Viewing Kubernetes API Server Audit Logs

Find out how to view operations of both Kubernetes Engine (OKE) and the Kubernetes API server as log events in the Oracle Cloud Infrastructure Audit.

It's often useful to understand the context behind activities happening in a cluster. For example, to perform compliance checks, to identify security anomalies, and to troubleshoot errors by identifying who did what and when.

You can use the Oracle Cloud Infrastructure Audit service to view all operations performed by:

• Kubernetes Engine, which emits audit events whenever you perform actions on a cluster, such as create and delete.
• The Kubernetes API server, which emits audit events whenever you use tools like kubectl to make administrative changes to a cluster, such as creating a service. Kubernetes API server audit events are shown in the Oracle Cloud Infrastructure Audit service for clusters running Kubernetes version 1.13.x (or later). Note that events are only shown from 15 July, 2020 onward.

Note that in addition to viewing operations as described in this topic, you can also:

• Monitor the overall status of the cluster itself, node pools, and nodes. See Monitoring Clusters.
• View and search the logs of Kubernetes processes (such as kube-scheduler, kube-controller-manager, cloud-controller-manager, and kube-apiserver) running in the cluster's control plane. See Viewing Kubernetes Engine (OKE) Service Logs.
• Monitor the health, capacity, and performance of clusters, node pools, and nodes at a more granular level using metrics , alarms , and notifications. See Kubernetes Engine (OKE) Metrics.