Audit Policy

Enabling audit policy for minikube

Overview

Auditing is not enabled in minikube by default. This tutorial shows how to provide an Audit Policy file to the minikube API server on startup.

Tutorial

minikube stop

mkdir -p ~/.minikube/files/etc/ssl/certs

cat <<EOF > ~/.minikube/files/etc/ssl/certs/audit-policy.yaml
# Log all requests at the Metadata level.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
EOF

minikube start \
  --extra-config=apiserver.audit-policy-file=/etc/ssl/certs/audit-policy.yaml \
  --extra-config=apiserver.audit-log-path=-

kubectl logs kube-apiserver-minikube -n kube-system | grep audit.k8s.io/v1

The Audit Policy used in this tutorial is very minimal but quite verbose: its single rule logs every request to the API server at the Metadata level, and because audit-log-path is set to "-", the records go to the API server's stdout, i.e. into the container log that kubectl logs reads. As a next step you might want to fine-tune the audit-policy.yaml file. To get the changes applied you need to stop and start minikube. Restarting minikube triggers the file sync mechanism that copies the yaml file onto the minikube node, and the freshly started API server reads the changed policy file.
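As an added example (not part of the original tutorial), here is one way the policy could be fine-tuned. Rules are evaluated top to bottom and the first match wins, so the rules that cap the level for sensitive resources and the rules that drop noise come before the catch-all. The resource and user names below are the standard Kubernetes ones; which of them are worth silencing in your cluster is an assumption you should check against your own log volume.

```yaml
# Drop-in replacement for ~/.minikube/files/etc/ssl/certs/audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage for every rule; each request is still
# recorded once at ResponseComplete (or Panic), which halves the volume.
omitStages:
  - RequestReceived
rules:
  # Never log request or response bodies for resources that carry credentials:
  # at RequestResponse level the audit log itself would contain the secret values.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
      - group: "authentication.k8s.io"
        resources: ["tokenreviews"]

  # Drop the constant, low-value traffic from in-cluster components
  # (kube-proxy watching endpoints, kubelets polling their own node object).
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services", "services/status"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: ""
        resources: ["nodes", "nodes/status"]

  # Health and version probes are not worth an audit record.
  - level: None
    nonResourceURLs:
      - "/healthz*"
      - "/readyz*"
      - "/livez*"
      - "/version"

  # Record the full bodies of RBAC changes so that a privilege change can be
  # reconstructed later (who granted which role to whom).
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete", "deletecollection"]
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]

  # Everything else: metadata only (user, verb, resource, response code).
  - level: Metadata
```

After minikube stop and minikube start with the same --extra-config flags as above, the API server log should contain events whose "level" field is "RequestResponse" only for RBAC writes, and none at all for the probe URLs listed under nonResourceURLs.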

Note: Currently there is no dedicated directory to store the audit-policy.yaml file in ~/.minikube/. Using the ~/.minikube/files/etc/ssl/certs directory is a workaround! This workaround works like this: by putting the file into a sub-directory of ~/.minikube/files/, the file sync mechanism gets triggered and copies the audit-policy.yaml file from the host onto the minikube node. When the API server container gets started by kubeadm, it mounts the /etc/ssl/certs directory from the minikube node into the container. This is the reason why the audit-policy.yaml file has to be stored in the ssl certs directory: it's one of the directories that get mounted from the minikube node into the container, so the path given in apiserver.audit-policy-file is the same on the node and inside the container.

Last modified April 4, 2020: Change directory case (4593ac355)