Kubernetes auditing
The Kubernetes audit log is where you track what is happening in your cluster from an API perspective. It's in JSON format, which makes reading it directly more difficult, but makes it much easier to parse using tools such as Elasticsearch. In Chapter 10, Auditing Using Falco, DevOps AI, and ECK, we will cover how to create a full logging system using the Elasticsearch, Fluentd, and Kibana (EFK) stack.
Creating an audit policy
A policy file is used to control what events are recorded and where to store the logs, which can be a standard log file or a webhook. We have included an example audit policy in the chapter6
directory of the GitHub repository, and we will apply it to the KinD cluster that we have been using throughout the book.
An audit policy is a collection of rules that tell the API server which API calls to log and how. When Kubernetes parses the policy file, all rules are applied in order and only the initial matching policy event will...