Kubernetes audit logging is enabled and covers authentication, API calls, and RBAC denials
Why it matters
Without Kubernetes audit logging, there is no record of who accessed secrets, which pods were created, or when RBAC permissions were changed — post-incident forensics become guesswork (NIST 800-53 AU-2, AU-12). Adversaries routinely enumerate cluster resources, read secrets, and create privileged pods during an attack, then clean up their traces. Audit logs are the only evidence of these actions. CIS Kubernetes 3.2.1 mandates audit policy configuration. An audit policy that covers fewer than 3 event categories misses either authentication failures or RBAC denials — the two most actionable security signals in a cluster.
Severity rationale
Medium because absent audit logs make post-incident forensics impossible, but the gap is detected during investigation rather than enabling direct data exfiltration.
Remediation
Create an audit policy file at /etc/kubernetes/audit-policy.yaml and enable it on the API server. Minimum viable policy covering authentication, secret access, and RBAC:
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived
rules:
  # Rules are matched first-to-last; secrets first so the catch-all rules below cannot shadow them.
  # RequestResponse records request and response bodies, so secret values themselves land in the
  # audit log: protect the log file and its forwarding path accordingly.
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["secrets"]
  # Every mutating call (RBAC changes, pod creation, deletions) on any resource, metadata only.
  - level: Metadata
    verbs: ["create", "delete", "update", "patch"]
  # Non-resource endpoints, including failed and unauthenticated discovery requests.
  - level: Metadata
    nonResourceURLs: ["/api*", "/version"]
  # Drop kube-proxy's remaining (read-only) traffic to limit noise.
  - level: None
    users: ["system:kube-proxy"]
Add to the kube-apiserver startup args: --audit-policy-file=/etc/kubernetes/audit-policy.yaml --audit-log-path=/var/log/kubernetes/audit.log --audit-log-maxage=30. Forward logs to your centralized logging system.
Detection
- ID: audit-logging
- Severity: medium
- What to look for: Check Kubernetes API server configuration for an audit log policy file (typically at /etc/kubernetes/audit-policy.yaml or the cloud provider equivalent). List all audit policy rules defined. Count the event types covered (authentication, authorization/RBAC denials, pod creation, secret access). Verify that at minimum 3 of these event categories are captured.
- Pass criteria: Kubernetes audit logging is enabled with an audit policy that captures at least Metadata level for the RequestReceived, ResponseStarted, and ResponseComplete stages. At minimum 3 event categories are covered: authentication attempts, API calls, and RBAC denials. Report even on pass: "Audit policy covers X event categories at Y logging level."
- Fail criteria: Audit logging is not enabled, or the audit policy covers fewer than 3 event categories (missing RBAC denials or authentication events).
- Skip (N/A) when: The project does not use Kubernetes.
- Detail on fail: Quote the configuration gap. Example: "Kubernetes audit logging is not configured. kube-apiserver does not specify --audit-log-path or --audit-policy-file."
- Remediation: Enable Kubernetes audit logging. Create an audit policy:

# /etc/kubernetes/audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Log pod creation and exec at RequestResponse level. This rule must come before the
  # catch-all Metadata rule, because the first matching rule wins. An exec session is a
  # "create" on the pods/exec subresource (there is no "exec" verb); "create" on pods also
  # records the submitted pod spec, so privileged pod requests are captured with their body.
  - level: RequestResponse
    verbs: ["create"]
    resources:
      - group: ""
        resources: ["pods", "pods/exec"]
  # Log all other requests at Metadata level
  - level: Metadata
    omitStages:
      - RequestReceived

Add to kube-apiserver:

--audit-policy-file=/etc/kubernetes/audit-policy.yaml --audit-log-path=/var/log/kubernetes/audit.log --audit-log-maxage=30 --audit-log-maxbackup=10
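As an added example (not part of this control's text or of any project's code), a small Python triage script over the JSON-lines file that --audit-log-path writes, flagging the signals named above: authentication failures (401), RBAC denials (403 or authorization.k8s.io/decision=forbid), reads of secrets, and creation of privileged pods, which is only visible when the policy logs pod creation at RequestResponse level. The sample events are constructed; only ResponseComplete stage events are counted so watches and other long-running requests are not double-counted.

```python
import json
def _event(verb, uri, user, code, stage="ResponseComplete", **extra):
    """Build one constructed audit.k8s.io/v1 Event record (sample data, not a real capture)."""
    base = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage, "verb": verb,
            "requestURI": uri, "user": {"username": user}, "responseStatus": {"code": code}}
    base.update(extra)
    return json.dumps(base)
# Constructed sample of the JSON-lines file written by --audit-log-path.
SAMPLE_AUDIT_LOG = "\n".join([
    _event("get", "/api/v1/namespaces/prod/pods", "system:anonymous", 401),
    _event("list", "/api/v1/secrets", "system:serviceaccount:default:web", 403,
           objectRef={"resource": "secrets"}, annotations={"authorization.k8s.io/decision": "forbid"}),
    _event("get", "/api/v1/namespaces/prod/secrets/db-creds", "alice", 200,
           objectRef={"resource": "secrets", "namespace": "prod", "name": "db-creds"}),
    _event("create", "/api/v1/namespaces/prod/pods", "alice", 201,
           objectRef={"resource": "pods", "namespace": "prod", "name": "debug"},
           requestObject={"spec": {"containers": [
               {"name": "c", "image": "busybox", "securityContext": {"privileged": True}}]}}),
    # A watch emits ResponseStarted first; only ResponseComplete is counted, so no double count.
    _event("watch", "/api/v1/secrets", "alice", 200, stage="ResponseStarted",
           objectRef={"resource": "secrets"}),
])
def classify(event):
    tags = []
    code = event.get("responseStatus", {}).get("code", 0)
    ref = event.get("objectRef", {})
    decision = event.get("annotations", {}).get("authorization.k8s.io/decision")
    if code == 401:                                   # authentication failure
        tags.append("authentication_failure")
    if decision == "forbid" or code == 403:           # RBAC denial
        tags.append("rbac_denial")
    if ref.get("resource") == "secrets" and event.get("verb") in ("get", "list", "watch") and code < 400:
        tags.append("secret_read")
    if event.get("verb") == "create" and ref.get("resource") == "pods" and code < 400:
        containers = event.get("requestObject", {}).get("spec", {}).get("containers", [])
        if any((c.get("securityContext") or {}).get("privileged") for c in containers):
            tags.append("privileged_pod_create")      # needs RequestResponse level to see the spec
    return tags
def triage(audit_log):
    """Parse JSON-lines audit output into (category, username, requestURI) findings."""
    findings = []
    for line in audit_log.splitlines():
        if not line.strip(): continue
        event = json.loads(line)
        if event.get("stage") != "ResponseComplete": continue   # skip RequestReceived/ResponseStarted
        for tag in classify(event):
            findings.append((tag, event["user"]["username"], event["requestURI"]))
    return findings
```

Feed the real file with triage(open("/var/log/kubernetes/audit.log").read()) to get a first pass before the events reach the central log platform.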
External references
- nist:rev5 · AU-2 — Event Logging
- nist:rev5 · AU-12 — Audit Record Generation
- external · CIS-Kubernetes-3.2.1 — CIS Kubernetes Benchmark §3.2.1 — Ensure that a minimal audit policy is created
Taxons
History
- 2026-04-18·v1.0.0·Initial import from infrastructure-hardening·automated