Hi. I've posted before about some auditing items with Rancher, but this question is a little different (more generic kubernetes related). I'm having a hard time figuring out what user creates a deployment. I have auditing configured correctly on my RKE2 instance, it logs to the file specified, so this is good to go. I'm using the attached 'generic' audit-policy.yaml file (the one described on the main kubernetes site). I'm using kubectl to connect to the cluster, and ran: kubectl create deployment blarg777 --image=rancher/hello-world I searched the auditlog for the blarg777 entries, and see the container pulling/starting and all that, but I'm not seeing anything where I can identify WHO did that. Is that something I have misconfigured in the audit policy, or does kubernetes not know how to show that info in a useable way? Thanks for the help, and sorry for the long post.

No named user created that pod. the deployment controller did. You need to know how to track things back through the various controllers - in this case, find the log entry for the creation of the deployment itself.

That would be something on the rancher server audit logs?

you only created a deployment, so thats the only thing the audit logs will show your user doing

Do you (Rancher, that is) have a recommended audit-policy.yaml?

I’m not sure. I’m an RKE2/K3s dev, I don’t get in too deep with the audit stuff on a regular basis - and it looks like your policy has a bunch of different stuff in it already. Was that copy-pasted from an example somewhere, or was it set up like that on purpose?

That was from the kubernetes auditing page from kubernetes.io

yeah I think the configuration in there is just intended to show you what you can do with the audit config. I would probably sit down and figure out what you want/need to audit and at what level.

Ok. I'll spend some time and set all of the logs to go, just to see what gets reported on a specific event I'm looking for and try to narrow it down from there. Ultimately I just want to know who's doing stuff, but unfortunately k8s didn't make it super easy to see that.