# general
l
Attached is the log file json.
c
No named user created that pod. The deployment controller did. You need to know how to track things back through the various controllers - in this case, find the log entry for the creation of the deployment itself.
or rather, the deployment created a replicaset, and the replicaset created the pod
l
That would be something on the Rancher server audit logs?
c
you only created a deployment, so that's the only thing the audit logs will show your user doing
I think you might have to play with your audit log config to make sure that you’re including all the correct resources at the required stage and level
l
Do you (Rancher, that is) have a recommended audit-policy.yaml?
I'd hate to turn it 'all' on, but I can just to see if I can get the info out and whittle it down from there.
c
I’m not sure. I’m an RKE2/K3s dev, I don’t get in too deep with the audit stuff on a regular basis - and it looks like your policy has a bunch of different stuff in it already. Was that copy-pasted from an example somewhere, or was it set up like that on purpose?
l
That was from the Kubernetes auditing page from kubernetes.io
There's not a lot of great default examples of audit policies out there. A lot of sites just refer to the main site: https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/
c
yeah I think the configuration in there is just intended to show you what you can do with the audit config. I would probably sit down and figure out what you want/need to audit and at what level.
l
Ok. I'll spend some time and set all of the logs to go, just to see what gets reported on a specific event I'm looking for and try to narrow it down from there. Ultimately I just want to know who's doing stuff, but unfortunately k8s didn't make it super easy to see that.