This topic describes audit logging in Tanzu Kubernetes Grid (TKG).
In Tanzu Kubernetes Grid, you can access the following audit logs:
- Kubernetes audit logs. See Kubernetes Audit Logs below.
- auditd. See System Audit Logs for Nodes below.

Kubernetes Audit Logs

Kubernetes audit logs record requests to the Kubernetes API server.
Audit logs are enabled by default for the Supervisor and the workload clusters that it deploys. To enable Kubernetes auditing on a standalone management cluster or a workload cluster it deploys, set the ENABLE_AUDIT_LOGGING variable to true before you deploy the cluster.
Important: Enabling Kubernetes auditing can result in very high log volumes. To handle this quantity, VMware recommends using a log forwarder such as Fluent Bit. For instructions, see Install Fluent Bit for Log Forwarding.
You can control what the audit logs include by passing audit policy files to kube-apiserver, as explained below.
By default, audit log entries for a cluster are written to the following location on its control plane nodes:
- Standalone management cluster and its workload clusters: /var/log/kubernetes/audit.log
- Supervisor: /var/log/vmware/audit/kube-apiserver.log
- Supervisor-deployed workload clusters: /var/log/kubernetes/kube-apiserver.log
You can customize these locations by setting --audit-log-path in the audit log configuration.
If you deploy Fluent Bit on the cluster, it will forward the logs to your log destination.
To exert fine-grained control over what is being logged, you can create audit policy files and pass them to the kube-apiserver with the --audit-policy-file flag.
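The following is an added example, not code from the TKG documentation or from the Kubernetes project. It shows how kube-apiserver applies an audit policy: the rules are evaluated in order, the first rule that matches a request decides its level (None, Metadata, Request or RequestResponse), an empty selector matches everything, and a request that no rule matches is not logged at all. POLICY is a hypothetical policy written as Python dicts with the same keys as the YAML you would place in an audit-policy.yaml file; the Request class and the sample requests are constructed for the demo. It also lints the policy for the two mistakes that silently change coverage: a mistyped level, and a catch-all rule that is not last.

```python
"""Evaluate which audit level a Kubernetes audit policy assigns to an API request.

Added example, not TKG or Kubernetes project code. POLICY is a hypothetical audit.k8s.io/v1
policy written as Python dicts with the same keys as the YAML passed to kube-apiserver with
--audit-policy-file. Matching follows the documented semantics: the first matching rule wins,
an empty selector matches everything, and a request no rule matches is not logged.
"""
from dataclasses import dataclass

POLICY = {"rules": [  # hypothetical policy: most specific rules first, catch-all last
    # Never record bodies of credential-bearing objects, whether read or written.
    {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets", "configmaps"]},
                                        {"group": "authentication.k8s.io", "resources": ["tokenreviews"]}]},
    # Drop probe and metrics traffic entirely.
    {"level": "None", "nonResourceURLs": ["/healthz*", "/readyz*", "/livez*", "/metrics", "/version"]},
    # Interactive access into containers: keep the full exchange.
    {"level": "RequestResponse",
     "resources": [{"group": "", "resources": ["pods/exec", "pods/attach", "pods/portforward"]}]},
    # Any other mutation: request and response bodies.
    {"level": "RequestResponse", "verbs": ["create", "update", "patch", "delete", "deletecollection"]},
    # Everything else: metadata only, skipping the RequestReceived stage to cut volume.
    {"level": "Metadata", "omitStages": ["RequestReceived"]},
]}


@dataclass(frozen=True)
class Request:
    """The request attributes kube-apiserver matches policy rules against (constructed)."""
    user: str
    verb: str
    groups: tuple = ()
    api_group: str = ""    # "" is the core API group
    resource: str = ""     # empty for non-resource requests such as /healthz
    subresource: str = ""  # e.g. "exec" for pods/exec
    namespace: str = ""    # "" for cluster-scoped objects
    path: str = ""         # only used for non-resource requests


def _matches_resource(rule, req):
    if not req.resource:
        return False
    if rule.get("namespaces") and req.namespace not in rule["namespaces"]:
        return False
    if not rule.get("resources"):
        return True
    combined = f"{req.resource}/{req.subresource}" if req.subresource else req.resource
    for gr in rule["resources"]:
        if gr.get("group", "") != req.api_group:
            continue
        if not gr.get("resources"):
            return True  # the whole API group
        for res in gr["resources"]:
            # "pods" does not match "pods/log": subresources must be named, as in RBAC.
            if res in (combined, "*") or (req.subresource and res == f"*/{req.subresource}"):
                return True
            if res.endswith("/*") and res[:-2] == req.resource:
                return True
    return False


def _matches_non_resource(rule, req):
    if req.resource:
        return False
    return any(req.path == spec or (spec.endswith("*") and req.path.startswith(spec[:-1]))
               for spec in rule["nonResourceURLs"])


def rule_matches(rule, req):
    if rule.get("users") and req.user not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(req.groups):
        return False
    if rule.get("verbs") and req.verb not in rule["verbs"]:
        return False
    if rule.get("namespaces") or rule.get("resources"):
        return _matches_resource(rule, req)
    if rule.get("nonResourceURLs"):
        return _matches_non_resource(rule, req)
    return True  # no selectors at all: a catch-all


def audit_level(policy, req):
    """(level, omitted stages) from the first matching rule; ("None", ...) when nothing matches."""
    omitted = set(policy.get("omitStages", []))
    for rule in policy["rules"]:
        if rule_matches(rule, req):
            return rule["level"], omitted | set(rule.get("omitStages", []))
    return "None", omitted


def lint_policy(policy):
    """Flag invalid levels and a catch-all rule that is not last (it shadows every rule after it)."""
    selectors = ("users", "userGroups", "verbs", "namespaces", "resources", "nonResourceURLs")
    rules, problems = policy["rules"], []
    for i, rule in enumerate(rules):
        if rule.get("level") not in ("None", "Metadata", "Request", "RequestResponse"):
            problems.append(f"rule {i}: invalid level {rule.get('level')!r}")
        if not any(rule.get(s) for s in selectors) and i != len(rules) - 1:
            problems.append(f"rule {i}: catch-all shadows {len(rules) - i - 1} later rule(s)")
    return problems


if __name__ == "__main__":
    print("lint:", lint_policy(POLICY) or "ok")
    for req in (Request("alice", "update", resource="secrets", namespace="prod"),
                Request("alice", "get", resource="pods", subresource="log", namespace="dev")):
        print(req.verb, req.resource, req.subresource, "->", audit_level(POLICY, req))
```

Note that the secrets rule comes before the write rule, so an update to a Secret is recorded at Metadata level and its body never reaches the log, while a kubectl exec is recorded in full. Keep the catch-all last; if it moves up, every rule after it is dead. To check what a running cluster actually enforces, compare this against the file named by --audit-policy-file in the kube-apiserver settings on a control plane node.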
The audit log configuration for a cluster, including the audit log location, is in the following locations:
- Standalone management cluster and its workload clusters: /etc/kubernetes/audit-policy.yaml on control plane nodes, and ~/.config/tanzu/tkg/providers/ytt/03_customizations/audit-logging/audit_logging.yaml on your bootstrap machine.
- Supervisor and its workload clusters: kube-apiserver settings in /etc/kubernetes/manifest/kube-apiserver.yaml on control plane nodes. For example:
Supervisor:
- kube-apiserver
[...]
- --audit-log-maxage=30
- --audit-log-maxbackup=10
- --audit-log-maxsize=100
- --audit-log-path=/var/log/vmware/audit/kube-apiserver.log
- --audit-policy-file=/etc/vmware/wcp/audit-policy.yaml
Workload cluster:
- kube-apiserver
[...]
- --audit-log-maxage=30
- --audit-log-maxbackup=10
- --audit-log-maxsize=100
- --audit-log-path=/var/log/kubernetes/kube-apiserver.log
- --audit-policy-file=/etc/kubernetes/extra-config/audit-policy.yaml
System Audit Logs for Nodes

When you deploy a standalone management or workload cluster, auditd is enabled on the cluster by default. You can access your system audit logs on each node in the cluster at /var/log/audit/audit.log.
If you deploy Fluent Bit on the cluster, it will forward these audit logs to your log destination. For instructions, see Install Fluent Bit for Log Forwarding.