Kubernetes Audit Log (AKS)

What Are Kubernetes Audit Logs?

Kubernetes Audit Logs track all requests made to the Kubernetes API Server. They record what happened, when it happened, who made the request, and what the outcome was. Think of them as a security camera watching everything that hits your Kubernetes API.


Structure of a Kubernetes Audit Log Event

Each audit log event is a JSON object with several standard fields.

Here’s the main structure:

{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "RequestResponse",
  "timestamp": "2025-04-05T10:20:30Z",
  "auditID": "abc123-456def-789ghi",
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/namespaces/default/pods",
  "verb": "create",
  "user": {
    "username": "system:serviceaccount:default:myserviceaccount",
    "groups": ["system:serviceaccounts", "system:authenticated"]
  },
  "sourceIPs": ["10.0.0.1"],
  "userAgent": "kubectl/v1.26.0 (linux/amd64)",
  "objectRef": {
    "resource": "pods",
    "namespace": "default",
    "name": "my-pod"
  },
  "responseStatus": {
    "metadata": {},
    "code": 201
  },
  "requestObject": { },
  "responseObject": { },
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "RBAC: allowed by RoleBinding"
  }
}

Key Fields You Should Know

Field
What It Means

kind

Always Event for audit logs

apiVersion

Audit log schema version (e.g., audit.k8s.io/v1)

level

Level of detail: Metadata, Request, RequestResponse

timestamp

When the request happened

auditID

Unique ID for tracking this event

stage

Stage of the request: RequestReceived, ResponseStarted, ResponseComplete, Panic

requestURI

API endpoint that was called

verb

Action performed: get, list, create, delete, patch, etc.

user

Identity of the user or service account making the request

sourceIPs

IP addresses of the client

userAgent

Client info (kubectl, dashboard, app, etc.)

objectRef

Which object (e.g., Pod, Service) was accessed

responseStatus

Status code (e.g., 200 OK, 201 Created, 403 Forbidden)

requestObject

The full object sent in the request (optional based on level)

responseObject

The full object returned in the response (optional based on level)

annotations

Extra info like why the request was allowed or denied (e.g., RBAC decision)

Understanding Level

The level field controls how much detail the audit log has:

Level
What is Captured

Metadata

Only metadata about the request (no body)

Request

Metadata + request body

RequestResponse

Metadata + request body + response body

None

No logging at all (usually not recommended)


Understanding Stage

The stage tells you how far the request got:

Stage
Meaning

RequestReceived

API Server got the request

ResponseStarted

Started sending the response

ResponseComplete

Finished sending the response

Panic

Server crashed while handling


Example Scenarios You Can Detect in Audit Logs

Scenario
What to Look For

Unauthorized Access Attempt

responseStatus.code = 403

Successful Pod Deletion

verb = delete and resource = pods and responseStatus.code = 200

Creating a Secret

verb = create and resource = secrets

Changing Roles or RoleBindings

resource = roles or rolebindings

Access from Suspicious IP

Unrecognized sourceIPs

Excessive API Calls (Brute Force)

Repeated requestURI hits in a short time


Kubernetes Audit Policies

You control what gets logged using an Audit Policy.

A policy tells Kubernetes:

  • Which users/resources to log

  • What level (Metadata, Request, etc.)

  • What stages (RequestReceived, ResponseComplete, etc.)

You define the audit policy in YAML format and pass it to the API Server using the --audit-policy-file flag.

Example of a simple policy:

yamlCopyEditapiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: RequestResponse
  verbs: ["create", "update", "delete"]
  resources:
  - group: ""
    resources: ["pods", "services"]

This policy logs all create, update, and delete actions on pods and services with full request and response data.

Common Verbs

Verb
Meaning
Example Use Case
Threat Hunting Tip

get

Read a single resource

kubectl get pod mypod

Very common. Look for get on secrets by unusual users.

list

Read multiple resources

kubectl get pods

Normal in day-to-day operations.

watch

Watch for changes

Used by apps/controllers.

Attackers might watch pods/nodes for recon.

create

Create a new resource

kubectl create deployment myapp

🚩 Critical to monitor — who’s creating new deployments/pods/roles?

delete

Delete a resource

kubectl delete pod mypod

🚩 Unexpected deletes can be destructive or hide attacks.

update

Update a resource

kubectl edit deployment myapp

🚩 Watch updates to sensitive resources like RBAC or Secrets.

patch

Partial update of a resource

kubectl patch deployment myapp

🚩 Sometimes used by attackers to escalate privileges quietly.

proxy

Access services through API server

kubectl proxy

🚩 Watch proxy use — it could mean someone is tunneling into your cluster.

bind

Bind a role to a user/service account

Rare outside of RBAC setup

🚩 Unauthorized bind could mean RBAC abuse.

impersonate

Act as another user/service account

Service Meshes sometimes do this

🚩 Rare — watch carefully for impersonations.


In Summary

Concept
Key Point

Audit Log Event

JSON object describing one API request

Key Fields

timestamp, user, verb, objectRef, responseStatus, etc.

Levels

Metadata, Request, RequestResponse

Stages

RequestReceived, ResponseStarted, ResponseComplete, Panic

Policy

Defines what is logged and at what detail level

Use Cases

Monitor security, investigate incidents, detect threats

Last updated