Audit logs are used to monitor the system and to search for suspicious behavior. Host and Kubernetes API audit logging can be enabled to produce additional audit logs for analysis. Enabling audit logging is optional; when enabled, it generates some load and data on the non-compute nodes (NCNs).

By default, neither host nor Kubernetes API audit logging is enabled. The two do not need to be enabled or disabled together.
Host audit logs are stored in the `/var/log/audit/HostOS` directory on each NCN. Host audit logging uses a maximum of 60GB on each NCN when the log rotation settings are in use. The log rotation settings take effect after the CSI settings are edited and the NCNs are rebooted.

The Kubernetes API audit logs are stored in the `/var/log/audit/kl8s/apiserver` directory on each master NCN. Kubernetes API audit logging uses a maximum of 1GB on each master NCN when the log rotation settings are in use.
The method for updating the audit log settings depends on the state of the system. Select one of the following options based on the installation status of the system. With each option, enable only the desired level of audit logging; it is not required to enable both.
## Update audit log settings during installation

**NOTE:** This step needs to happen at the same time that `csi config init` is normally run during system installation.

(`pit#`) To update the audit log settings during the installation, use one of the following options:

### `csi` tool

During the installation, audit logging is enabled or disabled by modifying the CSI settings. To enable or disable audit logging, use the following flags with the `csi config init` command. For more information on using flags, see `csi config init -h`.

- **Host audit logging**: set to `true` to enable host logging or to `false` to disable host logging.

  ```bash
  csi config init --ncn-mgmt-node-auditing-enabled=true [other config init options]
  ```

- **Kubernetes API audit logging**: set to `true` to enable Kubernetes API logging or to `false` to disable Kubernetes API logging.

  ```bash
  csi config init --k8s-api-auditing-enabled=true [other config init options]
  ```
### `system_config.yaml`

Adjust the audit log settings by editing the `system_config.yaml` file. View the current settings with the following command:

```bash
cd /var/www/ephemeral/prep
grep audit system_config.yaml
```

Example output:

```text
k8s-api-auditing-enabled: false
ncn-mgmt-node-auditing-enabled: false
```
## Update audit log settings after CSM install

(`ncn-mw#`) Enable audit logging using the `csi` tool on `ncn-m001`.

1. Install the `csi` tool if it is not already installed.

   If the `csi` command is not installed, then install the `cray-site-init` RPM.

   ```bash
   zypper install cray-site-init
   ```

2. Acquire an authentication token.

   ```bash
   export TOKEN=$(curl -k -s -S -d grant_type=client_credentials -d client_id=admin-client \
       -d client_secret=`kubectl get secrets admin-client-auth -o jsonpath='{.data.client-secret}' | base64 -d` \
       https://api-gw-service-nmn.local/keycloak/realms/shasta/protocol/openid-connect/token | jq -r '.access_token')
   ```

3. Enable audit logging.

   - Host audit logging:

     ```bash
     csi handoff bss-update-cloud-init --set meta-data.ncn-mgmt-node-auditing-enabled=true --limit Global
     ```

   - Kubernetes API audit logging:

     ```bash
     csi handoff bss-update-cloud-init --set meta-data.k8s-api-auditing-enabled=true --limit Global
     ```

   Example output:

   ```text
   2025/03/03 11:30:25 Getting management NCNs from SLS...
   2025/03/03 11:30:25 Done getting management NCNs from SLS.
   2025/03/03 11:30:25 Updating NCN cloud-init parameters...
   2025/03/03 11:30:25 Successfully PUT BSS entry for Global
   2025/03/03 11:30:25 Done updating NCN cloud-init parameters.
   ```
## Rebuild NCNs

This section is only necessary if the audit logging settings were changed after the CSM install. If the desired audit logging settings were made as part of the CSM install, then skip this section.

Rebuild each NCN to apply the new settings after the CSI setting is changed. Follow the Rebuild NCNs procedure. The Install and Upgrade Framework (IUF) can also be used to rebuild the NCNs; refer to the IUF Management Node Rollout documentation for more information.

Changes made post-install will not be reflected until after the NCN is rebuilt.
## Verify audit log settings

The following commands show the setting in effect on an NCN.

- (`ncn#`) Host audit logging:

  ```bash
  craysys metadata get ncn-mgmt-node-auditing-enabled
  ```

- (`ncn#`) Kubernetes API audit logging:

  ```bash
  craysys metadata get k8s-api-auditing-enabled
  ```
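As an added example that is not part of the CSM documentation, the script below checks on an NCN whether the audit settings in effect match the desired ones (a mismatch means the BSS change has not been picked up because the node has not been rebuilt yet) and whether the two audit log directories are within the 60GB and 1GB caps stated above. It assumes `craysys metadata get` is on the PATH as it is on an NCN; the desired values passed to `audit_report` are constructed.

```shell
#!/bin/sh
# Added example, not CSM code: compare the audit settings applied on this NCN
# with the desired ones and check the audit log directories against their caps.
# Assumes `craysys metadata get` is available, as on an NCN.
HOST_AUDIT_DIR=/var/log/audit/HostOS
HOST_AUDIT_CAP=$((60 * 1024 * 1024 * 1024))   # 60GB cap per NCN
K8S_AUDIT_DIR=/var/log/audit/kl8s/apiserver
K8S_AUDIT_CAP=$((1 * 1024 * 1024 * 1024))     # 1GB cap per master NCN

# Echo the cloud-init meta-data value applied on this node: "true", "false",
# or "unset" when the key is missing or craysys fails.
audit_setting() {
    val=$(craysys metadata get "$1" 2>/dev/null) || val=""
    case "$val" in
        true|false) echo "$val" ;;
        *) echo "unset" ;;
    esac
}

# Succeed (0) when the effective value differs from the desired one, i.e. the
# change is in BSS but this NCN has not been rebuilt yet.
needs_rebuild() {  # $1 = meta-data key, $2 = desired value (true|false)
    [ "$(audit_setting "$1")" != "$2" ]
}

# Succeed when the directory's usage is within the cap, or the directory does
# not exist yet (the case before auditing has ever been enabled on the node).
audit_dir_within_cap() {  # $1 = directory, $2 = cap in bytes
    [ -d "$1" ] || return 0
    used_kb=$(du -sk "$1" | cut -f1)
    [ $((used_kb * 1024)) -le "$2" ]
}

# Print one line per setting plus a warning for any over-cap directory.
audit_report() {  # $1 = desired host setting, $2 = desired k8s setting
    for pair in "ncn-mgmt-node-auditing-enabled:$1" "k8s-api-auditing-enabled:$2"; do
        key=${pair%%:*}; want=${pair#*:}
        if needs_rebuild "$key" "$want"; then
            echo "$key: effective=$(audit_setting "$key") desired=$want -> rebuild required"
        else
            echo "$key: effective=$want (matches desired)"
        fi
    done
    audit_dir_within_cap "$HOST_AUDIT_DIR" "$HOST_AUDIT_CAP" || echo "WARNING: $HOST_AUDIT_DIR is over its 60GB cap"
    audit_dir_within_cap "$K8S_AUDIT_DIR" "$K8S_AUDIT_CAP" || echo "WARNING: $K8S_AUDIT_DIR is over its 1GB cap"
}

# Constructed desired values; override with positional arguments when running.
if [ "${RUN_AUDIT_CHECK:-0}" = "1" ]; then
    audit_report "${1:-true}" "${2:-false}"
fi
```

Run it on an NCN as `RUN_AUDIT_CHECK=1 sh audit_check.sh true false`, passing the host and Kubernetes API values that were set with `csi`.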