For example, if you want to know who deleted a resource in the cluster, you can use the below query to drill down to the information:
Use case 2: Troubleshoot permission- and privilege-related RBAC policy issues
When you look at the Status Code Stats widget on the dashboard, you may see HTTP status codes of 400 and above. To learn more, click the error code, which takes you to the events that produced it. You can then use the query language filter below to narrow down the root cause.
logtype="Kubernetes Audit Logs" and responsestatus_code=403 and verb="list" groupby username
The above query lists the users whose list requests were rejected with a 403 (Forbidden) response, grouped by username. You can click any username to find out why that user's request was denied.
logtype="Kubernetes Audit Logs" and responsestatus_code=403 and verb="list" and username="system:serviceaccount:default:demo"
The results show that the demo service account (system:serviceaccount:default:demo) had no RBAC permission to list pods, which is what produced the 403; the responseStatus message in the event states which resource and namespace were refused. You can take remediation action accordingly, for example by binding a Role that grants only the verbs and resources the workload actually needs.
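The same two drill-downs (who deleted a resource, and which principals are hitting 403 on list and why) can be reproduced directly on the raw audit log with a short script. The example below is added here and is not part of the original post or of Site24x7 AppLogs; the audit events are constructed samples in the audit.k8s.io/v1 format the API server's log backend writes, and the function names are my own. It also goes one step past the text: from a principal's 403 events it derives the (apiGroup, resource, verb, namespace) tuples that were denied, which is the smallest rule set a Role would need if the access turns out to be legitimate.

```python
import json
from collections import defaultdict

# Constructed sample audit log (newline-delimited JSON, audit.k8s.io/v1). Not real cluster data.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "stage": "ResponseComplete",
     "auditID": "a1", "verb": "list", "requestURI": "/api/v1/namespaces/default/pods",
     "user": {"username": "system:serviceaccount:default:demo", "groups": ["system:serviceaccounts"]},
     "objectRef": {"resource": "pods", "namespace": "default", "apiVersion": "v1"},
     "responseStatus": {"metadata": {}, "status": "Failure", "reason": "Forbidden", "code": 403,
                        "message": 'pods is forbidden: User "system:serviceaccount:default:demo" '
                                   'cannot list resource "pods" in API group "" in the namespace "default"'}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "stage": "ResponseComplete",
     "auditID": "a2", "verb": "list", "requestURI": "/api/v1/namespaces/default/pods",
     "user": {"username": "system:serviceaccount:default:demo", "groups": ["system:serviceaccounts"]},
     "objectRef": {"resource": "pods", "namespace": "default", "apiVersion": "v1"},
     "responseStatus": {"metadata": {}, "status": "Failure", "reason": "Forbidden", "code": 403,
                        "message": 'pods is forbidden: User "system:serviceaccount:default:demo" '
                                   'cannot list resource "pods" in API group "" in the namespace "default"'}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "stage": "ResponseComplete",
     "auditID": "a3", "verb": "list", "requestURI": "/apis/apps/v1/namespaces/prod/deployments",
     "user": {"username": "jane", "groups": ["developers"]},
     "objectRef": {"resource": "deployments", "namespace": "prod", "apiGroup": "apps", "apiVersion": "v1"},
     "responseStatus": {"metadata": {}, "status": "Failure", "reason": "Forbidden", "code": 403,
                        "message": 'deployments.apps is forbidden: User "jane" cannot list resource '
                                   '"deployments" in API group "apps" in the namespace "prod"'}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "stage": "ResponseComplete",
     "auditID": "a4", "verb": "delete", "requestURI": "/apis/apps/v1/namespaces/prod/deployments/web",
     "user": {"username": "admin", "groups": ["system:masters"]},
     "objectRef": {"resource": "deployments", "namespace": "prod", "name": "web", "apiGroup": "apps"},
     "responseStatus": {"metadata": {}, "code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "stage": "ResponseComplete",
     "auditID": "a5", "verb": "list", "requestURI": "/api/v1/namespaces/default/pods",
     "user": {"username": "admin", "groups": ["system:masters"]},
     "objectRef": {"resource": "pods", "namespace": "default"},
     "responseStatus": {"metadata": {}, "code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "stage": "ResponseComplete",
     "auditID": "a6", "verb": "delete", "requestURI": "/api/v1/namespaces/default/configmaps/cfg",
     "user": {"username": "bob", "groups": ["developers"]},
     "objectRef": {"resource": "configmaps", "namespace": "default", "name": "cfg"},
     "responseStatus": {"metadata": {}, "code": 200}},
]) + "\nthis line is not JSON and must be skipped\n"


def parse_audit_log(text):
    """Parse newline-delimited JSON audit events; skip blank or garbled lines and
    keep only completed requests (stage ResponseComplete carries responseStatus)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("kind") == "Event" and ev.get("stage") == "ResponseComplete":
            events.append(ev)
    return events


def deletions_by_user(events):
    """Use case 1: who deleted what. Returns {username: [(resource, namespace, name), ...]}
    for successful delete/deletecollection requests."""
    out = defaultdict(list)
    for ev in events:
        code = ev.get("responseStatus", {}).get("code", 0)
        if ev.get("verb") in ("delete", "deletecollection") and 200 <= code < 300:
            ref = ev.get("objectRef", {})
            out[ev["user"]["username"]].append((ref.get("resource"), ref.get("namespace"), ref.get("name")))
    return dict(out)


def forbidden_by_user(events, verb="list"):
    """Use case 2: equivalent of  responsestatus_code=403 and verb="list" groupby username."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("verb") == verb and ev.get("responseStatus", {}).get("code") == 403:
            counts[ev["user"]["username"]] += 1
    return dict(counts)


def denial_reasons(events, username):
    """Drill-down for one principal: the API server's own Forbidden message names the
    resource, API group and namespace that were refused."""
    return [ev["responseStatus"].get("message", "") for ev in events
            if ev.get("user", {}).get("username") == username
            and ev.get("responseStatus", {}).get("code") == 403]


def denied_rules(events, username):
    """Derive the distinct (apiGroup, resource, verb, namespace) tuples a principal was denied.
    If the access is legitimate, these are the only rules the remediating Role should carry."""
    needed = set()
    for ev in events:
        if ev.get("user", {}).get("username") == username and ev.get("responseStatus", {}).get("code") == 403:
            ref = ev.get("objectRef", {})
            needed.add((ref.get("apiGroup", ""), ref.get("resource"), ev.get("verb"), ref.get("namespace")))
    return sorted(needed)


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("deletions:", deletions_by_user(evs))
    print("403 on list:", forbidden_by_user(evs))
    print("reasons for demo SA:", denial_reasons(evs, "system:serviceaccount:default:demo"))
    print("rules demo SA would need:", denied_rules(evs, "system:serviceaccount:default:demo"))
```

Two points worth keeping in mind when running this against real logs: only ResponseComplete events carry responseStatus, so RequestReceived entries for the same auditID must not be double-counted, and a deletecollection verb deletes many objects with a single event, so "who deleted X" has to include it alongside delete.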
To keep track of everything happening in your cluster, you need to monitor your Kubernetes audit logs with Site24x7 AppLogs. Feel free to drop your feedback, suggestions, and feature requests as comments below.
Until next time,
Happy logging!