Viewing Kubernetes API Server Audit Logs

Find out how to view operations of both Container Engine for Kubernetes (OKE) and the Kubernetes API server as log events in the Oracle Cloud Infrastructure Audit.

It's often useful to understand the context behind activities happening in a cluster. For example, to perform compliance checks, to identify security anomalies, and to troubleshoot errors by identifying who did what and when.

You can use the Oracle Cloud Infrastructure Audit service to view all operations performed by:

  • Container Engine for Kubernetes, which emits audit events whenever you perform actions on a cluster, such as create and delete.
  • The Kubernetes API server, which emits audit events whenever you use tools like kubectl to make administrative changes to a cluster, such as creating a service. Kubernetes API server audit events are shown in the Oracle Cloud Infrastructure Audit service for clusters running Kubernetes version 1.13.x (or later). Note that events are only shown from 15 July, 2020 onward.

Note that in addition to viewing operations as described in this topic, you can also:

Using the Console

To view operations performed by Container Engine for Kubernetes and the Kubernetes API server as log events in the Oracle Cloud Infrastructure Audit service:

  1. Open the navigation menu, click Identity & Security, and then click Audit
  2. Choose a Compartment you have permission to work in.
  3. Search and filter to show the operations you're interested in:

    • To view operations performed by Container Engine for Kubernetes, enter ClustersAPI in the Keywords field and click Search.
    • To view operations performed by the Kubernetes API server, enter OKE API Server Admin Access in the Keywords field and click Search.

    For more information about using the Oracle Cloud Infrastructure Audit service, see Viewing Audit Log Events.