Easy Kubernetes audit log inspection with Vagrant

For a project that Marco and I have been working on, we have recently had a need to examine Kubernetes audit logs. In order to simplify and standardise the process of creating a small k8s environment that generates Kubernets audit logs, I have created a Vagrant box that:

  1. Sets up microk8s with audit logging configured
  2. Loads a custom audit policy
  3. Sets up Elasticsearch and Kibana to ship logs to
  4. Sets up Filebeat to watch the microk8s audit logs and ship them to Elastic
  5. Opens up port 5601 on localhost so that you can navigate to the logs in your browser on the host

There are more detailed instructions in the README for the repo linked above.

Marco has added some intelligent parsing of the logs, so that all the elements of the audit logs are neatly tagged for correlation and searching.

If you want to play around with different audit log policies, or create a small local Kubernetes environment with audit logging enabled, this should ‘just work’, and give you a nice view of the data you would receive using different audit policies.

Written by Feroz Salam on 31 May 2020