Viewing Kubernetes API Server Audit Logs
Find out how to view operations of both Kubernetes Engine (OKE) and the Kubernetes API server as log events in the Oracle Cloud Infrastructure Audit.
It's often useful to understand the context behind activities happening in a cluster. For example, to perform compliance checks, to identify security anomalies, and to troubleshoot errors by identifying who did what and when.
You can use the Oracle Cloud Infrastructure Audit service to view all operations performed by:
- Kubernetes Engine, which emits audit events whenever you perform actions on a cluster, such as create and delete.
- The Kubernetes API server, which emits audit events whenever you use tools like kubectl to make administrative changes to a cluster, such as creating a service. Kubernetes API server audit events are shown in the Oracle Cloud Infrastructure Audit service for clusters running Kubernetes version 1.13.x (or later). Note that events are only shown from 15 July, 2020 onward.
Note that in addition to viewing operations as described in this topic, you can also:
- Monitor the overall status of the cluster itself, node pools, and nodes. See Monitoring Clusters.
- View and search the logs of Kubernetes processes (such as kube-scheduler, kube-controller-manager, cloud-controller-manager, and kube-apiserver) running in the cluster's control plane. See Viewing Kubernetes Engine (OKE) Service Logs.
- Monitor the health, capacity, and performance of clusters, node pools, and nodes at a more granular level using metrics , alarms , and notifications. See Kubernetes Engine (OKE) Metrics.
Using the Console
To view operations performed by Kubernetes Engine and the Kubernetes API server as log events in the Oracle Cloud Infrastructure Audit service:
- Open the navigation menu, click Identity & Security, and then click Audit
- Choose a Compartment you have permission to work in.
-
Search and filter to show the operations you're interested in:
- To view operations performed by Kubernetes Engine, enter
ClustersAPI
in the Keywords field and click Search. - To view operations performed by the Kubernetes API server, enter
OKE API Server Admin Access
in the Keywords field and click Search.
For more information about using the Oracle Cloud Infrastructure Audit service, see Viewing Audit Log Events.
- To view operations performed by Kubernetes Engine, enter
Using the API
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
Use the following operation to list audit log events: