How to collect kube-api audit logs with rancher-logging for an RKE/RKE2/K3S cluster
This document (000021022) is provided subject to the disclaimer at the end of this document.
Environment
RKE/RKE2/K3S
Situation
The kube-api server audit logs are usually written to a different directory than the one rancher-logging is configured to collect from.
Resolution
Configuring the following values enables collection of the kube-api server audit logs through the rancher-logging Helm chart, which has it disabled by default:
RKE:
kubeAudit:
  auditFilename: 'audit-log.json'
  enabled: true
  fluentbit:
    logTag: kube-audit
    tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/controlplane
        value: 'true'
      - effect: NoExecute
        key: node-role.kubernetes.io/etcd
        value: 'true'
  pathPrefix: '/var/log/kube-audit'
RKE2:
kubeAudit:
  auditFilename: 'audit.log'
  enabled: true
  fluentbit:
    logTag: kube-audit
    tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/controlplane
        value: 'true'
      - effect: NoExecute
        key: node-role.kubernetes.io/etcd
        value: 'true'
  pathPrefix: '/var/lib/rancher/rke2/server/logs'
k3s:
kubeAudit:
  auditFilename: 'audit.log'
  enabled: true
  fluentbit:
    logTag: kube-audit
    tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/controlplane
        value: 'true'
      - effect: NoExecute
        key: node-role.kubernetes.io/etcd
        value: 'true'
  pathPrefix: '/var/lib/rancher/k3s/server/logs'
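Before applying these values, it helps to confirm on a control-plane node that the file named by pathPrefix and auditFilename exists and actually holds audit events. The preflight check below is an added example, not part of the original article or of the rancher-logging chart; the function names audit_log_path and check_audit_log are hypothetical, and it assumes the API server writes audit events as one JSON object per line.

```shell
#!/bin/sh
# Added example (not from the article): preflight check for the kubeAudit values.
# Assumption: audit events are written as one JSON object per line.

# Print pathPrefix/auditFilename as given in the article for a distribution.
audit_log_path() {
    case "$1" in
        rke)  echo "/var/log/kube-audit/audit-log.json" ;;
        rke2) echo "/var/lib/rancher/rke2/server/logs/audit.log" ;;
        k3s)  echo "/var/lib/rancher/k3s/server/logs/audit.log" ;;
        *)    echo "unknown distribution: $1" >&2; return 2 ;;
    esac
}

# check_audit_log FILE
# Returns 0 if FILE looks like an audit log, 1 if missing or unreadable,
# 3 if empty, 4 if the last line is not an audit.k8s.io Event.
check_audit_log() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "missing or unreadable: $f" >&2
        return 1
    fi
    if [ ! -s "$f" ]; then
        echo "empty (is audit logging enabled on the API server?): $f" >&2
        return 3
    fi
    # Inspect only the most recent line; the file can be large.
    last=$(tail -n 1 "$f")
    if ! printf '%s\n' "$last" | grep -Eq '"kind" *: *"Event"' ||
       ! printf '%s\n' "$last" | grep -Eq '"apiVersion" *: *"audit\.k8s\.io/'; then
        echo "last line is not an audit.k8s.io Event: $f" >&2
        return 4
    fi
    echo "ok: $f"
}

# When called with a distribution name (rke, rke2 or k3s), check that node's file.
if [ -n "${1:-}" ]; then
    path=$(audit_log_path "$1") && check_audit_log "$path"
fi
```

A non-zero result means fluentbit would have nothing to tail at that path, so correct the audit log location or the kubeAudit values before deploying the chart.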
Cause
The kube-api server audit logs aren't collected by rancher-logging because they are placed outside of the directory that the logging operator parses by default.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.