kubernetes, audit, audit-logging, k3s, k3d

Enable/Configure audit-logs in k3s cluster (using k3d to set up cluster)


I am currently trying to enable and configure audit logs in a k3s cluster. Currently, I am using k3d to set up my k3s cluster. Is there a way to configure the audit logging?

I know you can pass k3s server args when creating a cluster with k3d. So, I tried it with this:

k3d cluster create test-cluster --k3s-server-arg '--kube-apiserver-arg=audit-log-path=/var/log/kubernetes/apiserver/audit.log' --k3s-server-arg '--kube-apiserver-arg=audit-policy-file=/etc/kubernetes/audit-policies/policy.yaml'

The obvious problem is that the audit policy does not yet exist on the cluster at that point. Thus it crashes when creating the cluster.

I also tried setting up the cluster using:

k3d cluster create test-cluster --k3s-server-arg '--kube-apiserver-arg=audit-log-path=/var/log/kubernetes/apiserver/audit.log'

Then I SSHed onto the master node and created the policy file in the wanted dir, but I cannot find a way to set the cluster variable audit-log-path to this directory. And thus, the policies will not apply.

Doing this with minikube is quite simple (since it is also documented), but I couldn't get it to work with k3d. There is also nothing regarding this in the docs. But I am sure there has to be a way to configure audit logs on k3s without using a third-party app like Falco.

Does anyone have an idea of how to solve the problem? Or want to share some experiences doing something similar?


Solution

  • I used the following command to create a cluster with audit log functionality. I used volumes to provide the policy file to the cluster. I think it requires both the audit-policy-file and audit-log-path variables to be set.

    k3d cluster create test-cluster \
      --k3s-arg '--kube-apiserver-arg=audit-policy-file=/var/lib/rancher/k3s/server/manifests/audit.yaml@server:*' \
      --k3s-arg '--kube-apiserver-arg=audit-log-path=/var/log/kubernetes/audit/audit.log@server:*' \
      --volume "$(pwd)/audit/audit.yaml:/var/lib/rancher/k3s/server/manifests/audit.yaml"
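
The answer mounts `audit/audit.yaml` but does not show the file. As an added example (not part of the original answer), the script below writes a small sample policy and refuses to create the cluster unless the mounted source is a real audit Policy file, since a missing policy is what crashed the first attempt in the question. The function names and the policy rules are assumptions; the k3d flags and paths are the answer's.

```shell
#!/bin/sh
# Added example; function names are hypothetical, policy content is a constructed sample.

# Write a minimal audit policy to <dir>/audit.yaml.
write_audit_policy() {
  mkdir -p "$1" || return 1
  cat > "$1/audit.yaml" <<'EOF'
apiVersion: audit.k8s.io/v1
kind: Policy
# Drop the RequestReceived stage so each request is not logged twice.
omitStages:
  - "RequestReceived"
rules:
  # Secrets and ConfigMaps: log who accessed them, never the payload.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Request bodies for changes to RBAC objects.
  - level: Request
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "rbac.authorization.k8s.io"
  # Catch-all: metadata for everything else.
  - level: Metadata
EOF
}

# Pass only if the policy is a readable, non-empty regular file that declares
# an audit.k8s.io Policy. A missing path or a directory fails here instead of
# leaving the API server without a policy it can read.
preflight_policy() {
  [ -f "$1" ] && [ -r "$1" ] && [ -s "$1" ] || { echo "policy missing or not a file: $1" >&2; return 1; }
  grep -q '^apiVersion: audit\.k8s\.io/' "$1" || { echo "not an audit.k8s.io document: $1" >&2; return 1; }
  grep -q '^kind: Policy' "$1" || { echo "kind is not Policy: $1" >&2; return 1; }
}

# Create the cluster with the answer's flags, only after the check passes.
create_cluster() {
  preflight_policy "$2" || return 1
  policy_abs="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
  k3d cluster create "$1" \
    --k3s-arg '--kube-apiserver-arg=audit-policy-file=/var/lib/rancher/k3s/server/manifests/audit.yaml@server:*' \
    --k3s-arg '--kube-apiserver-arg=audit-log-path=/var/log/kubernetes/audit/audit.log@server:*' \
    --volume "$policy_abs:/var/lib/rancher/k3s/server/manifests/audit.yaml"
}
# Usage: write_audit_policy ./audit && create_cluster test-cluster ./audit/audit.yaml
```

k3s also scans `/var/lib/rancher/k3s/server/manifests` for manifests to auto-deploy, so a separate directory is a cleaner mount target if you change the paths.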