Kubernetes Audit
Kubernetes Audit is a feature of the Kubernetes API server that audits the requests it receives. In webhook mode, an operator can receive audit data on a dedicated HTTP webserver and use it as a source for analytics, monitoring, etc.
Exoscale packages Kubernetes Audit in SKS. It can be enabled, disabled and configured at no operational cost other than setting up and managing the receiving webserver.
Prerequisites
- Knowledge of SKS - how to create and/or update an SKS Cluster
- An SKS Cluster (new or existing) with the following conditions: PRO offering, and Kubernetes version >= 1.31.0
- A webserver, ideally supporting Bearer-token authentication and HTTPS
Configuration
At the moment we support the following parameters:
- Endpoint: the URL to send the audit data to
- Bearer token: the authentication token for the receiving webserver
- Initial Backoff: how long to wait before sending the first batch of data (by default 10 seconds)
We deploy a static Audit Policy which integrates with Falco but can be used with bespoke solutions and offers sane defaults. You can check the contents here
The first version of the feature supports bearer token authentication exclusively.
Other parameters are set to their default value.
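A minimal receiver for the Endpoint and Bearer token parameters above, as an added example that is not Exoscale's code: it checks the `Authorization: Bearer` header in constant time and parses the `audit.k8s.io/v1` `EventList` batch that the API server's audit webhook posts. The token value, the listen address and the assumption that TLS is terminated in front of the listener are illustrative.

```python
import hmac, json
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_TOKEN = "example-token-change-me"  # assumption: value of the Bearer token field

def authorized(header, expected=EXPECTED_TOKEN):
    """Constant-time check of an 'Authorization: Bearer <token>' header."""
    scheme, _, token = (header or "").partition(" ")
    return scheme.lower() == "bearer" and hmac.compare_digest(
        token.strip().encode(), expected.encode())

def summarize(body):
    """Parse an audit.k8s.io EventList batch; return one summary dict per event."""
    doc = json.loads(body)
    if not isinstance(doc, dict) or doc.get("kind") != "EventList":
        raise ValueError("not an audit EventList")
    out = []
    for ev in doc.get("items") or []:
        ref = ev.get("objectRef") or {}
        out.append({"auditID": ev.get("auditID"), "verb": ev.get("verb"),
                    "user": (ev.get("user") or {}).get("username"),
                    "resource": ref.get("resource"), "namespace": ref.get("namespace"),
                    "code": (ev.get("responseStatus") or {}).get("code")})
    return out

class AuditHandler(BaseHTTPRequestHandler):
    def _reply(self, code):
        self.send_response(code)
        self.end_headers()
    def do_POST(self):
        if not authorized(self.headers.get("Authorization")):
            return self._reply(401)  # reject before reading the body
        try:
            length = int(self.headers.get("Content-Length", 0))
            events = summarize(self.rfile.read(length))
        except (ValueError, AttributeError):
            return self._reply(400)
        for e in events:
            print(json.dumps(e))  # hand off to analytics or monitoring here
        self._reply(200)

# Constructed sample batch in the shape the API server posts to the endpoint.
SAMPLE = json.dumps({"kind": "EventList", "apiVersion": "audit.k8s.io/v1", "items": [
    {"auditID": "constructed-0001", "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "demo-user"}, "responseStatus": {"code": 201},
     "objectRef": {"resource": "pods", "namespace": "default"}}]})

if __name__ == "__main__":  # assumption: TLS is terminated in front of this listener
    HTTPServer(("127.0.0.1", 8080), AuditHandler).serve_forever()
```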
How-to
Portal
In order to activate and configure the feature:
- For existing SKS clusters: navigate to SKS > your_cluster > Update Cluster. Enable the Kubernetes Audit toggle and fill in the form.
- For new SKS clusters: navigate to SKS > Add. Similarly, enable the toggle and fill in the details.
In order to disable the feature:
- Navigate to SKS > your_cluster > Update Cluster and disable the toggle.
NOTE We do not expose the bearer token. Leaving the Bearer token field blank will preserve it.
NOTE You won’t see the toggle unless the prerequisites are met - PRO offering, Kubernetes >= 1.31
API
Our OpenAPI Spec describes how to parametrize Kubernetes audit.
Tooling integration (Exoscale Terraform Provider and the CLI) is coming soon.