Overview 🔗︎
The Banzai Cloud Pipeline ecosystem collects various audit logs from different sources to give insight when and what happened in the system.
Pipeline audit logs 🔗︎
The components and services that the Banzai Cloud Pipeline platform is made up interact with the Pipeline backend through its REST API. Each endpoint of the REST API is being audited to help answer the questions of “who did what, where, and when?” within Pipeline.
Pipeline supports sending audit logs to its internal database (default) and to the standard output.
What is audited 🔗︎
Pipeline collects the following information about the audited events:
- timestamp
- user ID
- client ip
- resource ID
- HTTP request/response details
- error details
Enable or disable audit logging 🔗︎
By default, Pipeline audit logging is enabled, and Pipeline collects the audit logs into its internal database. You can enable or disable audit logging by modifying the auditlog section in your values.yaml file:
pipeline:
configuration:
auditlog:
enabled: true
If you enable audit logging, make sure to enable sending audit logs to the internal database, to the standard output, or both.
Send audit logs to database 🔗︎
By default, Pipeline sends audit log entries into the audit_events
table in the database. These entries include every field of the audit log, and cannot be customized. You can enable or disable logging to the database by modifying the auditlog section in your values.yaml file.
Note: If you disable sending logs to the database, we strongly recommend setting up an alternative logging flow using the standard output.
pipeline:
configuration:
auditlog:
enabled: true
driver:
database:
enabled: true
Send audit logs to standard output 🔗︎
You can configure Pipeline to send the audit logs to the standard output, so you can collect them with your regular logging tools (for example, Logging operator or One Eye. This is especially useful if you want to forward these logs to third-party tools.
pipeline:
configuration:
auditlog:
enabled: true
driver:
log:
enabled: true
You can customize the content of the audit logs sent to the standard output using the following methods:
-
Specify the verbosity of the logs.
pipeline: configuration: auditlog: enabled: true driver: log: enabled: true verbosity: 2
-
Explicitly set which fields you want to include in the audit logs. You can use the following fields:
field verbosity level timestamp 1 correlationID 1 userID 1 http.method 2 http.path 2 http.clientIP 2 http.userAgent 3 http.statusCode 3 http.responseTime 3 http.responseSize 3 http.requestBody 4 http.errors 4 For example, the following snippet includes only the specified fields into the audit log:
pipeline: configuration: auditlog: enabled: true driver: log: enabled: true fields: - timestamp - userID - http.method - http.path - http.clientIP - http.userAgent - http.statusCode - http.errors
Note: If you set both the verbosity and fields options, the fields option takes precedence.
Exclude sensitive information 🔗︎
Sensitive information such as user-provided secrets and authentication tokens are filtered out from the audit log entry to keep them secure.
PKE audit logs 🔗︎
Kubernetes auditing provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system.
What is audited 🔗︎
It allows a cluster administrator to answer the following questions:
- What happened?
- When did it happen?
- Who initiated it?
- On what did it happen?
- Where was it observed?
- From where was it initiated?
- Where was it going to?
Enable or disable audit logging 🔗︎
PKE audit logging is enabled by default.
To disable audit logs, pass the --with-audit-log=false
flag to PKE during the installation.
All Kube-apiserver audit events are written to /var/log/audit/apiserver/apiserver.log
.