Without Kubernetes audit logging, there is no record of who accessed secrets, which pods were created, or when RBAC permissions were changed — post-incident forensics become guesswork (NIST 800-53 AU-2, AU-12). Adversaries routinely enumerate cluster resources, read secrets, and create privileged pods during an attack, then clean up their traces. Audit logs are the only evidence of these actions. CIS Kubernetes 3.2.1 mandates audit policy configuration. An audit policy that covers fewer than 3 event categories misses either authentication failures or RBAC denials — the two most actionable security signals in a cluster.
Medium because absent audit logs make post-incident forensics impossible, but the gap is detected during investigation rather than enabling direct data exfiltration.
Create an audit policy file at /etc/kubernetes/audit-policy.yaml and enable it on the API server. Minimum viable policy covering authentication, secret access, and RBAC (rules are evaluated in order; the first match wins):

apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived
rules:
  # Secret reads and writes with full request/response bodies
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["secrets"]
  # Every write to any resource (pod creation, RBAC changes, ...) at Metadata level
  - level: Metadata
    verbs: ["create", "delete", "update", "patch"]
  # Non-resource endpoints, where unauthenticated probes and discovery land
  - level: Metadata
    nonResourceURLs: ["/api*", "/version"]
  # Drop the high-volume kube-proxy traffic
  - level: None
    users: ["system:kube-proxy"]

Add to the kube-apiserver startup args: --audit-policy-file=/etc/kubernetes/audit-policy.yaml --audit-log-path=/var/log/kubernetes/audit.log --audit-log-maxage=30. Forward logs to your centralized logging system.
ID: infrastructure-hardening.monitoring-incident-response.audit-logging
Severity: medium
What to look for: Check Kubernetes API server configuration for an audit log policy file (typically at /etc/kubernetes/audit-policy.yaml or cloud provider equivalent). List all audit policy rules defined. Count the event types covered (authentication, authorization/RBAC denials, pod creation, secret access). Verify at minimum 3 of these event categories are captured.
Pass criteria: Kubernetes audit logging is enabled with an audit policy that captures at least metadata level for RequestReceived, ResponseStarted, and ResponseComplete stages. At minimum 3 event categories are covered: authentication attempts, API calls, and RBAC denials. Report even on pass: "Audit policy covers X event categories at Y logging level."
Fail criteria: Audit logging is not enabled, or the audit policy covers fewer than 3 event categories (missing RBAC denials or authentication events).
Skip (N/A) when: The project does not use Kubernetes.
Detail on fail: Quote the configuration gap. Example: "Kubernetes audit logging is not configured. kube-apiserver does not specify --audit-log-path or --audit-policy-file."
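The "What to look for" check above can be automated. The following is an added example for this control, not part of the original text or of any Kubernetes tooling: it takes the dict that yaml.safe_load() returns for an audit.k8s.io/v1 Policy, sends one probe request per event category through the API server's first-matching-rule semantics, and produces the pass/fail report the control asks for. The probe definitions, the approximation of "authentication" as an anonymous non-resource GET on /api, and the WEAK_POLICY comparison case are assumptions of the example.

```python
"""Coverage check for a Kubernetes audit policy (added example, not project code).

Operates on the dict form of an audit.k8s.io/v1 Policy and applies the
first-matching-rule evaluation kube-apiserver uses: an event takes the level
of the first rule that matches it, and an event matching no rule is dropped.
"""

LEVEL_RANK = {"None": 0, "Metadata": 1, "Request": 2, "RequestResponse": 3}

# One probe request per event category the control counts. The authentication
# probe is approximated as an anonymous non-resource GET on /api; this is an
# assumption of the example, chosen because failed/anonymous requests have no
# objectRef and are matched by nonResourceURLs or catch-all rules.
PROBES = {
    "authentication": {"user": "system:anonymous", "verb": "get", "nonResourceURL": "/api"},
    "secret access": {"user": "alice", "verb": "get", "group": "", "resource": "secrets"},
    "pod creation": {"user": "alice", "verb": "create", "group": "", "resource": "pods"},
    "rbac changes": {"user": "alice", "verb": "create",
                     "group": "rbac.authorization.k8s.io", "resource": "rolebindings"},
}

# Parsed form of the minimum viable policy from this control (constructed inline
# so the example runs without PyYAML; yaml.safe_load() yields the same shape).
MINIMAL_POLICY = {
    "apiVersion": "audit.k8s.io/v1", "kind": "Policy",
    "omitStages": ["RequestReceived"],
    "rules": [
        {"level": "RequestResponse", "resources": [{"group": "", "resources": ["secrets"]}]},
        {"level": "Metadata", "verbs": ["create", "delete", "update", "patch"]},
        {"level": "Metadata", "nonResourceURLs": ["/api*", "/version"]},
        {"level": "None", "users": ["system:kube-proxy"]},
    ],
}

# Constructed weak policy: records secret reads only, the kind of gap that fails.
WEAK_POLICY = {
    "apiVersion": "audit.k8s.io/v1", "kind": "Policy",
    "rules": [{"level": "Metadata", "resources": [{"group": "", "resources": ["secrets"]}]}],
}


def _glob_match(pattern, value):
    # nonResourceURLs support only a trailing '*' wildcard.
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def rule_matches(rule, probe):
    """True if this policy rule would select the probe request."""
    if "users" in rule and probe["user"] not in rule["users"]:
        return False
    if "verbs" in rule and probe["verb"] not in rule["verbs"]:
        return False
    if "nonResourceURL" in probe:
        if "resources" in rule:            # resource rules never match non-resource requests
            return False
        urls = rule.get("nonResourceURLs")
        return urls is None or any(_glob_match(u, probe["nonResourceURL"]) for u in urls)
    if "nonResourceURLs" in rule:          # and vice versa
        return False
    groups = rule.get("resources")
    if groups is None:                     # no resource selector: matches every resource
        return True
    for entry in groups:
        if entry.get("group", "") != probe["group"]:
            continue
        names = entry.get("resources")
        if names is None or probe["resource"] in names:
            return True
    return False


def effective_level(policy, probe):
    for rule in policy.get("rules", []):
        if rule_matches(rule, probe):
            return rule["level"]
    return "None"                          # no matching rule: event is not logged


def coverage(policy):
    return {name: effective_level(policy, probe) for name, probe in PROBES.items()}


def evaluate(policy, minimum_categories=3):
    levels = coverage(policy)
    covered = {k: v for k, v in levels.items() if LEVEL_RANK[v] > 0}
    weakest = min(covered.values(), key=LEVEL_RANK.get, default="None")
    verdict = "pass" if len(covered) >= minimum_categories else "fail"
    return {"verdict": verdict, "covered": sorted(covered),
            "missing": sorted(set(levels) - set(covered)), "weakest_level": weakest}


def report(policy, minimum_categories=3):
    """Render the one-line finding the control asks for, on pass and on fail."""
    r = evaluate(policy, minimum_categories)
    if r["verdict"] == "pass":
        return (f"Audit policy covers {len(r['covered'])} event categories "
                f"at {r['weakest_level']} logging level.")
    return (f"Audit policy covers only {len(r['covered'])} of {len(PROBES)} event "
            f"categories; missing: {', '.join(r['missing'])}.")


if __name__ == "__main__":
    print(report(MINIMAL_POLICY))
    print(report(WEAK_POLICY))
```

To run it against a real file, replace the inline dicts with `yaml.safe_load(open("/etc/kubernetes/audit-policy.yaml"))`. The ordering check matters in practice: a `level: None` rule for a broad user or group placed before the catch-all silently drops everything that user does, and the probe approach catches that only if you add a probe carrying that user.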
Remediation: Enable Kubernetes audit logging. Create an audit policy (rules are matched in order, first match wins, so the narrow rule must precede the catch-all):

# /etc/kubernetes/audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Log pod exec at RequestResponse level. kubectl exec is a "create" on the
  # pods/exec subresource; there is no "exec" verb in the audit API, and this
  # rule must come before the catch-all or it never matches.
  - level: RequestResponse
    verbs: ["create"]
    resources:
      - group: ""
        resources: ["pods/exec"]
  # Log all other requests at Metadata level
  - level: Metadata
    omitStages:
      - RequestReceived

Add to kube-apiserver:
--audit-policy-file=/etc/kubernetes/audit-policy.yaml
--audit-log-path=/var/log/kubernetes/audit.log
--audit-log-maxage=30
--audit-log-maxbackup=10
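Once the API server writes to --audit-log-path, the file holds one JSON Event per line and the signals this control names (secret reads, RBAC changes, pod exec, authentication and authorization denials) can be pulled out directly. The following is an added example, not part of the original text or of any Kubernetes tooling: a small triage pass over constructed audit lines in the audit.k8s.io/v1 Event shape. The sample events, usernames, namespaces, IPs and auditIDs are made up for the example, and the denial threshold is an assumption.

```python
"""Triage of kube-apiserver audit log lines (added example, not project code)."""
import json
from collections import Counter

RBAC_GROUP = "rbac.authorization.k8s.io"
WRITE_VERBS = {"create", "update", "patch", "delete"}
READ_VERBS = {"get", "list", "watch"}

# Constructed sample in the shape of audit.k8s.io/v1 Events, one per line.
# Every identifier below is invented for this example.
SAMPLE_AUDIT_LOG = [
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/secrets/db-creds","verb":"get","user":{"username":"system:serviceaccount:prod:web","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.1.7"],"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200}}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods/web-0/exec?command=sh","verb":"create","user":{"username":"dev-alice","groups":["developers"]},"sourceIPs":["192.0.2.10"],"objectRef":{"resource":"pods","namespace":"prod","name":"web-0","apiVersion":"v1","subresource":"exec"},"responseStatus":{"metadata":{},"code":101}}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"system:serviceaccount:prod:web","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.1.7"],"objectRef":{"resource":"clusterrolebindings","name":"web-admin","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201}}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/secrets","verb":"list","user":{"username":"system:serviceaccount:default:scanner","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.3.4"],"objectRef":{"resource":"secrets","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":403,"reason":"Forbidden"}}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets/bootstrap","verb":"get","user":{"username":"system:serviceaccount:default:scanner","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.3.4"],"objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":403,"reason":"Forbidden"}}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a6","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods","verb":"list","user":{"username":"dev-alice","groups":["developers"]},"sourceIPs":["192.0.2.10"],"objectRef":{"resource":"pods","namespace":"prod","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200}}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a7","stage":"ResponseStarted","requestURI":"/api/v1/secrets?watch=true","verb":"watch","user":{"username":"system:kube-controller-manager"},"sourceIPs":["10.0.0.1"],"objectRef":{"resource":"secrets","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200}}',
]


def classify(event):
    """Return a finding category for one Event, or None if it is routine."""
    if event.get("stage") != "ResponseComplete":
        return None          # the same request is emitted at several stages; count it once
    ref = event.get("objectRef") or {}
    code = (event.get("responseStatus") or {}).get("code", 0)
    verb = event.get("verb")
    if code in (401, 403):
        return "access-denied"               # authn failure or RBAC denial
    if ref.get("resource") == "secrets" and verb in READ_VERBS:
        return "secret-access"
    if ref.get("resource") == "pods" and ref.get("subresource") == "exec":
        return "pod-exec"
    if ref.get("apiGroup") == RBAC_GROUP and verb in WRITE_VERBS:
        return "rbac-change"
    return None


def triage(lines, denial_threshold=2):
    """Return (findings, users_with_repeated_denials) for an iterable of log lines."""
    findings, denials = [], Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        category = classify(event)
        if category is None:
            continue
        user = (event.get("user") or {}).get("username", "<unknown>")
        if category == "access-denied":
            denials[user] += 1
        findings.append({"auditID": event.get("auditID"), "category": category,
                         "user": user, "verb": event.get("verb"),
                         "uri": event.get("requestURI"),
                         "sourceIPs": event.get("sourceIPs", [])})
    repeated = {u: n for u, n in denials.items() if n >= denial_threshold}
    return findings, repeated


def summarize(findings):
    return dict(Counter(f["category"] for f in findings))


if __name__ == "__main__":
    found, repeated = triage(SAMPLE_AUDIT_LOG)
    print(summarize(found))
    for f in found:
        print(f"{f['auditID']} {f['category']:14} {f['user']} {f['verb']} {f['uri']}")
    print("repeated denials:", repeated)
```

Two details carry over to real logs: filter on `stage` so a single request is not counted twice, and key denial counts on the username rather than the source IP, since service-account tokens travel with the pod. In the sample, the same service account that read a secret then created a ClusterRoleBinding, which is the sequence the control text describes and the reason both categories belong in one pass.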