Kubernetes Audit Logs Integration
Overview
Kubernetes audit logs record all requests to the API server, providing visibility into cluster operations and security events. KYRA MDR collects Kubernetes audit logs for monitoring RBAC changes, workload deployments, and security policy violations. Supports Kubernetes 1.24+.
Prerequisites
- A KYRA MDR Collector installed and running
- Kubernetes cluster with administrative access
- API server audit logging enabled
- Network connectivity from the cluster to the collector
Configuration
Configure Kubernetes API server audit logging:
- Create an audit policy file:

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  - level: Metadata
    resources:
      - group: ""
        resources: ["pods", "services"]
  - level: Request
    omitStages: ["RequestReceived"]
```

- Configure the API server with the audit webhook flags:

```
--audit-policy-file=/etc/kubernetes/audit-policy.yaml
--audit-webhook-config-file=/etc/kubernetes/audit-webhook.yaml
```

- Create the webhook configuration pointing to the KYRA MDR collector
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| API Requests | All API server requests | Unauthorized access detection |
| RBAC Changes | Role and binding modifications | Privilege escalation detection |
| Secrets Access | Secret read and write events | Sensitive data monitoring |
| Pod Operations | Pod creation, deletion, exec | Container security monitoring |
| Namespace | Namespace lifecycle events | Isolation boundary monitoring |
| Network Policy | Network policy changes | Network segmentation auditing |
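As an added example (not part of this page or the KYRA MDR product), the script below parses a constructed batch in the audit.k8s.io/v1 EventList format that the API server posts to the webhook and maps each event to the log types in the table. It counts only the ResponseComplete stage: the policy above drops RequestReceived only for the catch-all Request rule, so secrets and RBAC requests arrive twice and would otherwise be double-counted.

```python
import json

# Constructed sample of one audit webhook batch (audit.k8s.io/v1 EventList),
# reduced to the fields the rules below read. Not real cluster output.
SAMPLE_BATCH = json.dumps({"kind": "EventList", "apiVersion": "audit.k8s.io/v1", "items": [
    {"auditID": "a1", "stage": "ResponseComplete", "verb": "get",
     "user": {"username": "system:serviceaccount:dev:app"},
     "objectRef": {"resource": "secrets", "namespace": "dev", "name": "db-creds"}},
    {"auditID": "a2", "stage": "ResponseComplete", "verb": "create", "user": {"username": "alice"},
     "objectRef": {"resource": "clusterrolebindings", "apiGroup": "rbac.authorization.k8s.io",
                   "name": "ops-admin"}},
    {"auditID": "a3", "stage": "ResponseComplete", "verb": "create", "user": {"username": "bob"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "web-0"}},
    {"auditID": "a4", "stage": "ResponseComplete", "verb": "list", "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "dev"}},
    # Same request as a1 at an earlier stage; must not produce a second finding.
    {"auditID": "a1", "stage": "RequestReceived", "verb": "get",
     "user": {"username": "system:serviceaccount:dev:app"},
     "objectRef": {"resource": "secrets", "namespace": "dev", "name": "db-creds"}},
]})

RBAC_GROUP = "rbac.authorization.k8s.io"
WRITE_VERBS = {"create", "update", "patch", "delete"}


def classify(event):
    """Return the log type from the table that this event belongs to, or None."""
    if event.get("stage") != "ResponseComplete":
        return None  # RequestReceived/ResponseStarted duplicate a finished request
    ref = event.get("objectRef") or {}
    verb = event.get("verb")
    if ref.get("apiGroup") == RBAC_GROUP and verb in WRITE_VERBS:
        return "RBAC Changes"
    if ref.get("resource") == "secrets":
        return "Secrets Access"
    if ref.get("resource") == "pods" and ref.get("subresource") == "exec":
        return "Pod Operations"
    return None


def triage(batch_json):
    """Parse an EventList batch into (auditID, log type, user, verb, target) tuples."""
    findings = []
    for ev in json.loads(batch_json).get("items", []):
        log_type = classify(ev)
        if log_type is None:
            continue
        ref = ev.get("objectRef", {})
        target = f"{ref.get('namespace', 'cluster')}/{ref.get('resource')}/{ref.get('name', '*')}"
        findings.append((ev["auditID"], log_type, ev["user"]["username"], ev["verb"], target))
    return findings
```

Running `triage(SAMPLE_BATCH)` yields three findings (secret read, cluster role binding created, pod exec); the plain pod list and the duplicate RequestReceived event are dropped.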
Troubleshooting
No audit logs: Verify the audit policy file is correctly referenced by the API server.
High volume: Use the audit policy to filter events by level (None, Metadata, Request, RequestResponse).
Managed clusters: For EKS, GKE, or AKS, audit logging is configured through the cloud provider’s console.
Contact kyra@seekerslab.com for support.