Skip to content

kube-audit-admin#

Cost Optimization · Azure Kubernetes Service · Rule · 2024_09 · Important

Use kube-audit-admin instead of kube-audit to capture administrative actions in AKS clusters.

Description#

Key components in a Kubernetes cluster regularly scan or check for updated Kubernetes resources against the API server. These get and list operations typically occur more frequently as a Kubernetes cluster grows.

Auditing within AKS writes log events for each operation that occur against the API server. As a result, collecting audit logs for get and list operations of a production AKS cluster can increase cost exponentially.

AKS provides two log categories for collecting audit logs, kube-audit and kube-audit-admin.

  • kube-audit - Audit log data for every audit event including get, list, create, update, delete, patch, and post.
  • kube-audit-admin - Is a subset of the kube-audit log category that excludes get and list_ audit events.

In other words, both kube-audit and kube-audit-admin contain the same data except kube-audit-admin does not contain get and list events. Changes to the cluster configuration are captured with create, update, delete, patch, and post events.

By using kube-audit-admin, changes to resources in AKS are audited, however events relating to reading resources and configuration are not. This significantly reduces the number of logs and overall cost for collecting and storing AKS audit events.

Recommendation#

Consider using kube-audit-admin logging instead of kube-audit when detailed logging of every API request is not required. This approach helps in managing log volume and associated costs while still capturing essential administrative actions.

Examples#

Configure with Azure template#

To deploy AKS clusters that pass this rule:

  • Deploy a diagnostic settings sub-resource.
  • Enable logging for the kube-audit-admin category and disable logging for the kube-audit category.

For example:

Azure Template snippet
{
  "type": "Microsoft.Insights/diagnosticSettings",
  "apiVersion": "2021-05-01-preview",
  "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]",
  "name": "[parameters('name')]",
  "properties": {
    "logs": [
      {
        "category": "kube-audit-admin",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      },
      {
        "category": "kube-audit",
        "enabled": false,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      }
    ],
    "workspaceId": "[parameters('workspaceId')]",
    "logAnalyticsDestinationType": "Dedicated"
  },
  "dependsOn": [
    "[resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName'))]"
  ]
}

Configure with Bicep#

To deploy AKS clusters that pass this rule:

  • Deploy a diagnostic settings sub-resource.
  • Enable logging for the kube-audit-admin category and disable logging for the kube-audit category.

For example:

Azure Bicep snippet
resource diagnosticSetting 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: name
  scope: aks
  properties: {
    logs: [
      {
        category: 'kube-audit-admin'
        enabled: true
        retentionPolicy: {
          days: 0
          enabled: false
        }
      }
      {
        category: 'kube-audit'
        enabled: false
        retentionPolicy: {
          days: 0
          enabled: false
        }
      }
    ]
    workspaceId: workspaceId
    logAnalyticsDestinationType: 'Dedicated'
  }
}

Comments