Using K8s Audit Logs to Secure Your Cluster
Talk Title | Using K8s Audit Logs to Secure Your Cluster |
Speakers | Mark Stemm (Senior Software Engineer, Sysdig) |
Conference | KubeCon + CloudNativeCon Europe |
Location | Barcelona, Spain |
Date | May 19-23, 2019 |
URL | Talk Page |
Slides | Talk Slides |
K8s Audit Logs are a new feature in K8s 1.11/1.13 which allow an operator to see a stream of events from the API server that show the changes being made to your cluster. In this talk, we’ll describe how auditing works and how to get it working for popular K8s variants. Then we’ll dive into specific security-oriented use cases, showing how you can use audit logs to enforce security best practices, detect misuse, and fill the gap between what you think the cluster is running and what’s actually running. Some specific use cases we’ll discuss include misuse of configmaps to hold sensitive data, overly loose permissions on pods/services, and abuse of cluster role bindings that grant too many (or the wrong) permissions. Attendees should come away able to enable K8s Audit Support in their cluster and knowing what to look for in their audit logs to ensure that their cluster is secure.