
Why isn't the request body showing up in the Kubernetes API server audit log?


I have added the following command-line arguments to kube-apiserver to enable audit logging:

- --audit-log-path=/tmp/k8s-audit.log
- --audit-policy-file=/etc/kubernetes/audit.yaml
- --audit-log-maxage=1
- --audit-log-maxsize=100
- --audit-log-maxbackup=1

The contents of /etc/kubernetes/audit.yaml are:

apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - "ResponseStarted"
  - "ResponseComplete"
rules:
  - level: RequestResponse

I have run a command with verbose logging, so that I can see the request body:

$ kubectl --v=10 uncordon cluster-worker2

And the kubectl command logs the request body as follows:

I0328 09:00:07.591869   47228 request.go:942] Request Body: {"spec":{"unschedulable":null}}

But I don't see this request body anywhere in the audit log file on the Kubernetes server. What's wrong with my configuration?


Solution

  • The request is actually only logged in the ResponseComplete stage, somewhat unexpectedly. Even though Kubernetes could theoretically log the request as soon as it receives it, it doesn't.

    So it's necessary to remove the ResponseComplete line from the omitStages in the policy configuration file (audit.yaml).
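
A way to confirm the effect on an actual audit log, added here as an example and not part of the original answer: the script below counts, per stage, how many audit events carry a requestObject, and models omitStages as a filter over the log. The sample events and the helper names (parse_events, apply_omit_stages, body_coverage, request_bodies) are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: the two audit.k8s.io/v1 events a RequestResponse rule can emit
# for the PATCH behind `kubectl uncordon cluster-worker2`, plus a truncated last line.
_BASE = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
         "auditID": "constructed-0001", "verb": "patch",
         "requestURI": "/api/v1/nodes/cluster-worker2",
         "objectRef": {"resource": "nodes", "name": "cluster-worker2"}}
SAMPLE_LOG = "\n".join([
    json.dumps({**_BASE, "stage": "RequestReceived"}),
    json.dumps({**_BASE, "stage": "ResponseComplete", "responseStatus": {"code": 200},
                "requestObject": {"spec": {"unschedulable": None}}}),
    '{"kind": "Event", "stage": "Respon',
])

def parse_events(text):
    """Yield audit events from a JSON-lines log, skipping blank or partial lines."""
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. a line cut short by log rotation
        if isinstance(event, dict) and event.get("kind") == "Event":
            yield event

def apply_omit_stages(text, omit_stages):
    """Model the policy's omitStages: drop events whose stage is listed."""
    return [e for e in parse_events(text) if e.get("stage") not in omit_stages]

def body_coverage(events):
    """Return {stage: (events_seen, events_carrying_requestObject)}."""
    stats = defaultdict(lambda: [0, 0])
    for e in events:
        stats[e.get("stage", "unknown")][0] += 1
        stats[e.get("stage", "unknown")][1] += "requestObject" in e
    return {stage: tuple(counts) for stage, counts in stats.items()}

def request_bodies(events, resource, name):
    """Return (stage, requestObject) for events on one object that carry a body."""
    return [(e["stage"], e["requestObject"]) for e in events
            if "requestObject" in e
            and e.get("objectRef", {}).get("resource") == resource
            and e.get("objectRef", {}).get("name") == name]

if __name__ == "__main__":
    for omit in ({"ResponseStarted", "ResponseComplete"}, {"ResponseStarted"}):
        kept = apply_omit_stages(SAMPLE_LOG, omit)
        print(sorted(omit), body_coverage(kept), request_bodies(kept, "nodes", "cluster-worker2"))
```

Run against a real log by passing the file's contents in place of SAMPLE_LOG; a stage whose second count is 0 never carries the body, so omitting every other stage leaves no request bodies in the log.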