This topic describes audit logging in Tanzu Kubernetes Grid (TKG).
In Tanzu Kubernetes Grid, you can access the following audit logs:
- Kubernetes audit logs, described next.
- System audit logs from auditd. See System Audit Logs for Nodes below.

Kubernetes audit logs record requests to the Kubernetes API server. To enable Kubernetes auditing on a standalone management cluster or a workload cluster it deploys, set the ENABLE_AUDIT_LOGGING variable to true before you deploy the cluster.
Important: Enabling Kubernetes auditing can result in very high log volumes. To handle this quantity, VMware recommends using a log forwarder such as Fluent Bit. For instructions, see Install Fluent Bit for Log Forwarding.
You can control what the audit logs include by passing audit policy files to kube-apiserver, as explained below.
By default, audit log entries for a standalone management cluster and its workload clusters are written to /var/log/kubernetes/audit.log. You can customize this location by setting --audit-log-path in the audit log configuration. If you deploy Fluent Bit on the cluster, it forwards the logs to your log destination.
To exert fine-grained control over what is logged, create audit policy files and pass them to the kube-apiserver with the --audit-policy-file flag.
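To check what a policy keeps before you deploy it, the following added example (not from the TKG documentation or product; the policy and the sample requests are constructed) dry-runs a policy written in the --audit-policy-file structure against sample requests, applying the same first-matching-rule decision that kube-apiserver applies.

```python
import fnmatch

# Constructed policy in the audit.k8s.io/v1 Policy structure (not TKG's default).
POLICY = {
    "apiVersion": "audit.k8s.io/v1",
    "kind": "Policy",
    "omitStages": ["RequestReceived"],  # one event per request instead of two
    "rules": [
        # Drop health and metrics probes entirely; they dominate raw volume.
        {"level": "None", "nonResourceURLs": ["/healthz*", "/readyz*", "/metrics"]},
        # kube-proxy watching endpoints/services is constant, low-value noise.
        {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
         "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
        # Secrets: Metadata only, so secret values are never copied into the log.
        {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets"]}]},
        # RBAC changes: keep full request and response bodies for reconstruction.
        {"level": "RequestResponse", "verbs": ["create", "update", "patch", "delete"],
         "resources": [{"group": "rbac.authorization.k8s.io"}]},
        {"level": "Metadata"},  # everything else: who did what, without bodies
    ],
}

def _rule_matches(rule, req):
    # Every selector present on the rule must match the request's attributes.
    if "users" in rule and req["user"] not in rule["users"]:
        return False
    if "verbs" in rule and req["verb"] not in rule["verbs"]:
        return False
    if "namespaces" in rule and req.get("namespace") not in rule["namespaces"]:
        return False
    if "nonResourceURLs" in rule:  # matches only non-resource (URL) requests
        url = req.get("url")
        return url is not None and any(fnmatch.fnmatch(url, p) for p in rule["nonResourceURLs"])
    if "resources" in rule:  # matches only resource requests; no "resources" key = whole group
        return "resource" in req and any(
            r.get("group", "") == req.get("group", "")
            and (not r.get("resources") or req["resource"] in r["resources"])
            for r in rule["resources"])
    return True

def audit_level(req, policy=POLICY):
    """Level the first matching rule assigns to a request; 'None' means not logged."""
    for rule in policy["rules"]:
        if _rule_matches(rule, req):
            return rule["level"]
    return "None"

if __name__ == "__main__":  # constructed sample requests, as kube-apiserver would see them
    for req in ({"user": "system:kube-proxy", "verb": "get", "url": "/healthz"},
                {"user": "dev@example.com", "verb": "get", "group": "", "resource": "secrets", "namespace": "prod"},
                {"user": "dev@example.com", "verb": "create", "group": "rbac.authorization.k8s.io", "resource": "clusterrolebindings"}):
        print(audit_level(req), req)
```

Rule order matters: the catch-all Metadata rule must stay last, and any None rule placed after a more specific rule never fires for the requests that rule already claims.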
You can see the audit log configuration for a standalone management cluster and its workload clusters, including the audit log location, in the following locations:
- /etc/kubernetes/audit-policy.yaml on control plane nodes
- ~/.config/tanzu/tkg/providers/ytt/03_customizations/audit-logging/audit_logging.yaml on your bootstrap machine

When you deploy a standalone management or workload cluster, auditd is enabled on the cluster by default. You can access the system audit logs on each node in the cluster at /var/log/audit/audit.log. If you deploy Fluent Bit on the cluster, it forwards these audit logs to your log destination. For instructions, see Install Fluent Bit for Log Forwarding.