Audit Logging

The Audit Log feature enables Kubernetes auditing for NKE. Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster. The cluster audits the activities generated by users, by applications that use the Kubernetes API, and by the control plane itself.

Auditing shows who did what on your NKE cluster, e.g. user X sent a get request for secret Y.

Note: The log level is set to Metadata. Request and response contents are not being logged.

See the official Kubernetes documentation for more information.

Availability

Audit Log is available as an optional service for NKE. For now, it can only be deployed via the API or kubectl.

Usage

To enable Audit Log, you will need a running Loki instance. The audit logs will be pushed to that instance and you can then view them with either logcli or a Grafana instance.

For now you can only enable the Audit Log feature via the API using curl or kubectl. For authentication, please read the API docs here.

Kubectl:

kubectl patch kubernetescluster <kubernetescluster-name> -n <project-name> --type='merge' -p '
spec:
  forProvider:
    nke:
      auditLog:
        targets:
        - group: observability.nine.ch/v1alpha1
          kind: Loki
          name: <loki-name>
'

You can view the logs with either LogCLI or Grafana:

LogCLI:

logcli --username "username" --password "password" --addr "<loki-address>" --tls-skip-verify query '{log_type="audit"}' --from="<from-date>"

The date should be in the format 2024-08-16T12:00:00Z.

Grafana:

Go to Explore in the Grafana menu, select your Loki instance as the data source, and set the query to {log_type="audit"}.
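
Added example (not part of the NKE documentation): a small Python filter that turns Metadata-level audit events into the "who did what" view described above, listing every request on a secret and counting denied attempts per user. It assumes each log line retrieved from Loki is a JSON-encoded audit.k8s.io/v1 event as written by the Kubernetes API server; the sample lines, user names and the make_event helper are constructed for illustration.

```python
import json
from collections import Counter

def make_event(user, verb, resource, name, code, stage="ResponseComplete"):
    """Build one constructed audit line; real events carry more fields."""
    event = {"kind": "Event", "apiVersion": "audit.k8s.io/v1",
             "level": "Metadata", "stage": stage, "verb": verb,
             "user": {"username": user}, "responseStatus": {"code": code}}
    if resource:  # non-resource requests such as /healthz have no objectRef
        event["objectRef"] = {"resource": resource, "namespace": "prod"}
        if name:  # list requests carry no object name
            event["objectRef"]["name"] = name
    return json.dumps(event)

SAMPLE_LINES = [  # constructed sample data, not output from a real cluster
    make_event("alice@example.com", "get", "secrets", "db-credentials", 200),
    make_event("alice@example.com", "get", "secrets", "db-credentials", 200, "RequestReceived"),
    make_event("system:serviceaccount:prod:web", "list", "secrets", None, 403),
    make_event("system:serviceaccount:prod:web", "get", "secrets", "tls", 403),
    make_event("bob@example.com", "get", "pods", "web-0", 200),
    make_event("system:anonymous", "get", None, None, 200),
    "level=info msg=not-json",
]

def secret_access(lines):
    """Return (user, verb, namespace/name, status code) per secret request."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
            ref = event.get("objectRef") or {}
        except (json.JSONDecodeError, AttributeError):
            continue  # skip lines that are not a JSON object
        # One request is logged at several stages; keep the final one only.
        if event.get("stage") != "ResponseComplete" or ref.get("resource") != "secrets":
            continue
        target = f'{ref.get("namespace", "-")}/{ref.get("name", "*")}'
        code = (event.get("responseStatus") or {}).get("code")
        user = (event.get("user") or {}).get("username")
        hits.append((user, event.get("verb"), target, code))
    return hits

def denied_by_user(hits):
    """Count 403 responses per user; repeated denials on secrets merit review."""
    return Counter(user for user, _verb, _target, code in hits if code == 403)

if __name__ == "__main__":
    found = secret_access(SAMPLE_LINES)
    print(*found, dict(denied_by_user(found)), sep="\n")
```

Because the log level is Metadata, the events identify the user, verb and object but never contain the secret's value.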