How to collect kube-api audit logs with rancher-logging for an RKE/RKE2/K3S cluster
This document (000021022) is provided subject to the disclaimer at the end of this document.
Environment
Situation
Resolution
By configuring the following, you can enable the kube-api server audit logs collection from rancher-logging helm charts. The rancher-logging helm chart has it disabled by default:
RKE:
kubeAudit:
auditFilename: 'audit-log.json'
enabled: enabled
fluentbit:
logTag: kube-audit
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/controlplane
value: 'true'
- effect: NoExecute
key: node-role.kubernetes.io/etcd
value: 'true'
pathPrefix: '/var/log/kube-audit'
RKE2:
kubeAudit:
auditFilename: 'audit.log'
enabled: enabled
fluentbit:
logTag: kube-audit
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/controlplane
value: 'true'
- effect: NoExecute
key: node-role.kubernetes.io/etcd
value: 'true'
pathPrefix: '/var/lib/rancher/rke2/server/logs'
k3s:
kubeAudit:
auditFilename: 'audit.log'
enabled: enabled
fluentbit:
logTag: kube-audit
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/controlplane
value: 'true'
- effect: NoExecute
key: node-role.kubernetes.io/etcd
value: 'true'
pathPrefix: '/var/lib/rancher/k3s/server/logs'
Cause
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021022
- Creation Date: 24-Mar-2023
- Modified Date:27-Mar-2024
-
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
