Views:

Enable Kubernetes audit log collection on a RKE1 cluster by creating the audit policy and webhook configuration files, configuring RKE1 to use them, and restarting the service.

Important
Important
  • RKE1 reaches end of life on July 31, 2025. Consider migrating to RKE2.
  • RKE1 runs kube-apiserver as a Docker container that uses external DNS rather than cluster CoreDNS. The audit collector must use hostNetwork: true.

Procedure

  1. Prepare the audit configuration files.
    Run the following commands to create the audit policy and webhook configuration:
    sudo mkdir -p /etc/kubernetes/audit

sudo tee /etc/kubernetes/audit/audit-policy.yaml << 'EOF'
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: Metadata
    verbs: ["create"]
    resources:
      - group: "authorization.k8s.io"
        resources: ["subjectaccessreviews", "selfsubjectaccessreviews", "localsubjectaccessreviews"]
  - level: RequestResponse
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  - level: Metadata
    verbs: ["create", "update", "delete"]
    resources:
      - group: ""
        resources: ["serviceaccounts"]
  - level: None
EOF

sudo tee /etc/kubernetes/audit/audit-webhook-config.yaml << 'EOF'
apiVersion: v1
kind: Config
clusters:
- name: audit-collector
  cluster:
    server: http://127.0.0.1:8030/k8s-audit
contexts:
- context:
    cluster: audit-collector
    user: ""
  name: default-context
current-context: default-context
preferences: {}
users: []
EOF
  2. Update cluster.yml with the audit configuration.
    services:
  kube-api:
    extra_args:
      audit-policy-file: /etc/kubernetes/audit/audit-policy.yaml
      audit-webhook-config-file: /etc/kubernetes/audit/audit-webhook-config.yaml
      audit-webhook-batch-max-size: "1"
    extra_binds:
      - "/etc/kubernetes/audit:/etc/kubernetes/audit:ro"
  3. Apply the changes.
    rke up --config cluster.yml
  4. Verify the configuration.
    # Check kube-apiserver container is running with audit flags
docker inspect $(docker ps -q -f name=kube-apiserver) | grep -i audit

# Check audit collector logs
kubectl logs -n trendmicro-system -l app.kubernetes.io/component=trendmicro-audit-log-collector --tail=20

# Restart api server if config is not applied
docker restart $(docker ps -q -f name=kube-apiserver)