
CKS Question #10: Real Exam Question with Answer & Explanation

This CKS/CKA simulation question tests your ability to configure Kubernetes API server audit logging - both the kube-apiserver flags that control log rotation/retention and the audit policy YAML that defines what events get logged at which verbosity level.

Submitted by minji_kr · May 4, 2026 · Monitoring, Logging, and Runtime Security

Question

Question 5 (SIMULATION). Enable audit logs in the cluster. To do so, enable the log backend, and ensure that:

1. logs are stored at /var/log/kubernetes-logs.txt;
2. log files are retained for 12 days;
3. at most 8 audit log files are retained;
4. the maximum size before a log file is rotated is 200MB.

Edit and extend the basic policy to log:

1. namespaces changes at RequestResponse;
2. the request body of secrets changes in the namespace kube-system;
3. all other resources in core and extensions at the Request level;
4. "pods/portforward" and "services/proxy" at the Metadata level;
5. omit the Stage RequestReceived.

All other requests at the Metadata level.

Explanation

Approach.

Step 1 - Edit /etc/kubernetes/manifests/kube-apiserver.yaml and add the audit log flags:
--audit-log-path=/var/log/kubernetes-logs.txt
--audit-log-maxage=12 (days)
--audit-log-maxbackup=8 (files)
--audit-log-maxsize=200 (MB)
plus --audit-policy-file=<path-to-policy>.

Step 2 - Edit (or create) the audit policy file with omitStages: [RequestReceived] at the top level, then add rules in order of specificity (first match wins):
(1) level: RequestResponse for resource namespaces;
(2) level: Request for secrets scoped to namespace kube-system;
(3) level: Metadata for subresources pods/portforward and services/proxy;
(4) level: Request for all resources in group '' (core) and extensions;
(5) a final catch-all level: Metadata rule.

Rule ordering is critical: Kubernetes evaluates rules top-down and applies the first match, so the most specific rules must appear before broader ones. After saving both files, kubelet automatically restarts the API server (it runs as a static pod); verify with crictl ps or kubectl get nodes.

Concept tested. Kubernetes Audit Logging - configuring kube-apiserver audit flags (log path, maxage, maxbackup, maxsize) and authoring a multi-rule audit Policy manifest with correct log levels (None / Metadata / Request / RequestResponse), stage omission (omitStages), namespace scoping, and subresource targeting, with awareness that policy rules are evaluated in declaration order.
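As an added example (mine, not the page's or Kubernetes' own code), the five rules above expressed as a small Python model of the API server's first-match policy evaluation, run against constructed sample requests; the matcher covers only the group, resource/subresource and namespace selectors these rules use.

```python
# Added example (not Kubernetes code): a model of kube-apiserver's top-down,
# first-match audit Policy evaluation; matcher covers group/resource/namespace only.
POLICY = {
    "omitStages": ["RequestReceived"],
    "rules": [
        # 1. namespace changes at RequestResponse (cluster-scoped, so no namespaces key)
        {"level": "RequestResponse",
         "resources": [{"group": "", "resources": ["namespaces"]}]},
        # 2. request body of Secret changes, scoped to kube-system
        {"level": "Request", "namespaces": ["kube-system"],
         "resources": [{"group": "", "resources": ["secrets"]}]},
        # 3. streaming subresources at Metadata; must sit above the broad core rule
        {"level": "Metadata",
         "resources": [{"group": "", "resources": ["pods/portforward", "services/proxy"]}]},
        # 4. everything else in core ("") and extensions at Request (no list = whole group)
        {"level": "Request", "resources": [{"group": ""}, {"group": "extensions"}]},
        # 5. catch-all: every other request at Metadata
        {"level": "Metadata"},
    ],
}

def _resource_matches(spec, group, resource):
    """'pods' matches only pods; 'pods/portforward' one subresource; 'pods/*', '*/log' wildcards."""
    if spec.get("group", "") != group:
        return False
    names = spec.get("resources") or []
    base, _, sub = resource.partition("/")
    return not names or any(
        n in ("*", resource) or (sub and n in (base + "/*", "*/" + sub)) for n in names)

def _rule_matches(rule, req):
    # No namespaces key means any namespace; no resources key means any resource.
    if rule.get("namespaces") and req["namespace"] not in rule["namespaces"]:
        return False
    specs = rule.get("resources")
    return not specs or any(_resource_matches(s, req["group"], req["resource"]) for s in specs)

def audit_level(policy, req, stage="ResponseComplete"):
    """Level assigned by the first matching rule, or None when nothing is logged."""
    if stage in policy.get("omitStages", []):
        return None
    for rule in policy["rules"]:
        if _rule_matches(rule, req):
            return None if stage in rule.get("omitStages", []) else rule["level"]
    return None

def request(group, resource, namespace=""):  # constructed request attributes
    return {"group": group, "resource": resource, "namespace": namespace}
```

Checking a Secret outside kube-system shows that rule 4 already logs every core resource, Secrets included, at Request level, so Secret request bodies from all namespaces land in the log file and its permissions need to be restrictive. In a real cluster the policy file and the log path must also be mounted into the kube-apiserver static pod as hostPath volumes, or the container can neither read the policy nor write the log.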

Reference. https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ - 'Audit | Kubernetes' (official docs covering Policy API, log backend flags, and rule precedence)

Topics: Kubernetes Audit Logs, API Server Configuration, Log Retention, Audit Policy
