
Azure AKS audit logs are available through Azure Event Hubs. Use the k8saudit-aks Falco plugin.

Before you begin

  • Falco built with the k8saudit-aks and json plugins.
  • AKS cluster.

Procedure

  1. Create the Azure resources.
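    # Variables — replace every "${...}" placeholder with your own value before running.
    RESOURCE_GROUP="${your resource group name}"
    LOCATION="${your aks cluster location}" # example: eastus
    AKS_CLUSTER_NAME="${your aks cluster name}"
    EVENTHUB_NAMESPACE="${your event hub namespace}"
    EVENTHUB_NAME="${your event hub name}"
    STORAGE_ACCOUNT="${your storage account}"
    BLOB_CONTAINER="${your blob container}"
    # Name of a dedicated Listen-only authorization rule for the log consumer
    # (any name you choose; this one is just an example).
    EVENTHUB_LISTEN_RULE="falco-listen"

    # Create Event Hub Namespace
    az eventhubs namespace create \
      --name "$EVENTHUB_NAMESPACE" \
      --resource-group "$RESOURCE_GROUP" \
      --location "$LOCATION" \
      --sku Standard

    # Create Event Hub
    az eventhubs eventhub create \
      --name "$EVENTHUB_NAME" \
      --namespace-name "$EVENTHUB_NAMESPACE" \
      --resource-group "$RESOURCE_GROUP" \
      --partition-count 2

    # Enable AKS Diagnostic Settings.
    # The diagnostic setting only needs an authorization rule that can Send into
    # the namespace; the built-in RootManageSharedAccessKey rule is referenced by
    # resource ID here, its key never leaves Azure.
    AKS_RESOURCE_ID=$(az aks show \
      --name "$AKS_CLUSTER_NAME" \
      --resource-group "$RESOURCE_GROUP" \
      --query id -o tsv)
    EVENTHUB_AUTH_RULE_ID=$(az eventhubs namespace authorization-rule show \
      --resource-group "$RESOURCE_GROUP" \
      --namespace-name "$EVENTHUB_NAMESPACE" \
      --name "RootManageSharedAccessKey" \
      --query "id" --output tsv)

    az monitor diagnostic-settings create \
      --name "aks-audit-logs-diagnostics" \
      --resource "$AKS_RESOURCE_ID" \
      --event-hub-rule "$EVENTHUB_AUTH_RULE_ID" \
      --logs '[{"category": "kube-audit", "enabled": true}]'

    # Create Storage Account for checkpoints
    az storage account create \
      --name "$STORAGE_ACCOUNT" \
      --resource-group "$RESOURCE_GROUP" \
      --location "$LOCATION" \
      --sku Standard_LRS

    az storage container create \
      --name "$BLOB_CONTAINER" \
      --account-name "$STORAGE_ACCOUNT"

    # Create a Listen-only authorization rule for the consumer. The connection
    # string that ends up in overrides.yaml only has to *read* audit events, so
    # it should not carry the Manage/Send rights of RootManageSharedAccessKey.
    az eventhubs namespace authorization-rule create \
      --resource-group "$RESOURCE_GROUP" \
      --namespace-name "$EVENTHUB_NAMESPACE" \
      --name "$EVENTHUB_LISTEN_RULE" \
      --rights Listen

    # Get connection strings. Both values are secrets: keep them out of shell
    # history and CI logs, and keep the resulting overrides.yaml out of version control.
    EVENTHUB_CONNECTION_STRING=$(az eventhubs namespace authorization-rule keys list \
      --resource-group "$RESOURCE_GROUP" \
      --namespace-name "$EVENTHUB_NAMESPACE" \
      --name "$EVENTHUB_LISTEN_RULE" \
      --query primaryConnectionString -o tsv)

    BLOB_CONNECTION_STRING=$(az storage account show-connection-string \
      --name "$STORAGE_ACCOUNT" \
      --resource-group "$RESOURCE_GROUP" \
      --query connectionString -o tsv)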
  2. Update the overrides.yaml to enable audit log collection.
    visionOne:
        bootstrapToken: ...
        endpoint: ...
        exclusion:
            namespaces: [kube-system]
        ...
    auditLogCollection:
        enabled: true
        provider: aks
        aks:
            # Both connection strings below are secrets (they embed access keys);
            # keep this file out of version control and restrict who can read it.
            # The consumer only reads from the hub, so a connection string from a
            # Listen-only authorization rule should suffice — confirm with the plugin docs.
            eventHubConnectionString: "${event hub connection string from step 1}"
            eventHubName: "${event hub name from step 1}"
            blobStorageConnectionString: "${blob storage connection string from step 1}"
            blobStorageContainerName: "${blob storage container name from step 1}"