K8s Security Pro
#10 Audit & Monitoring starter

Audit Policy

A comprehensive 16-rule Kubernetes API server audit policy covering secrets access, RBAC changes, exec/attach, authentication, and workload modifications.

CIS Benchmark
1.2.18, 3.2.1, 3.2.2
MITRE ATT&CK
T1070, T1552.007, T1078.004, T1609

Overview

This template provides a production-grade audit policy with 16 rules that define what the Kubernetes API server logs. It balances security coverage against log volume by assigning an audit level (None, Metadata, Request, RequestResponse) per resource type. The API server evaluates rules in order and applies the first one that matches a request, so the noise-reduction rule comes first and any catch-all rule belongs last; rule order is part of the policy's security properties, not just its layout.

Security threat addressed: Without audit logging, you cannot detect unauthorized access, investigate breaches, or satisfy compliance requirements. Attackers operate undetected and forensic analysis is impossible.

When to use: Deploy this on every control-plane node where kube-apiserver runs. Managed control planes (EKS, GKE, AKS) do not accept a custom policy file, so use the provider's audit-log settings there instead. Customize the noise-reduction rules for your environment and connect the output to a SIEM (Splunk, ELK, Datadog).

Threat Model

  • Breach detection: Full logging of secrets access, RBAC changes, and exec commands gives a SIEM the events it needs to flag attack patterns as they happen.
  • Forensic capability: RequestResponse-level logging for critical resources records request and response bodies for incident investigation. For secrets this means the secret data itself lands in the audit log, so the log file and its shipping path need the same protection as the secrets.
  • Compliance satisfaction: The CIS Benchmark requires audit logging with appropriate retention and coverage of key security concerns.
  • Insider threat detection: Authentication and authorization event logging surfaces unusual access patterns by otherwise legitimate identities.

MITRE ATT&CK:

  • T1070 — Indicator Removal: Attackers clear or tamper with logs to hide their activity. Ship audit events off the control-plane node to a SIEM as they are written, so that a gap in the stream is itself a signal.
  • T1552.007 — Unsecured Credentials: Container API: Logging all secrets access detects unauthorized credential reads through the Kubernetes API.
  • T1078.004 — Valid Accounts: Cloud Accounts: RBAC change logging detects a compromised identity granting itself or others additional privilege.
  • T1609 — Container Administration Command: Exec/attach logging catches interactive shell access to pods.

Real-world scenario: An attacker obtains a developer's kubeconfig and starts reading secrets across namespaces. The policy records every secrets request, successful or denied, with the requesting user, source IP and target namespace, and a SIEM correlation rule (one principal touching secrets in several namespaces within a short window) raises the alert that starts incident response.
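The correlation described in the scenario, run over audit events, as an added example (this is not part of the k8s-security-pro template or of any SIEM product). It reads kube-apiserver audit events one JSON object per line, counts the namespaces in which each principal touches secrets, and also reports RBAC writes and exec/attach sessions. The sample events are constructed for the example but use the field layout kube-apiserver actually emits; `EXPECTED_SECRET_READERS` and `SWEEP_NAMESPACES` are assumed tuning values.

```python
"""Detection pass over kube-apiserver audit events (one JSON object per line).

Added example, not part of the k8s-security-pro template or a SIEM product.
Three rules, mirroring what the policy logs:
  * secret-sweep: one principal touching secrets in SWEEP_NAMESPACES or more
    namespaces, or listing them cluster-wide (the stolen-kubeconfig pattern);
  * rbac-write: any successful create/update/patch/delete of an RBAC object;
  * pod-exec: any exec or attach into a pod.
"""
import json
from collections import defaultdict

SWEEP_NAMESPACES = 3                                           # assumed threshold
EXPECTED_SECRET_READERS = {"system:kube-controller-manager"}   # assumed allowlist
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
RBAC = "rbac.authorization.k8s.io"


def _event(user, verb, resource, namespace="", name="", subresource="",
           code=200, group="", stage="ResponseComplete"):
    """Build one audit event line shaped like kube-apiserver's output (constructed)."""
    ref = {"resource": resource, "apiVersion": "v1"}
    if group:
        ref["apiGroup"] = group
    if namespace:
        ref["namespace"] = namespace
    if name:
        ref["name"] = name
    if subresource:
        ref["subresource"] = subresource
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
        "stage": stage, "verb": verb, "sourceIPs": ["203.0.113.7"],
        "user": {"username": user, "groups": ["system:authenticated"]},
        "objectRef": ref, "responseStatus": {"code": code},
    }, separators=(",", ":"))


# Constructed sample log: a developer identity sweeping secrets, escalating
# through RBAC and opening a shell, plus benign noise from others.
SAMPLE_LOG = "\n".join([
    _event("dev-alice", "get", "secrets", "prod", "db-creds"),
    _event("dev-alice", "get", "secrets", "payments", "stripe-key"),
    _event("dev-alice", "list", "secrets", "kube-system", code=403),   # denied, still counts
    _event("dev-alice", "watch", "secrets", "ops", stage="ResponseStarted"),  # not final stage
    _event("system:kube-controller-manager", "get", "secrets", "kube-system", "bootstrap-token-abc"),
    _event("dev-alice", "create", "clusterrolebindings", name="alice-admin", group=RBAC, code=201),
    _event("dev-alice", "create", "pods", "prod", "web-0", subresource="exec", code=101),
    _event("dev-bob", "get", "secrets", "dev", "app-config"),
    _event("dev-bob", "get", "secrets", "staging", "app-config", code=403),
])


def detect(log_text):
    """Return (rule, principal, detail) alerts for the JSONL audit text."""
    alerts = []
    secret_namespaces = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Each request is logged once per stage; ResponseComplete carries the
        # final status code, so count only that stage to avoid double counting.
        if ev.get("stage") != "ResponseComplete":
            continue
        user = ev["user"]["username"]
        ref = ev.get("objectRef") or {}
        res, sub = ref.get("resource"), ref.get("subresource", "")
        code = ev.get("responseStatus", {}).get("code", 0)
        if res == "secrets" and user not in EXPECTED_SECRET_READERS:
            # A cluster-wide list/watch has no namespace: record it as "*".
            secret_namespaces[user].add(ref.get("namespace", "*"))
        if res in RBAC_RESOURCES and ev["verb"] in WRITE_VERBS and code < 300:
            alerts.append(("rbac-write", user, f"{ev['verb']} {res}/{ref.get('name')}"))
        if res == "pods" and sub in ("exec", "attach"):
            # A successful exec shows up as an HTTP 101 protocol upgrade, not a 200.
            alerts.append(("pod-exec", user,
                           f"{sub} {ref.get('namespace')}/{ref.get('name')} (HTTP {code})"))
    for user, namespaces in secret_namespaces.items():
        if "*" in namespaces or len(namespaces) >= SWEEP_NAMESPACES:
            alerts.append(("secret-sweep", user, f"secrets touched in {sorted(namespaces)}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"ALERT {rule:13} {user:12} {detail}")
```

Denied secrets reads (HTTP 403) are counted toward the sweep on purpose: an attacker enumerating namespaces with a low-privilege kubeconfig produces mostly denials, and those are the earliest signal. The controller manager is skipped only because it is on the allowlist; extend that set with the service accounts that legitimately read secrets in your cluster, never with human users.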

YAML Source

apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
  name: k8s-security-audit-policy
  labels:
    app.kubernetes.io/name: k8s-security
    app.kubernetes.io/part-of: k8s-security-pro
    app.kubernetes.io/managed-by: k8s-security-pro
omitStages:
  - "RequestReceived"
rules:
  # RULE 1: Skip noisy, non-sensitive endpoints. A nonResourceURLs rule only
  # ever matches non-resource requests, so health, discovery and OpenAPI paths
  # are dropped while resource requests under /api and /apis are unaffected.
  # A trailing "*" is a prefix match, not a single path segment.
  - level: None
    nonResourceURLs:
      - "/healthz*"
      - "/readyz*"
      - "/livez*"
      - "/openapi/*"
      - "/api/v1"
      - "/api"
      - "/apis"
      - "/apis/*"
  # RULE 2: Secrets -- full request+response logging (CRITICAL)
  # RequestResponse captures request and response bodies, so every secret
  # read writes the secret's data into the audit log. Protect the log file and
  # its shipping path as strictly as the secrets themselves, or lower this
  # rule to Metadata if that is not possible.
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["secrets"]
  # RULE 3: RBAC changes -- full logging (CRITICAL)
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
# ... truncated -- get full 16-rule policy at k8s-security.pro/pricing

Get the complete template with all 16 rules covering exec/attach, token requests, authentication, node operations, namespace lifecycle, workload changes, network policies, admission webhooks, and CRDs in the Starter tier.
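Because kube-apiserver applies the first rule that matches, the level a request actually gets depends on rule order and on exactly how a resource is named. The evaluator below is an added example (not the template's code and not kube-apiserver's own) that reimplements the matching semantics for the selectors used above, nonResourceURLs and resources (group plus resource or resource/subresource), over rules 1 to 3; the trailing Metadata catch-all is an assumption standing in for the 13 rules the page does not show.

```python
"""First-match evaluator for Kubernetes audit policy rules.

kube-apiserver walks the rule list top to bottom and uses the FIRST rule that
matches a request; an unmatched request is not logged at all.  Added
illustration (not the k8s-security-pro template's code, not kube-apiserver's)
of the matching semantics for the selectors used on this page:
nonResourceURLs and resources (group + resource[/subresource]).
"""
from dataclasses import dataclass
from typing import List, Optional

LEVELS = ("None", "Metadata", "Request", "RequestResponse")

# Rules 1-3 transcribed from the YAML above as plain dicts (no PyYAML needed).
# The closing Metadata catch-all is an ASSUMPTION standing in for the 13 rules
# the page does not show.
POLICY_RULES = [
    {"level": "None",
     "nonResourceURLs": ["/healthz*", "/readyz*", "/livez*", "/openapi/*",
                         "/api/v1", "/api", "/apis", "/apis/*"]},
    {"level": "RequestResponse",
     "resources": [{"group": "", "resources": ["secrets"]}]},
    {"level": "RequestResponse",
     "resources": [{"group": "rbac.authorization.k8s.io",
                    "resources": ["clusterroles", "clusterrolebindings",
                                  "roles", "rolebindings"]}]},
    {"level": "Metadata"},  # assumed catch-all, see comment above
]


@dataclass
class Request:
    """Request attributes that audit rule matching inspects."""
    verb: str
    path: str = ""               # non-resource requests only
    group: Optional[str] = None  # None marks a non-resource request
    resource: str = ""
    subresource: str = ""
    name: str = ""


def _path_matches(path: str, spec: str) -> bool:
    # Exact match, or prefix match when the spec ends in '*' (the only glob
    # audit policy supports: '/apis/*' is a prefix, not one path segment).
    return spec in ("*", path) or (spec.endswith("*") and path.startswith(spec.rstrip("*")))


def _resource_matches(rule: dict, req: Request) -> bool:
    if req.group is None:          # a resources rule never matches /healthz etc.
        return False
    combined = f"{req.resource}/{req.subresource}" if req.subresource else req.resource
    for gr in rule["resources"]:
        if gr.get("group", "") != req.group:
            continue
        if not gr.get("resources"):
            return True            # whole API group
        for res in gr["resources"]:
            if res in (combined, "*"):                             # "secrets", "pods/exec"
                return True
            if req.subresource and res == "*/" + req.subresource:  # "*/exec"
                return True
            if res.endswith("/*") and res[:-2] == req.resource:    # "pods/*"
                return True
    return False


def _rule_matches(rule: dict, req: Request) -> bool:
    if rule.get("verbs") and req.verb not in rule["verbs"]:
        return False
    if rule.get("resources"):
        return _resource_matches(rule, req)
    if rule.get("nonResourceURLs"):
        return req.group is None and any(_path_matches(req.path, s)
                                         for s in rule["nonResourceURLs"])
    return True  # no selector at all: matches everything


def audit_level(req: Request, rules: List[dict] = POLICY_RULES) -> str:
    """Level of the first matching rule; 'None' when nothing matches, which is
    also what kube-apiserver does for an unmatched request."""
    for rule in rules:
        if _rule_matches(rule, req):
            assert rule["level"] in LEVELS, rule
            return rule["level"]
    return "None"


if __name__ == "__main__":
    samples = [
        ("GET /healthz", Request("get", path="/healthz")),
        ("GET secret prod/db-creds", Request("get", group="", resource="secrets", name="db-creds")),
        ("CREATE clusterrolebinding", Request("create", group="rbac.authorization.k8s.io",
                                              resource="clusterrolebindings", name="x")),
        # Only an explicit "pods/exec" (or "*/exec") rule raises this one:
        # a plain "pods" rule never matches a subresource request.
        ("POST pods/exec", Request("create", group="", resource="pods", subresource="exec")),
    ]
    for label, req in samples:
        print(f"{label:26} -> {audit_level(req)}")
```

Two properties worth checking with it before you customise the template: moving the catch-all above rule 2 silently downgrades every secrets read to Metadata, and a rule that lists `pods` does not cover `pods/exec`, which is why exec/attach need their own rule naming the subresource.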

Installation

kubectl (API server configuration):

# Copy the policy file to every control plane node
scp 10_audit_policy_minimal.yaml <control-plane>:/etc/kubernetes/audit-policy.yaml

# Add API server flags:
# --audit-policy-file=/etc/kubernetes/audit-policy.yaml
# --audit-log-path=/var/log/kubernetes/audit.log
# --audit-log-maxage=30       # days to keep rotated files
# --audit-log-maxbackup=10    # number of rotated files to keep
# --audit-log-maxsize=100     # megabytes before the log is rotated
#
# On kubeadm clusters kube-apiserver is a static pod, so both paths must also
# be mounted into it as hostPath volumes in
# /etc/kubernetes/manifests/kube-apiserver.yaml (the policy file read-only).
# Without the mount the API server cannot read the policy and refuses to start.

Helm:

helm install k8s-security ./charts/k8s-security -f values-prod.yaml

Kustomize:

kubectl apply -k kustomize/overlays/prod

Verification

# Check that the API server was started with the audit flags. This works where
# kube-apiserver runs as a static pod (kubeadm-style clusters); managed control
# planes do not expose this pod.
kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath='{.items[*].spec.containers[*].command}' | tr ',' '\n' | grep audit

# Verify the audit log exists on the control plane node
ls -la /var/log/kubernetes/audit.log

# Recent audit events for secrets access (one JSON event per line)
grep '"secrets"' /var/log/kubernetes/audit.log | tail -5

# Verify exec events are being logged. The event records resource "pods" with
# a separate subresource field, so match on that; the string "pods/exec" never
# appears in the log.
grep '"subresource":"exec"' /var/log/kubernetes/audit.log | tail -5

CIS Benchmark References

  • 1.2.18 — Ensure that the --audit-log-path argument is set. This template provides the policy file that the companion --audit-policy-file flag points at; the log path itself is configured on the API server as shown above.
  • 3.2.1 — Ensure that a minimal audit policy is created. This template goes beyond the minimum with 16 rules.
  • 3.2.2 — Ensure that the audit policy covers key security concerns. The rules cover secrets, RBAC, exec, authentication, and the other critical resources listed above.

MITRE ATT&CK References

  • T1070 — Indicator Removal: Without audit logs, attackers operate undetected. This policy records every API request except the health, discovery and OpenAPI endpoints dropped by rule 1, and omits the RequestReceived stage to cut event volume without losing the final outcome of each request.
  • T1552.007 — Unsecured Credentials: Container API: Secrets access is logged at RequestResponse level to detect unauthorized reads.
  • T1078.004 — Valid Accounts: Cloud Accounts: RBAC modifications are fully logged to detect privilege escalation.
  • T1609 — Container Administration Command: Pod exec/attach/port-forward are logged at RequestResponse level in the full template.

Get Full Access to This Template

This template is included in the Starter tier and above.
