Channels
extensions
rancher-extensions
supermicro-sixsq
ozt
os
one-point-x
rio
onlinemeetup
v16-v21-migration
events
onlinetraining
training-1220
training-0110
training-0124
k3s-contributor
submariner
storage
k3os
windows
ci-cd
theranchcast
rfed_ara
nederlands
ukranian
danish
training-0131
masterclass
training-0207
training-0214
terraform-controller
epinio
phillydotnet
swarm
rancher-wrangler
deutsch
russian
chinese
mesos
français
japanese
arm
longhorn-dev
terraform-provider-rke
service-mesh
azure
gcp
academy
random
elemental
espanol
lima
harvester-dev
portugues
kubernetes
kim
hypper
kubewarden
opni
logging
neuvector-security
rancher-setup
developer
office-hours
mexico
cabpr
rke
vsphere
longhorn-storage
k3s
k3d
terraform-provider-rancher2
fleet
amazon
harvester
rke2
s3gw
hobbyfarm
rancher-desktop
general
Title
l
loud-daybreak-83328
11/14/2022, 5:08 PMHi. I've posted before about some auditing items with Rancher, but this question is a little different (more generic kubernetes related). I'm having a hard time figuring out what user creates a deployment.
I have auditing configured correctly on my RKE2 instance, it logs to the file specified, so this is good to go. I'm using the attached 'generic' audit-policy.yaml file (the one described on the main kubernetes site).
I'm using kubectl to connect to the cluster, and ran: kubectl create deployment blarg777 --image=rancher/hello-world
I searched the auditlog for the blarg777 entries, and see the container pulling/starting and all that, but I'm not seeing anything where I can identify WHO did that. Is that something I have misconfigured in the audit policy, or does kubernetes not know how to show that info in a useable way? Thanks for the help, and sorry for the long post.
Attached is the log file json.
c
creamy-pencil-82913
11/14/2022, 6:34 PMNo named user created that pod. the deployment controller did. You need to know how to track things back through the various controllers - in this case, find the log entry for the creation of the deployment itself.
or rather, the deployment created a replicaset, and the replicaset created the pod
l
loud-daybreak-83328
11/14/2022, 6:35 PMThat would be something on the rancher server audit logs?
c
creamy-pencil-82913
11/14/2022, 6:35 PMyou only created a deployment, so thats the only thing the audit logs will show your user doing
I think you might have to play with your audit log config to make sure that you’re including all the correct resources at the required stage and level
l
loud-daybreak-83328
11/14/2022, 6:38 PMDo you (Rancher, that is) have a recommended audit-policy.yaml?
I'd hate to turn it 'all' on, but I can just to see if I can get the info out and whittle it down from there.
c
creamy-pencil-82913
11/14/2022, 6:39 PMI’m not sure. I’m an RKE2/K3s dev, I don’t get in too deep with the audit stuff on a regular basis - and it looks like your policy has a bunch of different stuff in it already. Was that copy-pasted from an example somewhere, or was it set up like that on purpose?
l
loud-daybreak-83328
11/14/2022, 6:40 PMThat was from the kubernetes auditing page from kubernetes.io
There's not a lot of great default examples of audit policies out there. A lot of sites just refer to the main site: https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/
c
creamy-pencil-82913
11/14/2022, 6:44 PMyeah I think the configuration in there is just intended to show you what you can do with the audit config. I would probably sit down and figure out what you want/need to audit and at what level.
l
loud-daybreak-83328
11/14/2022, 6:46 PMOk. I'll spend some time and set all of the logs to go, just to see what gets reported on a specific event I'm looking for and try to narrow it down from there. Ultimately I just want to know who's doing stuff, but unfortunately k8s didn't make it super easy to see that.