document for AKS. You can get detailed steps in this document. I am repeating those steps here for reader’s benefit. Assuming you are using Azure Portal:

 

  1. Select the resource group for your AKS cluster, such as myResourceGroup. Don't select the resource group that contains your individual AKS cluster resources, such as MC_myResourceGroup_myAKSCluster_eastus.
  2. On the left-hand side, choose Diagnostic settings.
  3. Select your AKS cluster, such as myAKSCluster, then choose to Add diagnostic setting.
  4. Enter a name, such as myAKSClusterLogs, then select the option to Send to Log Analytics.
  5. Select an existing workspace or create a new one. If you create a workspace, provide a workspace name, a resource group, and a location.
  6. In the list of available logs, select the logs you wish to enable. For this example, enable the kube-audit and kube-audit-admin logs. Common logs include the kube-apiserver, kube-controller-manager, and kube-scheduler. You can return and change the collected logs once Log Analytics workspaces are enabled.
  7. When ready, select Save to enable collection of the selected logs.  

Assuming you did all steps given above, you are now ready to view some logs from control plane from your AKS cluster. Here is one such example of how to do it:

pranabpaul_0-1639377227611.png

 

The output will look like this:

pranabpaul_1-1639377299667.png

 

Or, you can run Kusto queries as given in this article.

pranabpaul_2-1639377407444.png

That’s pretty much it. You now know how to configure Audit Logs to your AKS Cluster. We will talk about Network Policy in the next part of this series.

 

Other parts of these series:  Part1 | Part2 | Part4 | Part5

%3CLINGO-SUB%20id%3D%22lingo-sub-3036977%22%20slang%3D%22en-US%22%3EAzure%20Kubernetes%20Service%20Security%20Deep%20Dive%20%E2%80%93%20Part%203%20(Audit%20Logs)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3036977%22%20slang%3D%22en-US%22%3E%3CP%3EAny%20activity%20to%20your%20Kubernetes%20cluster%20is%20handled%20as%20API%20request.%20So%2C%20when%20you%20create%20a%20new%20pod%2C%20changes%20container%20image%20of%20your%20deployment%20or%20read%20information%20from%20a%20configmap%20or%20secret%2C%20you%20basically%20generate%20requests%20to%20the%20Kubernetes%20API.%20We%20can%20ask%20Kubernetes%20to%20record%20all%20these%20requests%20and%20related%20data%20and%20metadata%20in%20log%20repository%20called%20Audit%20Logs.%20Each%20event%20at%20its%20different%20stages%20of%20execution%20generates%20event%20record%20and%20can%20be%20stored%20in%20audit%20logs%20based%20on%20some%20pre-defined%20policies.%20Please%20read%20this%20%3CA%20title%3D%22Auditing%20in%20Kubernetes.io%22%20href%3D%22https%3A%2F%2Fkubernetes.io%2Fdocs%2Ftasks%2Fdebug-application-cluster%2Faudit%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Earticle%20on%20auditing%3C%2FA%3E%20carefully%20to%20understand%20the%20defined%20stages%20and%20defined%20audit%20levels.%20Remember%2C%20turning%20on%20audit%20logs%20means%20increase%20in%20memory%20consumption%20as%20well%20as%20storage%20consumption.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20you%20can%20see%20in%20the%20above-mentioned%20article%2C%20for%20a%20regular%20Kubernetes%20cluster%2C%20you%20can%20create%20your%20custom%20policy%20file%20by%20defining%20various%20stages%20and%20audit%20levels%20and%20then%20edit%20the%20kube-apiserver%20manifest%20file%20to%20include%20this%20policy%20file%20and%20the%20log%20path.%20But%20in%20case%20of%20AKS%2C%20as%20it%20is%20a%20managed%20Kubernetes%20service%2C%20you%20cannot%20access%20your%20master%20nodes%20and%20hence%20you%20are%20not%20allowed%20to%20create%2Fimplement%20your%20custom%20policy%20file.%20But%20you%20can%20configure%20your%20AKS%20cluster%20to%20send%20logs%20to%20a%20Log%20Analytics%20workspace%20or%20other%20destinations%20like%20a%20storage%20account%20or%20event%20hub.%20Enabling%20Audit%20Logs%20for%20your%20AKS%20cluster%20is%20also%20a%20recommendation%20from%20%3CA%20title%3D%22CIS%20Benchmark%20document%20for%20AKS%22%20href%3D%22https%3A%2F%2Fwww.cisecurity.org%2Fblog%2Fnew-release-cis-azure-kubernetes-service-aks-benchmark%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ECIS%20Benchmark%20document%20for%20AKS%3C%2FA%3E.%20You%20can%20get%20detailed%20steps%20in%20this%20document.%20I%20am%20repeating%20those%20steps%20here%20for%20reader%E2%80%99s%20benefit.%20Assuming%20you%20are%20using%20Azure%20Portal%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ESelect%20the%20resource%20group%20for%20your%20AKS%20cluster%2C%20such%20as%20myResourceGroup.%20Don't%20select%20the%20resource%20group%20that%20contains%20your%20individual%20AKS%20cluster%20resources%2C%20such%20as%20MC_myResourceGroup_myAKSCluster_eastus.%3C%2FLI%3E%0A%3CLI%3EOn%20the%20left-hand%20side%2C%20choose%20Diagnostic%20settings.%3C%2FLI%3E%0A%3CLI%3ESelect%20your%20AKS%20cluster%2C%20such%20as%20myAKSCluster%2C%20then%20choose%20to%20Add%20diagnostic%20setting.%3C%2FLI%3E%0A%3CLI%3EEnter%20a%20name%2C%20such%20as%20myAKSClusterLogs%2C%20then%20select%20the%20option%20to%20Send%20to%20Log%20Analytics.%3C%2FLI%3E%0A%3CLI%3ESelect%20an%20existing%20workspace%20or%20create%20a%20new%20one.%20If%20you%20create%20a%20workspace%2C%20provide%20a%20workspace%20name%2C%20a%20resource%20group%2C%20and%20a%20location.%3C%2FLI%3E%0A%3CLI%3EIn%20the%20list%20of%20available%20logs%2C%20select%20the%20logs%20you%20wish%20to%20enable.%20For%20this%20example%2C%20enable%20the%20kube-audit%20and%20kube-audit-admin%20logs.%20Common%20logs%20include%20the%20kube-apiserver%2C%20kube-controller-manager%2C%20and%20kube-scheduler.%20You%20can%20return%20and%20change%20the%20collected%20logs%20once%20Log%20Analytics%20workspaces%20are%20enabled.%3C%2FLI%3E%0A%3CLI%3EWhen%20ready%2C%20select%20Save%20to%20enable%20collection%20of%20the%20selected%20logs.%26nbsp%3B%26nbsp%3B%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EAssuming%20you%20did%20all%20steps%20given%20above%2C%20you%20are%20now%20ready%20to%20view%20some%20logs%20from%20control%20plane%20from%20your%20AKS%20cluster.%20Here%20is%20one%20such%20example%20of%20how%20to%20do%20it%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22pranabpaul_0-1639377227611.png%22%20style%3D%22width%3A%20641px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F333433i4F9F3F0AE5A4E1DA%2Fimage-dimensions%2F641x396%3Fv%3Dv2%22%20width%3D%22641%22%20height%3D%22396%22%20role%3D%22button%22%20title%3D%22pranabpaul_0-1639377227611.png%22%20alt%3D%22pranabpaul_0-1639377227611.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20output%20will%20look%20like%20this%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22pranabpaul_1-1639377299667.png%22%20style%3D%22width%3A%20693px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F333434iF7BA547E70D055CA%2Fimage-dimensions%2F693x272%3Fv%3Dv2%22%20width%3D%22693%22%20height%3D%22272%22%20role%3D%22button%22%20title%3D%22pranabpaul_1-1639377299667.png%22%20alt%3D%22pranabpaul_1-1639377299667.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOr%2C%20you%20can%20run%20Kusto%20queries%20as%20given%20in%20this%20%3CA%20title%3D%22Kusto%20Query%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fcontainers%2Fcontainer-insights-log-query%23resource-logs%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Earticle%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22pranabpaul_2-1639377407444.png%22%20style%3D%22width%3A%20805px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F333435i1C61BDF6A021F879%2Fimage-dimensions%2F805x294%3Fv%3Dv2%22%20width%3D%22805%22%20height%3D%22294%22%20role%3D%22button%22%20title%3D%22pranabpaul_2-1639377407444.png%22%20alt%3D%22pranabpaul_2-1639377407444.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CFONT%20size%3D%223%22%3EThat%E2%80%99s%20pretty%20much%20it.%20You%20now%20know%20how%20to%20configure%20Audit%20Logs%20to%20your%20AKS%20Cluster.%20We%20will%20talk%20about%20Network%20Policy%20in%20the%20next%20part%20of%20this%20series.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%3EOther%20parts%20of%20these%20series%3A%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CA%20title%3D%22Part1%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-architecture-blog%2Fazure-kubernetes-service-security-deep-dive-part-1-cis-benchmark%2Fba-p%2F3002525%22%20target%3D%22_blank%22%3EPart1%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%7C%26nbsp%3B%3CA%20title%3D%22Part2%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-architecture-blog%2Fazure-kubernetes-service-security-deep-dive-part-2-apparmor-and%2Fba-p%2F3013977%22%20target%3D%22_blank%22%3EPart2%3C%2FA%3E%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CA%20title%3D%22Part4%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-architecture-blog%2Fazure-kubernetes-service-security-deep-dive-part-4-network%2Fba-p%2F3037014%22%20target%3D%22_blank%22%3EPart4%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CA%20title%3D%22Part5%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-architecture-blog%2Fazure-kubernetes-service-security-deep-dive-part-5-securing%2Fba-p%2F3053769%22%20target%3D%22_blank%22%3EPart5%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-3036977%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22logo.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F333436i4873D150AA4BF186%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22logo.png%22%20alt%3D%22logo.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EConfigure%20audit%20logs%20in%20your%20Azure%20Kubernetes%20Service%20(AKS)%20cluster%20to%20identify%20security%20breaches%2C%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Co-Authors
Version history
Last update:
‎Jan 07 2022 09:18 AM
Updated by: