Overview

The Banzai Cloud Pipeline ecosystem collects audit logs from different sources to give insight into what happened in the system and when.

Pipeline

The components and services that the Banzai Cloud Pipeline platform is made up of interact with the Pipeline backend through its REST API. Each endpoint of the REST API is audited to help answer the questions of “who did what, where, and when?” within Pipeline. Pipeline stores these audit log entries in the audit_events database table.

What is audited

The following information is tracked:

  • path of the endpoint (includes parameters)
  • timestamp
  • client IP
  • user agent
  • ID of the user who initiated the operation
  • headers
  • payload
  • method (HEAD/GET/POST/PUT/DELETE)
  • response time
  • response size
  • status code
  • error details

Sensitive information

Sensitive information such as user-provided secrets and authentication tokens is filtered out from the audit log entry to keep it secure. In addition, the audit.headers Pipeline configuration setting specifies the list of header fields to exclude from auditing. If it is not set, the secretId header field is filtered out by default.

Enable or disable audit logging

Pipeline audit logging is enabled by default.

Use the audit.enabled Pipeline configuration setting to enable/disable audit logging.

Exclude REST API endpoints

Use the audit.skippaths Pipeline configuration setting to exclude REST API endpoints from auditing.

Retention

The Pipeline audit log retention is defined by the data retention policy that is in effect for the database where the audit log is stored.

PKE

Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of activities that have affected the system, whether initiated by individual users, administrators, or other components of the system.

What is audited

It allows the cluster administrator to answer the following questions:

  • what happened?
  • when did it happen?
  • who initiated it?
  • on what did it happen?
  • where was it observed?
  • from where was it initiated?
  • to where was it going?

Enable or disable audit logging

PKE audit logging is enabled by default.

To disable audit logging, pass --with-audit-log=false to PKE at installation time. All kube-apiserver audit events are written to /var/log/audit/apiserver/apiserver.log.
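
The following is an added example, not part of the Pipeline or PKE documentation. It shows how the entries in apiserver.log can be reduced to the who/what/when/on what/from where questions listed above and filtered for denied requests. It assumes the file uses the kube-apiserver log backend's JSON-lines format (audit.k8s.io/v1 Event objects); the sample lines and the helper names (ev, summarize, parse_audit_log, denied) are constructed for illustration.

```python
import json

def ev(**fields):
    # Build one constructed audit.k8s.io/v1 Event line (sample data, not real logs).
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", **fields})

SAMPLE_LOG = "\n".join([
    ev(stage="RequestReceived", verb="get", requestURI="/api/v1/namespaces/demo/secrets/db-creds",
       user={"username": "system:serviceaccount:demo:builder"}, sourceIPs=["10.0.0.12"],
       requestReceivedTimestamp="2020-03-01T10:00:00.000000Z"),
    ev(stage="ResponseComplete", verb="get", requestURI="/api/v1/namespaces/demo/secrets/db-creds",
       user={"username": "system:serviceaccount:demo:builder"}, sourceIPs=["10.0.0.12"],
       objectRef={"resource": "secrets", "namespace": "demo", "name": "db-creds"},
       responseStatus={"code": 403}, requestReceivedTimestamp="2020-03-01T10:00:00.000000Z"),
    ev(stage="ResponseComplete", verb="create", requestURI="/apis/apps/v1/namespaces/demo/deployments",
       user={"username": "admin@example.com"}, sourceIPs=["192.0.2.10"],
       objectRef={"resource": "deployments", "namespace": "demo", "name": "web"},
       responseStatus={"code": 201}, requestReceivedTimestamp="2020-03-01T10:01:00.000000Z"),
    ev(stage="ResponseComplete", verb="get", requestURI="/healthz",
       user={"username": "system:anonymous"}, sourceIPs=["10.0.0.1"],
       responseStatus={"code": 200}, requestReceivedTimestamp="2020-03-01T10:02:00.000000Z"),
    '{"kind":"Event","stage":"ResponseComplete","verb":"del',  # truncated write
])

def summarize(event):
    # Map one audit event onto the questions an administrator asks of the log.
    ref = event.get("objectRef") or {}
    target = "/".join(p for p in (ref.get("namespace"), ref.get("resource"), ref.get("name")) if p)
    return {
        "when": event.get("requestReceivedTimestamp"),
        "who": (event.get("user") or {}).get("username"),
        "what": event.get("verb"),
        "status": (event.get("responseStatus") or {}).get("code"),
        "on_what": target or event.get("requestURI"),  # non-resource URLs have no objectRef
        "from_where": event.get("sourceIPs") or [],
    }

def parse_audit_log(text):
    # Return (records, skipped); only ResponseComplete is kept so each request counts once.
    records, skipped = [], 0
    for line in filter(None, (l.strip() for l in text.splitlines())):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # partially written or corrupted line
            continue
        if isinstance(event, dict) and event.get("stage") == "ResponseComplete":
            records.append(summarize(event))
    return records, skipped

def denied(records):
    # Requests the API server rejected as unauthenticated or unauthorized.
    return [r for r in records if r["status"] in (401, 403)]
```

A non-zero skipped count is worth alerting on separately, since unparseable lines are events the review did not see.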