Why isn't the request body showing up in the Kubernetes API server audit log?

Question

I have added the following command-line arguments to kube-apiserver to enable audit logging:

- --audit-log-path=/tmp/k8s-audit.log
- --audit-policy-file=/etc/kubernetes/audit.yaml
- --audit-log-maxage=1
- --audit-log-maxsize=100
- --audit-log-maxbackup=1

The contents of /etc/kubernetes/audit.yaml is:

apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - "ResponseStarted"
  - "ResponseComplete"
rules:
  - level: RequestResponse

I have run a command with verbose logging, so that I can see the request body:

$ kubectl --v=10 uncordon cluster-worker2

And the kubectl command logs the request body as follows:

I0328 09:00:07.591869   47228 request.go:942] Request Body: {"spec":{"unschedulable":null}}

But I don't see this request body anywhere in the audit log file on the kubernetes server. What's wrong with my configuration?

do you have more than one API Server and if yes then checked in all of them ? — Arghya Sadhu, Mar 28 '20 at 09:35
@ArghyaSadhu no, there is only one API server. I am using Kind (Kubernetes in docker). — Robin Green, Mar 28 '20 at 09:41
Can you try an alternative command like `kubectl get pods`? Does that show up with a `RequestReceived`? — Chris Stryczynski, Mar 29 '20 at 10:13

score 1 · Accepted Answer · answered Mar 29 '20 at 19:50

The request is actually only logged in the ResponseComplete stage, somewhat unexpectedly. Even though Kubernetes could theoretically log the request as soon as it receives it, it doesn't.

So it's necessary to remove the ResponseComplete line from the omitstages in the policy configuration file (audit.yaml).

Why isn't the request body showing up in the Kubernetes API server audit log?

1 Answers1