Audit logging

This page describes how to access Kubernetes apiserver audit logs.

Overview

Each GKE On-Prem cluster has Kubernetes Audit Logging, which keeps a chronological record of calls made to the cluster's Kubernetes API server. Audit logs are useful for investigating suspicious API requests or for collecting statistics.

Audit logs from each apiserver are dumped to a persistent disk, so that VM restarts/upgrades won't cause the logs to disappear. GKE On-Prem retains up to 10GB of audit logs.

Accessing Kubernetes audit logs

You can only access audit logs through the admin cluster:

  1. View the Kubernetes API servers running in your clusters:

    kubectl get pods --all-namespaces -l component=kube-apiserver
    
  2. Download the API server's audit logs:

    kubectl cp -n [NAMESPACE] [APISERVER_POD_NAME]:/var/log/kube-audit/kube-apiserver-audit.log /tmp/kubeaudit.log
    

    This command fetches the latest log file, which can contain up to 1GB of data for the admin cluster and up to 850GB for user clusters.

    Older audit records are kept in separate files. To view those files:

    kubectl exec -n [NAMESPACE] [APISERVER_POD_NAME] -- ls /var/log/kube-audit -la
    

    Each audit log file's name includes a timestamp that indicates when the file was rotated; the file contains audit records up to that date and time.
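Once a log file has been copied out with `kubectl cp`, the next step is to read it. The following is an added example, not code from the GKE On-Prem documentation or from Google; it assumes the file uses the upstream Kubernetes audit log backend format (one `audit.k8s.io/v1` Event as JSON per line, with `auditID`, `stage`, `verb`, `user`, `objectRef` and `responseStatus` fields), and the sample events, usernames, IP addresses and resource names embedded in it are constructed. It de-duplicates the `RequestReceived`/`ResponseComplete` pair for each request, tolerates garbled lines from a rotated file, builds per-user statistics, and flags the kinds of requests the Overview says audit logs are for investigating: denied requests, interactive pod access, and access to secrets or RBAC objects by non-system identities. The resource and subresource sets are the example's own choice, not a GKE setting.

```python
import json
import sys
from collections import Counter

# Constructed sample of kube-apiserver audit events (JSON lines, audit.k8s.io/v1).
# These are made up for this example and do not come from any real cluster.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"RequestReceived","requestURI":"/api/v1/namespaces/default/secrets/db-creds","verb":"get","user":{"username":"alice@example.com","groups":["system:authenticated"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"secrets","namespace":"default","name":"db-creds"},"requestReceivedTimestamp":"2019-06-01T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets/db-creds","verb":"get","user":{"username":"alice@example.com","groups":["system:authenticated"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"secrets","namespace":"default","name":"db-creds"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2019-06-01T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/pods","verb":"list","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["10.0.0.1"],"objectRef":{"resource":"pods","namespace":"kube-system"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2019-06-01T10:00:01.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods/web-0/exec?command=sh","verb":"create","user":{"username":"bob@example.com","groups":["system:authenticated"]},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-0"},"responseStatus":{"code":101},"requestReceivedTimestamp":"2019-06-01T10:00:02.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"bob@example.com","groups":["system:authenticated"]},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"clusterrolebindings","name":"bob-admin"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2019-06-01T10:00:03.000000Z"}
this line is not JSON and is skipped by the parser
"""

# Example's own choice of what deserves a second look; tune to your environment.
SENSITIVE_RESOURCES = {"secrets", "clusterrolebindings", "rolebindings", "clusterroles", "roles"}
SENSITIVE_SUBRESOURCES = {"exec", "attach", "portforward"}


def parse_audit_log(text):
    """Parse JSON-lines audit output into a list of event dicts.

    Only ResponseComplete events are kept so each request is counted once
    (the same auditID is also written at the RequestReceived stage), and lines
    that are not valid JSON (e.g. a truncated tail of a rotated file) are skipped.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("kind") != "Event" or ev.get("stage") != "ResponseComplete":
            continue
        events.append(ev)
    return events


def summarize_by_user(events):
    """Count (username, verb, resource) triples for quick statistics."""
    counts = Counter()
    for ev in events:
        ref = ev.get("objectRef") or {}
        user = (ev.get("user") or {}).get("username", "<unknown>")
        counts[(user, ev.get("verb", "-"), ref.get("resource", "-"))] += 1
    return counts


def flag_events(events):
    """Return (reason, event) pairs for requests worth investigating."""
    flagged = []
    for ev in events:
        user = (ev.get("user") or {}).get("username", "")
        ref = ev.get("objectRef") or {}
        code = (ev.get("responseStatus") or {}).get("code", 0)
        reasons = []
        if code in (401, 403):
            reasons.append("denied request (HTTP %d)" % code)
        if ref.get("subresource") in SENSITIVE_SUBRESOURCES:
            reasons.append("interactive pod access via %s" % ref["subresource"])
        if ref.get("resource") in SENSITIVE_RESOURCES and not user.startswith("system:"):
            reasons.append("%s %s by non-system user" % (ev.get("verb"), ref["resource"]))
        for reason in reasons:
            flagged.append((reason, ev))
    return flagged


def report(text):
    """Parse, summarize and flag; returns the flagged list for further handling."""
    events = parse_audit_log(text)
    print("%d requests" % len(events))
    for (user, verb, resource), n in sorted(summarize_by_user(events).items()):
        print("  %-35s %-7s %-20s %d" % (user, verb, resource, n))
    flagged = flag_events(events)
    for reason, ev in flagged:
        print("FLAG %s  %s %s from %s: %s" % (
            ev.get("requestReceivedTimestamp"), ev.get("user", {}).get("username"),
            ev.get("verb"), ",".join(ev.get("sourceIPs", [])), reason))
    return flagged


if __name__ == "__main__":
    # Usage: python audit_triage.py /tmp/kubeaudit.log   (no argument: run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report(fh.read())
    else:
        report(SAMPLE_AUDIT_LOG)
```

On the sample, the parser keeps four requests (the duplicate RequestReceived record and the garbled line are dropped) and flags four findings across three audit IDs: the secret read by a human user, the `pods/exec` session, and the denied ClusterRoleBinding creation, which is flagged both as a 403 and as an RBAC write by a non-system user. Because `kube-apiserver-audit.log` is rotated, run the script over each file listed by the `ls /var/log/kube-audit` command above to cover the full retention window.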

Audit policy

Audit logging behavior is determined by a statically-configured Kubernetes audit logging policy. Changing this policy is currently not supported.