
Container Service for Kubernetes:Use Container Behavior Auditing

Last Updated:May 08, 2025

Container Behavior Auditing allows you to audit the commands and operations that are run and performed by different users in containers. This topic describes how to configure Container Behavior Auditing, how to use Log Service to collect and analyze audit logs, and how to create custom alert rules based on audit logs.

Billing

You can use the Container Behavior Auditing feature free of charge. After you activate Container Behavior Auditing, the relevant Simple Log Service features will be used and fees are charged for these features. For more information about the billing of SLS, see Billing overview.

Limits

  • Cluster types: Only ACK managed Pro clusters, ACK managed Basic clusters, and ACK dedicated clusters are supported.

  • Operating system limits: Only Alibaba Cloud Linux with a kernel version later than 4.19, Ubuntu, and ContainerOS support Container Behavior Auditing.

    • Alibaba Cloud Linux: The Kubernetes version of the cluster is 1.18 or later.

    • ContainerOS: The Kubernetes version of the cluster is 1.24 or later.

    • Ubuntu:

      • The Kubernetes version of the cluster is 1.30 or above. For more information, see Manually upgrade ACK clusters.

      • During node initialization, automatic OS upgrades are disabled.

      • Cloud Parallel File Storage (CPFS) volume, image acceleration plugin, and security hardening are not supported.

Step 1: Enable Container Behavior Auditing

You can install the logtail-ds and ack-advanced-audit components to enable Container Behavior Auditing.

  • logtail-ds: collects audit logs to Log Service and creates a default audit report.

  • ack-advanced-audit: implements Container Behavior Auditing.

After you enable Container Behavior Auditing, a Logstore named advaudit-${cluster_id} is created in the project used by logtail-ds by default. The Logstore is used to store audit logs. The retention period of the audit logs is 180 days. For more information about how to modify the retention period, see Manage a logstore.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose Operations > Add-ons.

  3. On the Add-ons page, find the logtail-ds component under the Logs and Monitoring tab and the ack-advanced-audit component under the Security tab, then install these two components as prompted.

Step 2: View audit reports

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Security > Cluster Auditing.

  3. On the Audit page, click the Container Audit tab. Then, click the Container Audit Overview tab. You can view audit reports on the tab.

    • View the number of accesses to a pod and the pod information.

    • View the accounts that performed Kubernetes operations, the commands that were run in a pod, and the common high-risk operations (the report includes a list of high-risk operations).

Step 3: View detailed log data

You can use the following methods to view detailed log data:

  • View detailed log data on the audit report page. This method is suitable for checking the logs of an event.

  • Run query statements on the Logstore page. This method is suitable for checking historical data and events in complex scenarios.

View detailed log data on the audit report page

On the Container Audit Overview page, click the hyperlinks in the traceId and eventId columns in the High-risk Operations section.

  • Click the hyperlink in the traceId column to view the audit log of the commands that were run in a pod during each access.

  • Click the hyperlink in the eventId column to view the details about a command.

Run query statements on the Logstore page

On the Query Container Audit Logs page, you can run queries to view detailed log data.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Security > Cluster Auditing.

  3. On the Cluster Auditing page, click the Container Audit tab. Then, click the Query Container Audit Logs tab.

  4. Enter a query statement in the search box.

    • Query the audit log of a command that was run in a pod: Enter * and k8s.pod.namespace: <namespace> and k8s.pod.name: <pod_name>. Replace <namespace> with the namespace of the pod and <pod_name> with the name of the pod.

    • Query the audit log of an operation that was performed to run a program: Enter * and process.name: <name>. Replace <name> with the name of the program.

      For more information about how to query log data, see Query methods.

  5. Specify a time range for the query. Then, click Search & Analyze to view the query and analysis results.

(Optional) Step 4: Create alert rules based on audit logs

You can use the alerting feature provided by Log Service to generate alerts based on audit logs in real time. This helps you learn critical operation events in pods at the earliest opportunity. Available alert notification methods are DingTalk chatbots, custom webhooks, and Alibaba Cloud Message Center. For more information about other alerting methods, see Alerting.
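The following script is an added example, not part of this topic or of Alibaba Cloud's SDK: it emulates the two documented query shapes for the advaudit Logstore (namespace plus pod name, and process name) over constructed sample records and applies a Step 4 style threshold check. The exact-match evaluation here is a simplification of the Simple Log Service query engine, and the field names, sample records, and threshold value are assumptions for illustration.

```python
"""Offline emulation of the audit-log queries documented for the
advaudit-${cluster_id} Logstore, plus a simple alert threshold.
Added example; not Alibaba Cloud code. Field names follow the ones
the topic uses; the records and the threshold are constructed."""

# Constructed sample audit records (not real cluster output).
SAMPLE_LOGS = [
    {"k8s.pod.namespace": "default", "k8s.pod.name": "web-0", "process.name": "bash", "traceId": "t1"},
    {"k8s.pod.namespace": "default", "k8s.pod.name": "web-0", "process.name": "cat", "traceId": "t1"},
    {"k8s.pod.namespace": "kube-system", "k8s.pod.name": "dns-0", "process.name": "sh", "traceId": "t2"},
    {"k8s.pod.namespace": "default", "k8s.pod.name": "web-1", "process.name": "bash", "traceId": "t3"},
]


def build_query(filters):
    """Build the documented form: '* and <field>: <value> and ...'."""
    return " and ".join(["*"] + [f"{k}: {v}" for k, v in filters.items()])


def parse_query(query):
    """Parse that form back into a dict; a bare '*' means no filter."""
    filters = {}
    for term in query.split(" and "):
        term = term.strip()
        if term == "*":
            continue
        field, _, value = term.partition(":")
        filters[field.strip()] = value.strip()
    return filters


def run_query(query, records):
    """Return the records that satisfy every 'field: value' term.
    Simplified exact match; the real SLS engine also supports
    full-text and tokenized matching, which is not modelled here."""
    filters = parse_query(query)
    return [r for r in records if all(r.get(f) == v for f, v in filters.items())]


def alert_on_process(records, process, threshold):
    """Step 4 style rule: count the distinct traceIds (pod access sessions)
    in which a given program was run and fire when the count reaches the
    threshold. Returns (fired, session_count)."""
    hits = run_query(build_query({"process.name": process}), records)
    sessions = {r["traceId"] for r in hits}
    return len(sessions) >= threshold, len(sessions)


if __name__ == "__main__":
    q = build_query({"k8s.pod.namespace": "default", "k8s.pod.name": "web-0"})
    print(q, "->", [r["process.name"] for r in run_query(q, SAMPLE_LOGS)])
    print("bash alert:", alert_on_process(SAMPLE_LOGS, "bash", threshold=2))
```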

Disable Container Behavior Auditing

You can uninstall ack-advanced-audit to disable Container Behavior Auditing.

Important

This operation does not delete the automatically created Logstore named advaudit-${cluster_id}. You need to log on to the Log Service console and manually delete it. For more information, see Delete a logstore.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose Operations > Add-ons.

  3. On the Add-ons page, click the Logs and Monitoring tab, find the ack-advanced-audit component, then click Uninstall in the lower-right part of the card and uninstall the component as prompted.

References