Enable kube-audit logs for downstream RKE2 clusters

This document (000021171) is provided subject to the disclaimer at the end of this document.

Environment

Downstream RKE2

Situation

Unlike RKE1, RKE2 does not automatically enable kube-audit logs with a default policy, but some environments require kube-audit logs to be enabled.

Resolution

Edit the RKE2 cluster config as YAML and, under machineGlobalConfig, add the option audit-policy-file followed by the JSON of your policy to turn on auditing.

Here is an example of the change:

    machineGlobalConfig:
      audit-policy-file: >-
        {"apiVersion":"audit.k8s.io/v1","kind":"Policy","omitStages":["RequestReceived"],"rules":[{"level":"RequestResponse","resources":[{"group":"","resources":["pods"]}]},{"level":"Metadata","resources":[{"group":"","resources":["pods/log","pods/status"]}]},{"level":"None","resources":[{"group":"","resources":["configmaps"],"resourceNames":["controller-leader"]}]},{"level":"None","users":["system:kube-proxy"],"verbs":["watch"],"resources":[{"group":"","resources":["endpoints","services"]}]},{"level":"None","userGroups":["system:authenticated"],"nonResourceURLs":["/api*","/version"]},{"level":"Request","resources":[{"group":"","resources":["configmaps"]}],"namespaces":["kube-system"]},{"level":"Metadata","resources":[{"group":"","resources":["secrets","configmaps"]}]},{"level":"Request","resources":[{"group":""},{"group":"extensions"}]},{"level":"Metadata","omitStages":["RequestReceived"]}]}
      cni: calico
      disable-kube-proxy: false
      etcd-expose-metrics: false
      profile: null

This will add the following defaults to the kube-apiserver running on RKE2:

    --audit-policy-file=/var/lib/rancher/rke2/etc/config-files/audit-policy-file
    --audit-log-maxage=30
    --audit-log-maxbackup=10
    --audit-log-maxsize=100
    --audit-log-path=/var/lib/rancher/rke2/server/logs/audit.log

The audit policy is stored in /var/lib/rancher/rke2/etc/config-files/audit-policy-file. It is strongly recommended to modify the file only via the Rancher UI so that it is not overwritten the next time you make other cluster changes.

The audit logs can be found in /var/lib/rancher/rke2/server/logs/audit.log
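
To check which level a given request would be logged at before applying a policy, the sketch below evaluates the example policy above in the first-matching-rule order that Kubernetes audit policies use. It is an added example, not SUSE or Rancher code; the request dictionary keys and function names are hypothetical, and the matcher is a simplified model that ignores omitStages and `*` resource wildcards.

```python
import json

# Policy copied from the machineGlobalConfig example above (line breaks added).
POLICY = json.loads("""{"apiVersion":"audit.k8s.io/v1","kind":"Policy","omitStages":["RequestReceived"],"rules":[
 {"level":"RequestResponse","resources":[{"group":"","resources":["pods"]}]},
 {"level":"Metadata","resources":[{"group":"","resources":["pods/log","pods/status"]}]},
 {"level":"None","resources":[{"group":"","resources":["configmaps"],"resourceNames":["controller-leader"]}]},
 {"level":"None","users":["system:kube-proxy"],"verbs":["watch"],"resources":[{"group":"","resources":["endpoints","services"]}]},
 {"level":"None","userGroups":["system:authenticated"],"nonResourceURLs":["/api*","/version"]},
 {"level":"Request","resources":[{"group":"","resources":["configmaps"]}],"namespaces":["kube-system"]},
 {"level":"Metadata","resources":[{"group":"","resources":["secrets","configmaps"]}]},
 {"level":"Request","resources":[{"group":""},{"group":"extensions"}]},
 {"level":"Metadata","omitStages":["RequestReceived"]}]}""")

# Hypothetical request dict: user, groups, verb + resource fields or a URL path.
def _resource_match(rule, req):
    if "resource" not in req:
        return False  # resource selectors never match non-resource URLs
    if rule.get("namespaces") and req.get("namespace", "") not in rule["namespaces"]:
        return False
    for sel in rule.get("resources", []):
        wanted, names = sel.get("resources", []), sel.get("resourceNames", [])
        if sel.get("group", "") != req.get("group", ""):
            continue
        if not wanted or ((not names or req.get("name") in names) and req["resource"] in wanted):
            return True
    return not rule.get("resources")  # namespace-only rule matches any resource

def rule_matches(rule, req):
    if rule.get("users") and req.get("user") not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(req.get("groups", [])):
        return False
    if rule.get("verbs") and req.get("verb") not in rule["verbs"]:
        return False
    if rule.get("namespaces") or rule.get("resources"):
        return _resource_match(rule, req)
    urls, path = rule.get("nonResourceURLs", []), req.get("path")
    if urls:
        return path is not None and any(
            u == path or (u.endswith("*") and path.startswith(u[:-1])) for u in urls)
    return True  # rule without selectors is a catch-all

def effective_level(req, policy=POLICY):
    # Rules are evaluated in order; the first match decides the level.
    for index, rule in enumerate(policy["rules"]):
        if rule_matches(rule, req):
            return index, rule["level"]
    return None, "None"  # no rule matched: the request is not logged
```

With this policy a `get` on a Secret resolves to rule index 6 (`Metadata`), so Secret bodies stay out of the log only because that rule comes before the broader core-group `Request` rule.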

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021171
  • Creation Date: 15-Aug-2023
  • Modified Date: 06-Sep-2023
    • SUSE Rancher
