Linux Foundation Exam CKS Topic 1 Question 32 Discussion

Actual exam question for Linux Foundation's CKS exam

Question #: 32
Topic #: 1

[All CKS Questions]

Enable audit logs in the cluster, To Do so, enable the log backend, and ensure that

1. logs are stored at /var/log/kubernetes-logs.txt.

2. Log files are retained for 12 days.

3. at maximum, a number of 8 old audit logs files are retained.

4. set the maximum size before getting rotated to 200MB

Edit and extend the basic policy to log:

1. namespaces changes at RequestResponse

2. Log the request body of secrets changes in the namespace kube-system.

3. Log all other resources in core and extensions at the Request level.

4. Log "pods/portforward", "services/proxy" at Metadata level.

5. Omit the Stage RequestReceived

All other requests at the Metadata level

AExplanation:
Kubernetes auditing provides a security-relevant chronological set of records about a cluster. Kube-apiserver performs auditing. Each request on each stage of its execution generates an event, which is then pre-processed according to a certain policy and written to a backend. The policy determines what's recorded and the backends persist the records.
You might want to configure the audit log as part of compliance with the CIS (Center for Internet Security) Kubernetes Benchmark controls.
The audit log can be enabled by default using the following configuration incluster.yml:
services:
kube-api:
audit_log:
enabled: true
When the audit log is enabled, you should be able to see the default values at/etc/kubernetes/audit-policy.yaml
The log backend writes audit events to a file inJSONlinesformat. You can configure the log audit backend using the followingkube-apiserverflags:
--audit-log-pathspecifies the log file path that log backend uses to write audit events. Not specifying this flag disables log backend.-means standard out
--audit-log-maxagedefined the maximum number of days to retain old audit log files
--audit-log-maxbackupdefines the maximum number of audit log files to retain
--audit-log-maxsizedefines the maximum size in megabytes of the audit log file before it gets rotated
If your cluster's control plane runs the kube-apiserver as a Pod, remember to mount thehostPathto the location of the policy file and log file, so that audit records are persisted. For example:
--audit-policy-file=/etc/kubernetes/audit-policy.yaml \
--audit-log-path=/var/log/audit.log

Show Suggested Answer

Suggested Answer: A

by Hoa at Feb 03, 2023, 08:11 AM

Limited Time Offer

25%

Off

Get Premium CKS Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

1 months ago

This is a well-thought-out question. The details around the CIS Kubernetes Benchmark and the ability to configure the audit log backend are a nice touch.

upvoted 0 times

Phung

7 days ago

We need to make sure the log files are stored at /var/log/kubernetes-logs.txt.

upvoted 0 times

...

Malinda

20 days ago

Yes, it helps track all the requests and events happening in the cluster.

upvoted 0 times

...

Nikita

29 days ago

I think enabling audit logs in the cluster is crucial for security.

upvoted 0 times

...

2 months ago

Enabling audit logs in the cluster is crucial for security and compliance. The instructions provided cover the key aspects well, like log file path, retention period, and rotation settings.

upvoted 0 times