Project author: theJaxon

Project description:
Project made for collecting and filtering Kubernetes audit policy logs using various tools
Project address: git://github.com/theJaxon/Audit-K.git
Created: 2021-01-09T15:09:37Z
Project community: https://github.com/theJaxon/Audit-K


Audit-K

Project made for collecting and filtering Kubernetes audit policy logs using various tools

K8s
FluentBit
ElasticSearch
Kibana

Enabling audit logs in Kubernetes:

  • By default no audit logs are stored in the cluster; to enable them, the kube-apiserver manifest at /etc/kubernetes/manifests/kube-apiserver.yaml has to be modified.
  • There are 2 types of audit backends:
    1. Log backend (which I'll be using)
    2. Webhook backend

```
# Create the policy file containing the levels needed to be logged at each stage
vi /etc/kubernetes/audit.yml
# Make a directory to store the logs
mkdir -pv /etc/kubernetes/audit
# Modify the kube-apiserver configuration
vi /etc/kubernetes/manifests/kube-apiserver.yaml
    - --audit-policy-file=/etc/kubernetes/audit.yml
    - --audit-log-path=/etc/kubernetes/audit/audit.log
    - --audit-log-maxage=5     # Max number of days to keep old logs
    - --audit-log-maxsize=5    # Max size of the log file in megabytes
    - --audit-log-maxbackup=5  # Max number of log files to be kept
# Define audit log volumes
  volumes:
  - name: audit-policy-v
    hostPath:
      path: /etc/kubernetes/audit.yml
      type: File
  - name: audit-log-v
    hostPath:
      path: /etc/kubernetes/audit/audit.log
      type: FileOrCreate
# Mount the volumes
    volumeMounts:
    - name: audit-policy-v
      mountPath: /etc/kubernetes/audit.yml
    - name: audit-log-v
      mountPath: /etc/kubernetes/audit/audit.log
```
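The steps above refer to the policy file at /etc/kubernetes/audit.yml without showing one. The following is an added example policy, not taken from the Audit-K repository; the API groups, resource names and system user names are standard Kubernetes ones, while the choice of which level to assign each rule is an assumption about what is worth keeping.

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# RequestReceived duplicates what ResponseComplete already carries.
omitStages:
  - "RequestReceived"
# Rules are evaluated in order and the first match wins, so the rule that
# keeps secret access visible sits above the noise filters.
rules:
  # Record who touched secrets and tokens, but never the request body:
  # a Request/RequestResponse level here would copy secret data into the log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
      - group: "authentication.k8s.io"
        resources: ["tokenreviews"]
  # Full request and response for changes to workloads and RBAC, which is
  # what an incident responder needs to reconstruct what was done.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["pods", "pods/exec", "pods/attach", "serviceaccounts"]
      - group: "apps"
        resources: ["deployments", "daemonsets", "statefulsets"]
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  # Read-only traffic from control-plane components and kubelets is high
  # volume and low value; drop it (secrets are already handled above).
  - level: None
    users: ["system:kube-proxy", "system:kube-scheduler", "system:kube-controller-manager"]
    verbs: ["get", "list", "watch"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get", "list", "watch"]
    resources:
      - group: ""
        resources: ["nodes", "pods", "endpoints", "services"]
  # Health, version and discovery endpoints are noise.
  - level: None
    nonResourceURLs: ["/healthz*", "/readyz*", "/livez*", "/version", "/openapi/*"]
  # Everything else keeps its metadata so nothing is silently dropped.
  - level: Metadata
```

Because the first matching rule wins, moving the `system:nodes` rule above the secrets rule would silently hide secret reads made with node credentials, so the order is part of the policy.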

1. Audit Logs using EFK:

FluentBit configuration:

FluentBit is installed on the Kubernetes cluster following the guide:

```bash
# Assumes k is an alias for kubectl and $do expands to "--dry-run=client -o yaml"
# (neither is defined in this README)
# Create logging namespace
k create ns logging $do > ns.yml
# Create FluentBit ServiceAccount in the logging namespace
k create sa fluent-bit -n logging $do > sa.yml
# Create ClusterRole with reading privileges
k create clusterrole fluent-bit-read --resource=ns,po --verb=get,list,watch $do > cluster-role.yml
# Bind the service account with the cluster role
k create clusterrolebinding fluent-bit-read --serviceaccount=logging:fluent-bit --clusterrole=fluent-bit-read $do > cluster-role-binding.yml
# Create the ConfigMap that will be used by the DaemonSet
k apply -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/output/elasticsearch/fluent-bit-configmap.yaml
# The ConfigMap is modified so that it reads the audit log file
  input-kubernetes.conf: |
    [INPUT]
        Name    tail
        Tag     kube.*
        Path    /etc/kubernetes/audit/*.log
# Apply the FluentBit to ElasticSearch DaemonSet
# https://docs.fluentbit.io/manual/installation/kubernetes#fluent-bit-to-elasticsearch
k apply -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/output/elasticsearch/fluent-bit-ds.yaml
```

Applying all these steps from the FluentBit directory:

```
k apply -f FluentBit/
namespace/logging created
serviceaccount/fluent-bit created
clusterrole.rbac.authorization.k8s.io/fluent-bit-read created
clusterrolebinding.rbac.authorization.k8s.io/fluent-bit-read created
configmap/fluent-bit-config created
daemonset.apps/fluent-bit created
```

ElasticSearch Configuration:

```yaml
# A ConfigMap is created containing the elasticsearch.yml config file to be placed in the config directory
k create configmap elasticsearch --from-file=elasticsearch.yml -n logging
# In the ElasticSearch deployment the file is placed in /usr/share/elasticsearch/config
spec:
  volumes:
  - name: elasticsearch-v
    configMap:
      name: elasticsearch
  containers:
  - image: docker.elastic.co/elasticsearch/elasticsearch:7.5.2
    name: elasticsearch
    ports:
    - containerPort: 9200
      name: elasticsearch
    volumeMounts:
    - name: elasticsearch-v
      mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
      subPath: elasticsearch.yml
```

Configuring Kibana to work with ElasticSearch:

In the Kibana configuration, ElasticSearch is reached through Kubernetes service discovery (the DNS name of the `elasticsearch` Service in the same namespace) using:

```yaml
elasticsearch.hosts: ["http://elasticsearch:9200"]
```

```yaml
# Create Kibana config file
k create configmap kibana --from-file=kibana.yml -n logging
# Use the config file in the Kibana deployment
spec:
  volumes:
  - name: kibana-v
    configMap:
      name: kibana
  containers:
  - image: docker.elastic.co/kibana/kibana:7.5.2
    name: kibana
    ports:
    - containerPort: 5601
      name: kibana
    volumeMounts:
    - name: kibana-v
      mountPath: /usr/share/kibana/config/kibana.yml
      subPath: kibana.yml
```