Container Service for Kubernetes:Use container auditing

Last Updated:Sep 07, 2023

Container auditing allows you to audit the commands and operations that are run and performed by different users in containers. This topic describes how to configure container auditing, how to use Log Service to collect and analyze audit logs, and how to create custom alert rules based on audit logs.

Billing

The container auditing feature is in public preview. You can use the feature free of charge. After you activate container auditing, the relevant Log Service features will be used and fees are charged for these features. For more information about the billing of Log Service, see Billing overview.

Limits

  • Cluster limits: Only Container Service for Kubernetes (ACK) clusters whose version is 1.18 or later support container auditing, including ACK dedicated clusters, ACK basic clusters, and ACK Pro clusters. For more information about how to update a cluster, see Update the Kubernetes version of an ACK cluster.

  • Operating system limits: The nodes in your cluster must run Alibaba Cloud Linux.

Enable container auditing

You can install the logtail-ds and ack-advanced-audit components to enable container auditing.

  • logtail-ds: collects audit logs to Log Service and creates a default audit report.

  • ack-advanced-audit: implements container auditing.

After you enable container auditing, a Logstore named advaudit-${cluster_id} is created in the project used by logtail-ds by default. The Logstore is used to store audit logs. The retention period of the audit logs is 180 days. For more information about how to modify the retention period, see Manage a Logstore.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Operations > Add-ons in the left-side navigation pane.

  3. On the Add-ons page, install the logtail-ds and ack-advanced-audit components.

    • Click the Logs and Monitoring tab, find the logtail-ds component, and then click Install in the lower-right part of the card. In the message that appears, click OK.

    • Click the Security tab, find the ack-advanced-audit component, and then click Install in the lower-right part of the card. In the message that appears, click OK.

View audit reports

After container auditing is enabled, an audit report named Kubernetes container auditing report is created in the project by default.

  1. Log on to the Log Service console.

  2. In the Projects section, find the project used by the cluster and click the project name.

  3. In the left-side navigation pane, click the Dashboard icon. Then, click Kubernetes container auditing report to view the content of the report.

    • View the number of accesses to a pod and the pod information.

    • View the accounts that performed Kubernetes operations, the commands that were run in a pod, and the common high-risk operations.

View detailed log data

You can use the following methods to view detailed log data:

Method 1: View detailed log data on the audit report page

On the Kubernetes container auditing report page, click the hyperlinks in the traceId and eventId columns in the High-risk Operations section.

  • Click the hyperlink in the traceId column to view the audit log of the commands that were run in a pod during each access.

  • Click the hyperlink in the eventId column to view the details about a command.

Method 2: Run query statements on the Logstore page

You can run queries on the Logstore page to view detailed log data.

  1. Log on to the Log Service console.

  2. In the Projects section, find the project used by the cluster and click the project name.

  3. Choose Log Storage > Logstores. Then, click the Logstore named advaudit-${cluster_id}.

    ${cluster_id} in advaudit-${cluster_id} indicates the ID of your cluster.

  4. Enter a query statement in the search box.

    • Query the audit log of a command that was run in a pod: Enter * and k8s.pod.namespace: <namespace> and k8s.pod.name: <pod_name>. Replace <namespace> with the namespace of the pod and <pod_name> with the name of the pod.

    • Query the audit log of an operation that was performed to run a program: Enter * and process.name: <name>. Replace <name> with the name of the program.

      For more information about how to query log data, see Query methods.

  5. Click 15 Minutes (Relative) to specify a time range for the query.

  6. Click Search & Analyze to view the query and analysis results.

Create alert rules based on audit logs

You can use the alerting feature provided by Log Service to generate alerts based on audit logs in real time. This helps you learn about critical operations in pods as soon as they occur. Available alert notification methods are DingTalk chatbots, custom webhooks, and Alibaba Cloud Message Center. For more information about other alerting methods, see Alerting.
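As an added example (not part of this document or of the ack-advanced-audit component), the following Python script shows how the two query forms from the Logstore procedure above and a simple high-risk alert rule behave on audit records. It uses only the field names the query statements name (k8s.pod.namespace, k8s.pod.name, process.name, traceId, eventId); the record values and the high-risk watchlist are constructed for illustration and are not the report's own list.

```python
import json
from collections import defaultdict

# Constructed sample audit records. The field names are the ones the Logstore
# query examples use; every value below is made up for this example.
SAMPLE_LOGS = [json.loads(line) for line in """
{"traceId":"t-1","eventId":"e-1","k8s.pod.namespace":"default","k8s.pod.name":"web-0","process.name":"bash"}
{"traceId":"t-1","eventId":"e-2","k8s.pod.namespace":"default","k8s.pod.name":"web-0","process.name":"cat"}
{"traceId":"t-1","eventId":"e-3","k8s.pod.namespace":"default","k8s.pod.name":"web-0","process.name":"chmod"}
{"traceId":"t-2","eventId":"e-4","k8s.pod.namespace":"kube-system","k8s.pod.name":"coredns-1","process.name":"bash"}
{"traceId":"t-2","eventId":"e-5","k8s.pod.namespace":"kube-system","k8s.pod.name":"coredns-1","process.name":"wget"}
""".strip().splitlines()]


def parse_query(query):
    """Turn '* and field: value and ...' into a list of (field, value) filters."""
    filters = []
    for clause in query.split(" and "):
        clause = clause.strip()
        if clause == "*":
            continue  # '*' matches every record and adds no filter
        field, sep, value = clause.partition(":")
        if not sep:
            raise ValueError(f"clause is not in field: value form: {clause!r}")
        filters.append((field.strip(), value.strip()))
    return filters


def search(logs, query):
    """Return the records that satisfy every field: value clause of the query."""
    filters = parse_query(query)
    return [r for r in logs if all(r.get(f) == v for f, v in filters)]


def commands_by_trace(records):
    """Mirror the traceId drill-down: the commands run during each access, in event order."""
    by_trace = defaultdict(list)
    for r in sorted(records, key=lambda r: r["eventId"]):
        by_trace[r["traceId"]].append(r["process.name"])
    return dict(by_trace)


# Constructed watchlist for an alert rule (assumption: the page does not enumerate its list).
WATCHLIST = {"chmod", "wget", "curl"}


def high_risk_events(records, watchlist=WATCHLIST):
    """Return (traceId, eventId, pod, process) for every record an alert rule would fire on."""
    return [(r["traceId"], r["eventId"], r["k8s.pod.name"], r["process.name"])
            for r in records if r["process.name"] in watchlist]
```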

Disable container auditing

You can uninstall ack-advanced-audit to disable container auditing.

Important

This operation does not delete the automatically created Logstore named advaudit-${cluster_id}. You need to log on to the Log Service console and manually delete it. For more information, see Delete a Logstore.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Operations > Add-ons in the left-side navigation pane.

  3. On the Add-ons page, click the Logs and Monitoring tab, find the ack-advanced-audit component, and then click Uninstall in the lower-right part of the card.

  4. In the message that appears, click OK.