CNCFKubernetesSecurityIntermediate26 min read

What Is Audit Logging? Security Definition

Also known as: audit logging, kubernetes audit log, CKS audit logging, audit policy kubernetes, what is audit logging

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Audit logging is like a security camera that records every action in your system. It writes down who accessed what, what changes were made, and when it all happened. These logs help you investigate problems, catch unauthorized activity, and prove compliance with security rules.

Must Know for Exams

The Certified Kubernetes Security Specialist (CKS) exam tests your ability to secure a Kubernetes cluster in production. Audit logging is a major topic on that exam, appearing under the domain "Cluster Setup and Hardening" and specifically in the context of "Implement audit logging." You must know how to configure the Kubernetes API server to produce audit logs, how to write an audit policy YAML file, and how to route those logs to a file or external service.

In the CKS exam, you are given a terminal and a cluster, and you are asked to perform tasks such as enabling audit logging on a running cluster, creating a custom audit policy that logs only specific events (like all requests in the kube-system namespace or all delete operations), or configuring a webhook backend to send logs to a simulated SIEM. You must also know the different audit levels (None, Metadata, Request, RequestResponse) and when to use each one. A typical exam question might ask you to create an audit policy that logs all requests to secrets at the RequestResponse level but only logs metadata for less sensitive resources.

The CKS exam also tests your ability to interpret audit logs. You might be given a scenario where a cluster has been compromised and you must examine the audit logs to identify the attacker's actions, such as the creation of a privileged pod or the deletion of a network policy. You need to understand the structure of an audit log entry, including the kind, apiVersion, level, stage, requestURI, user, sourceIPs, and objectRef fields.

Beyond the CKS, audit logging is tested in other security certifications like the CompTIA Security+, CISSP, and Certified Information Security Manager (CISM). In these broader exams, the focus is less on the Kubernetes-specific implementation and more on the general principles of logging, log management, and legal admissibility. You might see questions about log retention policies, the importance of time synchronization (NTP), and the need to protect logs from tampering. The CKS, however, goes into the deepest technical detail because you are expected to configure the system yourself.

To do well on the CKS exam, you should practice writing audit policy files from scratch. You should understand the difference between the audit stages (RequestReceived, ResponseStarted, ResponseComplete, Panic) and know that most policies log at ResponseComplete. You should also be familiar with the command-line flags for the kube-apiserver binary, especially --audit-policy-file, --audit-log-path, --audit-log-maxsize, --audit-log-maxbackup, and --audit-log-maxage. These flags appear in configuration files and in the exam tasks.

Simple Meaning

Imagine you are the manager of a large office building. Every person who enters the building must swipe an ID card at the front door and at every door they go through. A central computer records every single swipe: which card was used, which door was opened, and the exact time. If someone breaks into a locked office at 2 AM, you can look at the record to see which card was used and when. This is exactly what audit logging does for computer systems, but at a much more detailed level.

In the digital world, audit logging works the same way. Every time a user logs into a server, every time a file is read or changed, every time a network connection is made, and every time a configuration setting is updated, the system writes a log entry. That entry typically includes the user's identity, the action they performed, the exact time, the source IP address, and the result of the action (success or failure). These logs are stored in a special place where they cannot be easily altered or deleted, even by system administrators.

Think of audit logs as the black box in an airplane. When everything is fine, nobody looks at it. But when something goes wrong, that record becomes the most important source of truth. It tells you exactly what happened, step by step, so you can understand root causes, identify who or what is responsible, and take corrective action. Without audit logging, you would be flying blind, unable to explain how a system was compromised or why a critical change was made.

The key idea is that audit logs are not just any logs. They are structured, secure, and designed to be a trusted record of events. They are often required by regulations like GDPR, HIPAA, PCI DSS, and SOC 2. For IT professionals, especially those working in cybersecurity or cloud infrastructure, audit logging is a fundamental tool for security monitoring, incident response, and compliance reporting.

Full Technical Definition

Audit logging is the systematic recording of events that occur within an information system, creating a chronological, non-repudiable trail of activities. In Kubernetes environments, audit logging is a core security feature implemented by the API server. The Kubernetes API server can be configured to log every request it receives, including details such as the user who made the request, the request verb (get, list, create, update, delete, patch), the resource affected (pod, service, secret, configmap), the request body, the response body, the source IP, and the timestamp.

Kubernetes audit logs are generated at multiple levels of verbosity. The audit level determines how much detail is captured for each event. The available levels are None (no logging), Metadata (logs user, timestamp, and resource, but not request or response body), Request (logs metadata plus the request body), and RequestResponse (logs everything including the response body). Choosing the right level is a balance between security visibility and storage cost.

Kubernetes audit policies are defined in YAML files that specify which events to log and at what level. These policies are passed to the API server via the --audit-policy-file flag. The policy can filter by user, group, namespace, resource type, verb, or stage. The stages of an audit event are RequestReceived, ResponseStarted, ResponseComplete, and Panic. Most production systems log at the ResponseComplete stage, meaning the log entry is written after the API server has sent the full response to the client.

The audit logs themselves can be sent to various backends. The most common backend is a log file written to the host filesystem, but Kubernetes also supports webhook backends that send logs to an external logging service like Splunk, Elasticsearch, or a security information and event management (SIEM) system. For cloud-native environments, audit logs are often streamed to a centralized logging platform where they are indexed, searched, and retained for long periods.

From a security perspective, audit logs must be protected against tampering. This is achieved by storing them in append-only mode, using log rotation, and ensuring that only authorized and audited processes can write to the log stream. In Kubernetes, the audit log file should be stored on a separate disk or persistent volume that is not accessible to the pods it monitors. Additionally, audit log files should be regularly backed up and monitored for signs of unauthorized modification.

In the context of the CNCF CKS (Certified Kubernetes Security Specialist) exam, audit logging is a critical topic. Candidates must know how to enable audit logging, create and apply audit policies, interpret audit log entries, and use logs to detect security incidents. The exam expects you to understand the trade-offs between different audit levels and to configure logging that meets the security requirements of a real-world cluster without overwhelming the storage system.

Real-Life Example

Think of a bank vault that stores safety deposit boxes. The vault has a heavy door with a combination lock and a keypad that records every entry. Every time a bank employee opens the vault, the system logs their employee ID, the time they entered, and the time they left. If a customer complains that jewelry is missing from their box, the bank manager can review the vault access log to see exactly which employees were in the vault during the relevant time window. This log is the audit trail.

Now, within the vault, there are multiple boxes. Each box requires two keys: one held by the customer and one held by the bank. When an employee accesses a specific box, they must also log the box number and the reason for access. This creates a second layer of audit logging. If someone tries to access a box without a valid reason, the system flags that entry for review.

In the IT world, the bank vault is your Kubernetes cluster. The vault door log is the Kubernetes API server audit log. It records every request to the API, including who made it, what they wanted to do, and whether it succeeded. The individual box access log is equivalent to logging inside a pod or application. For example, if a developer tries to delete a critical secret (like a database password), the audit log will show their username, the time, the namespace, and the fact that they issued a delete request for that secret. If the secret was actually deleted, the log will also confirm the success.

The bank manager can use the vault log to detect patterns: if one employee enters the vault every night at 2 AM, that is suspicious. Similarly, a security analyst can query the Kubernetes audit log to find all requests from a particular user that happened outside business hours, or all delete operations on secrets in the production namespace. The analogy holds because both systems rely on a trusted, unalterable record of events to provide accountability and enable investigation.

Why This Term Matters

Audit logging matters because it is the only way to achieve accountability in modern, complex IT systems. In a typical enterprise, hundreds or thousands of users, services, and automated processes interact with the infrastructure every second. Without audit logs, you have no way to determine who caused a problem, when it started, or how to fix it. This lack of visibility is a serious security and operational risk.

In a Kubernetes cluster, audit logging is especially critical because the API server is the single control point. Every kubectl command, every pod creation, every configuration change goes through the API server. If a cluster is compromised, the audit log is often the most valuable source of forensic evidence. It can show you the exact moment an attacker gained access, which credentials they used, what resources they created or modified, and what data they exfiltrated.

For compliance, audit logging is often mandatory. Regulations like the Payment Card Industry Data Security Standard (PCI DSS) require that all access to cardholder data is logged and that logs are reviewed regularly. The Health Insurance Portability and Accountability Act (HIPAA) requires an audit trail of all access to protected health information. The General Data Protection Regulation (GDPR) requires organizations to be able to demonstrate that personal data is processed securely, which often depends on audit logs. Failing to maintain proper audit logs can result in fines, legal liability, and loss of customer trust.

Beyond security and compliance, audit logs are essential for troubleshooting and root cause analysis. When a service goes down at 3 AM, the operations team can look at the audit logs to see if any configuration changes were made shortly before the incident. This can save hours or days of investigation time. In complex microservices environments, audit logs from different systems can be correlated to reconstruct a timeline of events across multiple components.

Finally, audit logs support internal governance and change management. Organizations can use them to verify that changes were approved and properly tested before being applied to production. They also deter insider threats, because employees know that their actions are being recorded and can be reviewed later. In short, audit logging is not a nice-to-have feature; it is a fundamental component of a mature, secure, and well-managed IT operation.

How It Appears in Exam Questions

On the CKS exam, audit logging questions typically fall into a few patterns. The first is configuration questions. You will be asked to enable audit logging on a cluster that has it disabled. You need to modify the kube-apiserver manifest file (usually located at /etc/kubernetes/manifests/kube-apiserver.yaml on control plane nodes) to add the required --audit-* flags and mount the audit policy file and log directory. You must also create the audit policy YAML file itself. For example, the question might say: "Create an audit policy at /etc/kubernetes/audit-policy.yaml that logs all requests to secrets at the RequestResponse level and logs all other requests at the Metadata level."

The second pattern is troubleshooting questions. You might be given a scenario where audit logging is enabled but not working. You have to check the API server logs to find errors, verify that the audit policy file is valid YAML, ensure the log path is writable, and confirm that the webhook backend (if configured) is reachable. The exam may present you with a broken configuration and ask you to fix it.

The third pattern is interpretation questions. You are shown a snippet of an audit log entry and asked questions about it, such as: "What user made this request?", "What resource was affected?", "Was the request successful?", or "What is the source IP?" You need to be able to read the JSON structure of a Kubernetes audit log event and extract key fields.

The fourth pattern is design questions. You might be asked to recommend an audit policy for a specific use case. For example: "Your organization needs to monitor all changes to roles and clusterroles for compliance purposes. Which audit level and which resources should you log?" The correct answer is to log changes to rbac.authorization.k8s.io resources at the Request level, and to log the request body so that you can see exactly what privileges were granted.

Finally, there are integration questions where audit logging is used in combination with other security features. For instance, you might be asked to configure audit logging and then use Falco (another CNCF security tool) to detect anomalous behavior based on the audit logs. The CKS exam tests your ability to build a layered security defense, and audit logs are the foundation of that defense.

Study cncf-cks

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are the IT security engineer for a company that runs a Kubernetes cluster for its online payment system. One morning, the finance team reports that a customer's payment data may have been exposed. You are asked to investigate.

First, you check the audit logs on the Kubernetes control plane node. You look at the entries from the time window when the exposure likely occurred. You see a series of entries from user "developer-kiran" who used kubectl with a bearer token to list secrets in the production namespace. The audit log shows that the request was made at 2:15 AM on Saturday and that the API server responded with the secret data because the request was successful. The audit level for that request is RequestResponse, so the log even contains the full secret data in the response body.

From this audit log, you now know exactly which secret was exposed, who accessed it, and when. You can immediately revoke the developer's credentials, rotate the exposed secret, and initiate a formal incident response. Without the audit log, you would have no evidence and would have to guess at the cause.

Now, you check the audit policy that was applied to the cluster. It turns out that the policy was configured to log all requests at the Metadata level only, which means that secret data should not have been logged. However, because a cluster administrator had temporarily changed the policy to RequestResponse for debugging purposes and forgotten to revert it, the sensitive data was captured in the log file itself. This introduces a new problem: the audit log file itself becomes a sensitive container. You must now ensure the log file is encrypted and access is strictly controlled. This scenario shows both the power and the risk of audit logging: it gives you the evidence you need, but it also forces you to protect that evidence carefully.

Common Mistakes

Using the Metadata audit level for all resources because it is the default and uses less storage.

Metadata level does not log the request or response body. This means if a secret is accessed, you will see that someone accessed a secret, but you will not see which secret or what data was returned. This makes it nearly impossible to investigate a data breach effectively.

Log sensitive resources like secrets, configmaps, and tokens at the Request or RequestResponse level. Use Metadata only for low-sensitivity resources like pods or services where you only need to know that an access occurred.

Storing audit logs on the same disk as the Kubernetes API server binary or etcd data.

If an attacker compromises the control plane node, they can delete or modify the audit logs to cover their tracks. This defeats the purpose of audit logs as a trusted record.

Store audit logs on a separate persistent volume, ideally on a different storage system. Use log shipping to send copies to a centralized, immutable logging platform like Elasticsearch or Splunk.

Setting the audit log retention to an extremely long time (e.g., 5 years) without considering storage costs and performance impact.

Audit logs can grow very large very quickly, especially at higher verbosity levels. Without proper log rotation and retention limits, the log file can fill up the disk, causing the API server to crash or stop responding.

Set realistic retention policies using the --audit-log-maxsize, --audit-log-maxbackup, and --audit-log-maxage flags. Retain logs for 90-365 days for compliance, and archive older logs to cheaper storage.

Not testing the audit policy before applying it to a production cluster.

A misconfigured audit policy can log too much data (causing performance degradation) or too little data (missing critical events). A syntax error in the YAML file can cause the API server to fail to start.

Test the audit policy in a staging environment. Use kubectl commands to generate events and verify that the logs contain the expected detail. Validate the YAML syntax with a linter before applying it.

Assuming that enabling audit logging is enough for security, without monitoring the logs regularly.

Audit logs are useless if nobody reads them. An attacker can perform malicious actions for weeks without detection if the logs are not actively monitored or ingested into a SIEM system.

Integrate audit logs with a centralized monitoring system and set up alerts for suspicious patterns, such as repeated failed login attempts, access to secrets outside business hours, or deletion of audit policies.

Exam Trap — Don't Get Fooled

On the CKS exam, a question may ask you to enable audit logging but only provide the --audit-log-path flag without the --audit-policy-file flag. Remember that audit logging in Kubernetes requires both a log path and a policy file. Without a policy file, the API server will default to a policy that logs nothing (or logs everything at the None level, depending on the version).

Always verify that both flags are present in the API server manifest. If the policy file is missing, create one and mount it into the API server pod.

Commonly Confused With

Audit LoggingvsEvent Logging

Audit logging specifically records security-relevant actions like authentication, authorization, and resource changes for accountability and compliance. Event logging is a broader category that includes system events like CPU usage, memory errors, and application crashes. Event logs are useful for performance monitoring, while audit logs are essential for security investigations.

An event log might record that a pod was restarted due to an out-of-memory error. An audit log would record that a user with credentials 'admin' issued a 'kubectl delete pod' command at 3:00 PM.

Audit LoggingvsMetrics

Metrics are numerical measurements collected over time, such as the number of requests per second or the percentage of CPU used. Audit logs are detailed textual records of individual events. Metrics tell you how much is happening, while audit logs tell you exactly what happened. You use metrics for dashboards and trend analysis, and audit logs for forensic investigation.

A metric might show that secret access requests spiked to 100 per hour. The audit log would then reveal that a single automated script was making those requests repeatedly.

Audit LoggingvsTracing

Tracing (distributed tracing) follows the path of a single request as it travels through multiple microservices, showing timing and dependencies. Audit logging records security events at a single system boundary, such as the Kubernetes API. Tracing helps you debug performance issues across services, while audit logging helps you prove who did what in the control plane.

A trace might show that a payment request took 500ms because the database was slow. An audit log would show that a developer manually deleted a database connection secret, causing the slowdown.

Audit LoggingvsSyslog

Syslog is a standard protocol and system for sending log messages from various programs to a central collector. Audit logging is a specific type of log that focuses on security events. Syslog can be used to transport audit logs, but syslog itself is not an audit log; it is just a transport mechanism. Kubernetes audit logs are often sent via syslog to a central server.

Syslog is like the postal service that delivers letters. The audit log is the content of the letter that describes a security incident.

Step-by-Step Breakdown

1

User Action Initiation

A user or automated service sends a request to the Kubernetes API server, typically via kubectl, the Kubernetes dashboard, or an application using the client-go library. The request includes details such as the HTTP method, the resource path, the request body, and authentication credentials (a bearer token or certificate).

2

Authentication and Authorization

The API server first authenticates the user (verifying who they are) and then authorizes the request (checking if they have permission to perform the action). These decisions are recorded in the audit log as part of the event. The user identity, groups, and the authorization decision (allow or deny) are all captured.

3

Audit Policy Evaluation

Before processing the request, the API server checks the audit policy to determine what level of detail to log for this particular request. The policy filters by user, group, resource, verb, and namespace. If the policy says to log this request at the Metadata level, only the request metadata (user, time, resource) is recorded. If it says Request or RequestResponse, the request body and response body are also captured.

4

Event Stage Selection

The audit log entry is written at a specific stage in the request lifecycle. The stage is defined in the audit policy or defaults to ResponseComplete. The available stages are RequestReceived (before processing), ResponseStarted (after headers are sent but before body), ResponseComplete (after full response is sent), and Panic (if the server crashes). Most logs are written at ResponseComplete to capture the full outcome.

5

Log Entry Construction

The API server constructs a structured JSON object containing all the relevant fields: kind (Event), apiVersion, level, stage, requestURI, verb, user (with username, UID, groups), sourceIPs, userAgent, objectRef (the resource type, name, namespace, apiGroup, apiVersion), requestObject, responseObject, and requestReceivedTimestamp. This object is serialized into JSON.

6

Log Output and Storage

The JSON log entry is written to the configured backend. For local file logging, the entry is appended to the file specified by --audit-log-path. For a webhook backend, the entry is sent as an HTTP POST request to the configured webhook URL. The backend must handle the log securely and ensure it is not lost. Log rotation is handled by the API server itself (for file backends) or by the external logging system.

7

Log Review and Analysis

Security analysts or automated SIEM systems consume the audit logs. They search for anomalies, such as a user accessing a namespace they have never touched before, or repeated authorization failures. The logs are indexed, stored for the required retention period, and eventually archived or deleted based on policy.

Practical Mini-Lesson

As a Kubernetes security professional, you need to think of audit logging as your first line of forensic defense. Start by enabling it on every control plane node. The classic command to check if audit logging is active is to look at the API server manifest: cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep audit. If you see no audit flags, you need to add them.

When you write an audit policy, start with a conservative policy that logs everything at the Metadata level, then gradually add exceptions for sensitive resources. A practical initial policy might look like this: log all RBAC operations at the Request level so you can see permission changes, log all Secret and ConfigMap operations at the RequestResponse level, and log everything else at Metadata. This gives you good coverage without overwhelming your storage with request bodies for thousands of pod listings.

Remember that the audit policy is a whitelist-based system. If you do not explicitly define a rule for a resource, it falls through to the final default rule. Always include a default rule at the end of your policy with the desired fallback level. For example, a default of Metadata is safer than a default of None, because you will at least know that a request occurred.

In production, never store audit logs only on the control plane node. Use a log shipper like fluentd, vector, or filebeat to forward logs to a centralized platform. This ensures that even if the control plane is destroyed, your logs survive. Also, set up alerts on the centralized platform for critical events, such as deletion of network policies, creation of privileged pods, or changes to cluster roles and cluster role bindings.

A common real-world problem is storage space. Audit logs can grow at gigabytes per day in large clusters. Use a log retention policy that balances compliance needs with storage costs. Typically, retain detailed logs for 90 days and store aggregated summaries for longer. For compliance purposes, you may need to store audit logs for up to seven years, but those can be archived to object storage and queried only when needed.

Another practical tip: protect the audit log file itself. Set file permissions so that only the API server process (and trusted administrators) can read it. Encrypt the volume where the logs are stored. If the log contains sensitive data (like secret contents from RequestResponse level), you might need to redact or mask that data before sending it to a third-party SIEM. Some organizations use a proxy that scrubs sensitive fields from audit logs before they leave the cluster.

Finally, test your audit configuration regularly. Generate a known action, like creating a test secret, and verify that it appears in the audit log with the expected detail. Automate this test to run after every cluster upgrade or configuration change. This simple practice can prevent silent failures where audit logging stops working and nobody notices until an incident occurs.

Memory Tip

Remember the four audit levels with the phrase: "No More Requests RequestResponse" — None, Metadata, Request, RequestResponse. As you go from left to right, you capture more detail. For the exam, always choose the least verbosity that still gives you the information you need.

Covered in These Exams

Related Glossary Terms

Frequently Asked Questions

Is audit logging enabled by default in Kubernetes?

No, audit logging is not enabled by default. You must explicitly configure it by adding flags to the kube-apiserver manifest file and providing an audit policy YAML file. Without this configuration, no audit logs are produced.

What is the difference between audit logging and kubectl logs?

Audit logging records all requests to the Kubernetes API server, including who made them and what resources were affected. kubectl logs, on the other hand, shows the output from a specific container's stdout and stderr streams. They serve entirely different purposes.

Can audit logs be tampered with?

Yes, if an attacker gains root access to the control plane node, they can modify or delete the log files. To prevent this, store logs on a separate, immutable volume, forward them to an external system immediately, and use file integrity monitoring to detect changes.

Which audit level should I use for secrets?

Use the RequestResponse level for secrets if you need to see which secret was accessed and what data was returned. However, be aware that this will store sensitive data in the log file, which must be protected accordingly. For most purposes, Request level is sufficient to see that a specific secret was read.

How can I audit changes to RBAC permissions?

Create an audit policy rule that matches resources in the rbac.authorization.k8s.io API group, such as roles, clusterroles, rolebindings, and clusterrolebindings. Log these at the Request level so you can see the exact permissions being granted or revoked.

What happens if my audit log file fills up the disk?

The Kubernetes API server may stop responding to requests or crash. Always configure log rotation with --audit-log-maxsize (maximum size per file) and --audit-log-maxbackup (number of old files to keep). Monitor disk usage and set up alerts.

Do I need audit logging for a single-node development cluster?

It is not strictly necessary, but it is a good practice. Even in development, audit logs can help you understand why a change broke something. For the CKS exam, you must know how to configure it regardless of cluster size.

Summary

Audit logging is the systematic recording of all security-relevant actions that occur within a system, providing an unalterable chronological trail of who did what and when. In Kubernetes, audit logs are generated by the API server and can be configured with fine-grained policies that control the level of detail captured for different resources and users. The four audit levels None, Metadata, Request, and RequestResponse allow you to balance visibility against storage and performance costs.

Audit logs are essential for security incident investigation, compliance with regulations like PCI DSS and HIPAA, and operational troubleshooting. For the CKS exam, you must be able to enable audit logging, write audit policy files, interpret log entries, and integrate logs with external backends. Common mistakes include logging at too low a level for sensitive resources, failing to protect the log files themselves, and not monitoring the logs regularly.

Remember that audit logging is not a set-and-forget activity; it requires ongoing maintenance, testing, and integration with your broader security monitoring infrastructure. When used correctly, audit logs give you the visibility and accountability needed to secure a modern cloud-native environment.