This topic describes the alert rules for Kubernetes security, which cover an excessive number of Kubernetes events and error messages and frequent delete events. You can configure and enable the alerts in the Simple Log Service console to monitor Kubernetes security issues. If an alert is triggered, you can identify the cause and fix the error at the earliest opportunity.
Alert rules
The following alert rules are supported. For information about how to set alert parameters, configure whitelists, and perform other related operations, see Configure alerts.
Too Many K8s Warning Events Alert
ID | sls_app_audit_container_at_k8s_warn |
Name | Too Many K8s Warning Events Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, Container Security, K8s Security |
Usage | Monitors the number of warning events on a Kubernetes cluster. If the number of warning events on a Kubernetes cluster is greater than or equal to the Threshold parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings |
|
External Configurations | None |
Solution | Check whether exceptions have occurred on the clusters that broadcast a large number of warning events. |
Prerequisites | The K8s Event Center switch next to Kubernetes is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
K8s Frequent Delete Event Alert
ID | sls_app_audit_container_at_k8s_del |
Name | K8s Frequent Delete Event Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, Container Security, K8s Security |
Usage | Monitors frequent delete events on Kubernetes clusters. If the number of delete events on a Kubernetes cluster is greater than or equal to the Threshold parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings |
|
External Configurations | None |
Solution | Check whether exceptions have occurred on the Kubernetes cluster where delete events occur too frequently. |
Prerequisites | The K8s Event Center switch next to Kubernetes is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
Too Many K8s Error Events Alert
ID | sls_app_audit_container_at_k8s_err |
Name | Too Many K8s Error Events Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, Container Security, K8s Security |
Usage | Monitors the error events of a Kubernetes cluster. If the number of error events on a Kubernetes cluster is greater than the Threshold parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings |
|
External Configurations | None |
Solution | Check whether exceptions have occurred on the Kubernetes cluster where an excessive number of error events occur. |
Prerequisites | The K8s Event Center switch next to Kubernetes is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
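The three rules above share one evaluation pattern: a check every minute over the last 2 minutes of data, compared against a threshold. The following added example (not Simple Log Service code) replays that pattern over constructed events to show how the overlapping windows and the different comparisons behave. The threshold values, the event tuple layout, and the half-open window `[now - 2 min, now)` are assumptions, because the page does not list the Parameter Settings.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)  # "Time Range" stated on the page
STEP = timedelta(minutes=1)    # "Check Frequency" stated on the page
START = datetime(2024, 1, 1, 12, 0)  # constructed start time for the replay

# Rule ID -> (event kind counted, comparison stated in "Usage", threshold).
# Thresholds are assumed values; the page does not give the defaults.
RULES = {
    "sls_app_audit_container_at_k8s_warn": ("warning", "ge", 5),
    "sls_app_audit_container_at_k8s_del": ("delete", "ge", 5),
    "sls_app_audit_container_at_k8s_err": ("error", "gt", 5),
}


def evaluate(events, rule_id, start, checks):
    """Return the check times at which rule_id fires.

    events: list of (timestamp, kind) tuples (hypothetical layout).
    checks: number of consecutive 1-minute checks to replay from start.
    """
    kind, op, threshold = RULES[rule_id]
    fired = []
    for i in range(checks):
        now = start + i * STEP
        # Count matching events inside the assumed window [now - 2 min, now).
        count = sum(1 for ts, k in events
                    if k == kind and now - WINDOW <= ts < now)
        hit = count >= threshold if op == "ge" else count > threshold
        if hit:
            fired.append(now)
    return fired


def sample_events():
    """Constructed sample: a burst of exactly 5 events per kind at 12:00:30."""
    burst = START + timedelta(seconds=30)
    return [(burst + timedelta(seconds=s), kind)
            for kind in ("warning", "delete", "error") for s in range(5)]


if __name__ == "__main__":
    for rule_id in RULES:
        hits = evaluate(sample_events(), rule_id, START, checks=5)
        print(rule_id, [t.strftime("%H:%M") for t in hits])
```

With this constructed burst, the warning and delete rules fire at two consecutive checks because each event falls into two overlapping 2-minute windows, so one burst can produce repeated alerts. The error rule does not fire at exactly the threshold because its comparison is "greater than" rather than "greater than or equal to".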