Container auditing allows you to audit the commands and operations that are run and performed by different users in containers. This topic describes how to configure container auditing, how to use Log Service to collect and analyze audit logs, and how to create custom alert rules based on audit logs.
Billing
The container auditing feature is in public preview. You can use the feature free of charge. After you activate container auditing, the relevant Simple Log Service (SLS) features will be used and fees are charged for these features. For more information about the billing of SLS, see Billing overview.
Limits
Cluster types: Only ACK Pro clusters, ACK Basic clusters, and ACK dedicated clusters are supported.
Cluster limits: Only Alibaba Cloud Linux with a kernel version later than 4.19, Ubuntu, and ContainerOS support container auditing.
Alibaba Cloud Linux: The Kubernetes version of the cluster is 1.18 or later.
Ubuntu:
The Kubernetes version of the cluster is 1.30 or later. For more information, see Manually upgrade ACK clusters.
Cloud Parallel File Storage (CPFS) volume, image acceleration plugin, and security hardening are not supported.
ContainerOS: The Kubernetes version of the cluster is 1.24 or later.
Step 1: Enable container auditing
You can install the logtail-ds and ack-advanced-audit components to enable container auditing.
logtail-ds: collects audit logs to Log Service and creates a default audit report.
ack-advanced-audit: implements container auditing.
After you enable container auditing, a Logstore named advaudit-${cluster_id} is created in the project used by logtail-ds by default. The Logstore is used to store audit logs. The retention period of the audit logs is 180 days. For more information about how to modify the retention period, see Manage a Logstore.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose .
On the Add-ons page, find the logtail-ds component under the Logs and Monitoring tab and the ack-advanced-audit component under the Security tab, then install these two components as prompted.
Step 2: View audit reports
After container auditing is enabled, an audit report named Kubernetes container auditing report is created in the project by default.
Log on to the Simple Log Service console.
In the Projects section, find the project used by the cluster and click the project name.
In the left-side navigation pane, click the icon. Then, click Kubernetes container auditing report to view the content of the report.
View the number of accesses to a pod and the pod information.
View the accounts that performed Kubernetes operations, the commands that were run in a pod, and the common high-risk operations.
Step 3: View detailed log data
You can use the following methods to view detailed log data:
View detailed log data on the audit report page. This method is suitable for checking the logs of an event.
Run query statements on the Logstore page. This method is suitable for checking historical data and events in complex scenarios.
View detailed log data on the audit report page
On the Kubernetes container auditing report page, click the hyperlinks in the traceId and eventId columns in the High-risk Operations section.
Click the hyperlink in the traceId column to view the audit log of the commands that were run in a pod during each access.
Click the hyperlink in the eventId column to view the details about a command.
Run query statements on the Logstore page
You can run queries on the Logstore page to view detailed log data.
Log on to the Simple Log Service console.
In the Projects section, find the project used by the cluster and click the project name.
Choose . Then, click the Logstore named advaudit-${cluster_id}.
${cluster_id} in advaudit-${cluster_id} indicates the ID of your cluster.
Enter a query statement in the search box.
Query the audit log of a command that was run in a pod: Enter * and k8s.pod.namespace: <namespace> and k8s.pod.name: <pod_name>. Replace <namespace> with the namespace of the pod and <pod_name> with the name of the pod.
Query the audit log of an operation that was performed to run a program: Enter * and process.name: <name>. Replace <name> with the name of the program.
For more information about how to query log data, see Query methods.
Click 15 Minutes(Relative) to specify a time range for the query.
Click Search & Analyze to view the query and analysis results.
(Optional) Step 4: Create alert rules based on audit logs
You can use the alerting feature provided by Log Service to generate alerts based on audit logs in real time. This helps you learn critical operation events in pods at the earliest opportunity. Available alert notification methods are DingTalk chatbots, custom webhooks, and Alibaba Cloud Message Center. For more information about other alerting methods, see Alerting.
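The two query forms from Step 3 and the alert rule idea from Step 4, shown as an added example that is not part of the ACK or Simple Log Service documentation: a small Python matcher that parses the "* and field: value" query form used above, runs it over audit records, groups the hits by traceId the way the report's traceId link does, and evaluates a threshold-based alert rule. The field names (k8s.pod.namespace, k8s.pod.name, process.name, traceId, eventId) are the ones named on this page; the sample record values, the JSON-lines layout, and the simplified query grammar (only "*" and "and field: value" terms) are assumptions made for this illustration, and real SLS query syntax and alert rules are considerably richer.

```python
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample audit records (JSON, one record per line). Only field
# names that appear in the documentation are used; every value is made up.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(r) for r in [
    {"traceId": "t-001", "eventId": "e-1", "k8s.pod.namespace": "default",
     "k8s.pod.name": "web-0", "process.name": "ls"},
    {"traceId": "t-001", "eventId": "e-2", "k8s.pod.namespace": "default",
     "k8s.pod.name": "web-0", "process.name": "cat"},
    {"traceId": "t-002", "eventId": "e-3", "k8s.pod.namespace": "default",
     "k8s.pod.name": "web-1", "process.name": "sh"},
    {"traceId": "t-003", "eventId": "e-4", "k8s.pod.namespace": "kube-system",
     "k8s.pod.name": "dns-0", "process.name": "sh"},
])


def parse_query(query: str) -> List[Tuple[str, str]]:
    """Parse the query form shown in the docs:
    '* and field: value and field2: value2'.
    A bare '*' matches everything. Only the 'and' conjunction and exact
    field:value terms are supported (assumption: real SLS syntax is richer)."""
    terms = []
    for raw in query.split(" and "):
        raw = raw.strip()
        if raw == "*":
            continue
        if ":" not in raw:
            raise ValueError(f"unsupported term: {raw!r}")
        field, value = raw.split(":", 1)
        terms.append((field.strip(), value.strip()))
    return terms


def run_query(log_text: str, query: str) -> List[Dict[str, str]]:
    """Return the records matching every term of the query."""
    terms = parse_query(query)
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return [r for r in records if all(r.get(f) == v for f, v in terms)]


def commands_by_access(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group events by traceId: one trace is one access to a pod, and the
    per-trace list is the sequence of programs run during that access."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r["traceId"]].append(r["process.name"])
    return dict(grouped)


def alert_rule(log_text: str, query: str, threshold: int) -> Dict[str, object]:
    """Simplified stand-in for an SLS alert rule: fire when the number of
    records matching the query reaches the threshold."""
    matches = len(run_query(log_text, query))
    return {"matches": matches, "fire": matches >= threshold}


if __name__ == "__main__":
    # Query from Step 3: commands run in one pod.
    pod_query = "* and k8s.pod.namespace: default and k8s.pod.name: web-0"
    print(commands_by_access(run_query(SAMPLE_AUDIT_LOG, pod_query)))
    # Query from Step 3: every time a given program was run.
    print(run_query(SAMPLE_AUDIT_LOG, "* and process.name: sh"))
    # Step 4 style rule: alert once a program has been run twice.
    print(alert_rule(SAMPLE_AUDIT_LOG, "* and process.name: sh", 2))
```

Running the block prints the grouped commands for the web-0 pod, the two shell events in different pods, and an alert result that fires because the threshold of two matches is reached.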
Disable container auditing
You can uninstall ack-advanced-audit to disable container auditing.
This operation does not delete the automatically created Logstore named advaudit-${cluster_id}. You need to log on to the Log Service console and manually delete it. For more information, see Delete a Logstore.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose .
On the Add-ons page, click the Logs and Monitoring tab, find the ack-advanced-audit component, then click Uninstall in the lower-right part of the card and uninstall the component as prompted.
References
For more information about the release notes of ack-advanced-audit and logtail-ds, see ack-advanced-audit and Release notes of Logtail.
The audit log feature of the API server helps you answer "Who performed what action on which resource and at what time." For more information, see Work with cluster auditing.