#general

loud-daybreak-83328

11/14/2022, 5:08 PM
Hi. I've posted before about some auditing items with Rancher, but this question is a little different (more generic Kubernetes related). I'm having a hard time figuring out what user creates a deployment. I have auditing configured correctly on my RKE2 instance, it logs to the file specified, so this is good to go. I'm using the attached 'generic' audit-policy.yaml file (the one described on the main Kubernetes site). I'm using kubectl to connect to the cluster, and ran:
kubectl create deployment blarg777 --image=rancher/hello-world
I searched the audit log for the blarg777 entries, and see the container pulling/starting and all that, but I'm not seeing anything where I can identify WHO did that. Is that something I have misconfigured in the audit policy, or does Kubernetes not know how to show that info in a usable way? Thanks for the help, and sorry for the long post.
Attached is the log file json.

creamy-pencil-82913

11/14/2022, 6:34 PM
No named user created that pod. The deployment controller did. You need to know how to track things back through the various controllers - in this case, find the log entry for the creation of the deployment itself.
Or rather, the deployment created a replicaset, and the replicaset created the pod.

loud-daybreak-83328

11/14/2022, 6:35 PM
That would be something on the Rancher server audit logs?

creamy-pencil-82913

11/14/2022, 6:35 PM
You only created a deployment, so that's the only thing the audit logs will show your user doing.
I think you might have to play with your audit log config to make sure that you’re including all the correct resources at the required stage and level.

loud-daybreak-83328

11/14/2022, 6:38 PM
Do you (Rancher, that is) have a recommended audit-policy.yaml?
I'd hate to turn it 'all' on, but I can just to see if I can get the info out and whittle it down from there.

creamy-pencil-82913

11/14/2022, 6:39 PM
I’m not sure. I’m an RKE2/K3s dev, I don’t get in too deep with the audit stuff on a regular basis - and it looks like your policy has a bunch of different stuff in it already. Was that copy-pasted from an example somewhere, or was it set up like that on purpose?

loud-daybreak-83328

11/14/2022, 6:40 PM
That was from the Kubernetes auditing page from kubernetes.io.
There's not a lot of great default examples of audit policies out there. A lot of sites just refer to the main site: https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/

creamy-pencil-82913

11/14/2022, 6:44 PM
Yeah, I think the configuration in there is just intended to show you what you can do with the audit config. I would probably sit down and figure out what you want/need to audit and at what level.

loud-daybreak-83328

11/14/2022, 6:46 PM
Ok. I'll spend some time and set all of the logs to go, just to see what gets reported on a specific event I'm looking for and try to narrow it down from there. Ultimately I just want to know who's doing stuff, but unfortunately k8s didn't make it super easy to see that.