CKS · Question #8
CKS Question #8: Real Exam Question with Answer & Explanation
Kubernetes Audit Logging - Simulation Walkthrough Overall Goal Kubernetes audit logging records every request made to the API server - who did what, when, and on which resource. This is critical for security compliance, forensic investigation, and regulatory requirements. The tas
Question
Question: 5 SIMULATION Enable audit logs in the cluster, To Do so, enable the log backend, and ensure that 1. logs are stored at /var/log/kubernetes-logs.txt. 2. Log files are retained for 12 days. 3. at maximum, a number of 8 old audit logs files are retained. 4. Set the maximum size before getting rotated to 200MB Edit and extend the basic policy to log: 1. namespaces changes at RequestResponse 2. Log the request body of secrets changes in the namespace kube-system. 3. Log all other resources in core and extensions at the Request level. 4. Log "pods/portforward", "services/proxy" at Metadata level. 5. Omit the Stage RequestReceived 6. All other requests at the Metadata level
Explanation
Kubernetes Audit Logging - Simulation Walkthrough
Overall Goal
Kubernetes audit logging records every request made to the API server - who did what, when, and on which resource. This is critical for security compliance, forensic investigation, and regulatory requirements. The task has two parts: configure the log backend (where/how logs are stored) and define the audit policy (what gets logged and at what verbosity).
Part 1: Log Backend Configuration
These are flags added to the kube-apiserver manifest (typically /etc/kubernetes/manifests/kube-apiserver.yaml).
- --audit-log-path=/var/log/kubernetes-logs.txt # requirement 1
- --audit-log-maxage=12 # requirement 2
- --audit-log-maxbackup=8 # requirement 3
- --audit-log-maxsize=200 # requirement 4
- --audit-policy-file=/etc/kubernetes/audit-policy.yaml
Why each flag matters:
| Flag | Value | Purpose |
|---|---|---|
--audit-log-path | /var/log/kubernetes-logs.txt | Enables the file log backend. Without this, audit logging is completely disabled. |
--audit-log-maxage | 12 | Retains log files for 12 days before deletion. Prevents unbounded disk growth. |
--audit-log-maxbackup | 8 | Keeps at most 8 rotated log files. Limits storage footprint. |
--audit-log-maxsize | 200 | Rotates the log file when it hits 200MB. Prevents single-file runaway growth. |
If --audit-log-path is omitted, no other audit flag matters - the backend is simply inactive. This is the most critical flag.
If --audit-policy-file is omitted, the apiserver will reject the request to enable auditing, or log nothing meaningful. Both flags must coexist.
Part 2: Audit Policy File
The policy file is evaluated top-to-bottom, first-match wins. Order is everything - more specific rules must come before broader ones.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
- "RequestReceived" # requirement 5 - omit noisy pre-processing stage
rules:
# Requirement 1: namespace changes at RequestResponse (most verbose)
- level: RequestResponse
resources:
- group: ""
resources: ["namespaces"]
# Requirement 2: secrets in kube-system - log request body only
- level: Request
resources:
- group: ""
resources: ["secrets"]
namespaces: ["kube-system"]
# Requirement 4: specific subresources at Metadata (before the broad core/extensions rule)
- level: Metadata
resources:
- group: ""
resources: ["pods/portforward", "services/proxy"]
# Requirement 3: all other core and extensions resources at Request level
- level: Request
resources:
- group: ""
- group: "extensions"
# Requirement 6: everything else at Metadata
- level: Metadata
Log Levels Explained
| Level | What is logged |
|---|---|
None | Nothing |
Metadata | HTTP metadata only (verb, user, resource, timestamp) - no body |
Request | Metadata + request body |
RequestResponse | Metadata + request body + response body |
Why Order Matters (Critical)
If you placed the broad Request rule for core/extensions before the secrets rule, secrets would match the broader rule first and never hit the more specific Request body rule for kube-system. Always go specific → broad.
The correct mental ordering:
- Global stage omissions (
omitStages) - Most specific resource + namespace combinations
- Specific subresources
- Broad group-level rules
- Catch-all
What Goes Wrong if Steps Are Skipped
| Skipped step | Consequence |
|---|---|
Forget --audit-log-path | Audit logging silently disabled |
| Wrong flag order in policy | More specific rules are shadowed; wrong verbosity logged |
Missing omitStages: RequestReceived | Log bloat - every request logs twice (received + processed) |
--audit-log-maxsize not set | Default is 100MB; logs rotate unexpectedly before 200MB |
| Forget to mount policy file in apiserver pod | apiserver crashes on restart - static pod won't come back up |
On a real cluster (and in the exam), after editing the static pod manifest you must verify the apiserver restarts successfully:
kubectl get pods -n kube-system
crictl ps | grep apiserver # if kubectl is unresponsive
Memory Tip
Think of audit policy like a firewall ruleset: most specific rule first, catch-all last, and the moment a rule matches, processing stops. The four levels are a verbosity dial: None → Metadata → Request → RequestResponse, each adding more data.
For the flags, remember PABS: Path, Age, Backup, Size.
Topics
Community Discussion
No community discussion yet for this question.