NavigationContentFooter
Jump toSuggest an edit

How to access the Kubernetes audit logs

Reviewed on 02 September 2024Published on 24 January 2024

Kubernetes Kapsule and Kosmos control plane metrics and logs are integrated into Cockpit, providing you with a centralized hub for monitoring the control plane, nodes, managed resources, and cluster system applications.

While this initial integration empowers you with the autonomy to troubleshoot issues promptly, we have taken the next step by extending the functionality, now Kubernetes audit records are also exported into Cockpit.

Kubernetes audit logs provide detailed insights into user-generated activities, actions initiated by applications using the Kubernetes API, and operations performed by the control plane.

Auditing allows cluster administrators to answer the following questions:

  • What happened?
  • When did the event occur?
  • Who initiated the action?
  • On which resource did it take place?
  • Where was the occurrence observed?
  • From which source was the action initiated?
  • To which destination was it directed?

Audit logging in Kubernetes clusters is enabled by default for clusters with dedicated control planes. Use audit logging to keep a chronological record of calls made to the Kubernetes API server, investigate suspicious API requests, collect statistics, or create monitoring alerts for unwanted API calls.

All logs are centralized in Cockpit.

Tip

Monitoring calls to the kube-apiserver is a matter of security compliance and perhaps a hard requirement for some of the certifications you are keen to obtain.

Cockpit dashboard updates

Starting April 2024, a new version of Cockpit will be released.

In this version, the concept of regionalization will be introduced to offer you more flexibility and resilience for seamless monitoring. If you have created customized dashboards with data for your Scaleway resources before April 2024, you will need to update your queries in Grafana, with the new regionalized data sources.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • Created a Kubernetes Kapsule or Kosmos cluster
  • A cluster that uses a dedicated control plane

How to enable audit logging for your clusters

Audit logging is enabled automatically for all new clusters using a dedicated control plane.

If you upgrade your cluster from a mutualized control plane to a dedicated one, audit logging will be enabled automatically for your cluster.

You can enable audit logging for all clusters using a dedicated control plane. Audit logging is enabled by default for all new clusters. If your cluster predates the introduction of this feature, follow the steps below to activate audit logs via your Scaleway console.

Tip

Audit logs are automatically enabled by default for all new clusters using dedicated control planes.

  1. In the Security and Compliance section of your Kubernetes cluster’s Settings tab, enable the Audit logs feature.
  2. Access Grafana to view the logs on the Kubernetes Cluster Audit Logs dashboard in Cockpit and the Explore section of Cockpit/Grafana.
Tip

If you are not sure whether audit logs for your cluster are enabled, you can verify the status of the feature from the clusters Security tab at any time.

How to disable audit logging

Important

The audit log feature is automatically disabled when downgrading your cluster from a dedicated to a mutualized control plane. This means no further audit logs will be stored in Cockpit once downgraded.

How to access cluster audit logs for clusters having a dedicated control plane.

You can access your clusters audit logs in Cockpit, Scaleway’s monitoring solution.

Tip

Audit logs are automatically enabled by default for all clusters using dedicated control planes.

  1. Retrieve your Grafana credentials.
  2. Access Grafana to view the logs on the Kubernetes Cluster Audit Logs dashboard in Cockpit and the Explore section of Cockpit/Grafana.

How to use audit logging with mutualized control planes

Audit logging is only available for clusters using a dedicated control plane.

Note that downgrading your cluster from a dedicated to a mutualized control plane will automatically disable audit logging, ceasing the storage of any further audit logs in Cockpit.

Note

Audit logging results in increased memory consumption for the API server, as it needs to store additional information for each audited request.

Important

Be aware that audit logging is a feature specifically designed for clusters using a dedicated control plane. If you decide to downgrade to a mutualized control plane, the feature will be automatically deactivated for the cluster.

Kubernetes audit policy

The Kubernetes audit policy defines the selection of log entries exported by the Kubernetes API server.

You can examine the Kubernetes audit policy file, which contains a list of rules, giving you complete visibility into our API server configuration and the chosen request treatments or exclusions.

See also
How to monitor a Kapsule cluster with CockpitHow to access the Kubernetes dashboard
API DocsScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCareers
© 2023-2024 – Scaleway