Edit /etc/kubernetes/manifests/kube-apiserver.yaml on all masters.
Add two flags like this:
[...]
spec:
containers:
- command:
- kube-apiserver
- --audit-policy-file=/etc/kubernetes/audit/policy.yaml
- --audit-log-path=/var/log/kubernetes/audit.log
[...]
--audit-policy-fileSpecifies the file that contains the policy on what to log. This cannot be specified withkubectland such. Create this file and define to policy, for example the following to log the metadata of all requests:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
-
--audit-log-pathsets the log file to dump messages into. This file is created on each master nodes and contains all the logs regarding this master only. Use some log scraper and enjoy a huge pile of text :) -
Log rotation is also supported. Use the following additional flags:
--audit-log-maxagedefined the maximum number of days to retain old audit log files--audit-log-maxbackupdefines the maximum number of audit log files to retain--audit-log-maxsizedefines the maximum size in megabytes of the audit log file before it gets rotated
Since the apiserver is running inside a pod you need to provide volumes:
[...]
volumeMounts:
- mountPath: /etc/kubernetes/audit
name: auditconf
readOnly: true
- mountPath: /var/log/kubernetes
name: log
readOnly: false
[...]
volumes:
- hostPath:
path: /etc/kubernetes/audit
type: DirectoryOrCreate
name: auditconf
- hostPath:
path: /var/log/kubernetes
type: DirectoryOrCreate
name: log
[...]
Restart the kubelet (systemctl restart kubelet) and you should see the file being populated.