SlideShare a Scribd company logo

Making the most out of kubernetes audit logs

Laurent Bernaille, profile picture
Laurent Bernaille

The document provides an overview of managing Kubernetes audit logs, detailing the complexity of interactions within a Kubernetes cluster as it grows. It outlines the various components involved, how to configure and interpret audit logs, and the significant amount of information generated from user operations. It emphasizes the importance of understanding audit logs for troubleshooting and monitoring activities within Kubernetes environments.

Technology
1 of 93
Downloaded 12 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
Making the most out of kubernetes audit logs
Robert Boll @roboll_ Laurent Bernaille @lbernail Making the Most Out of Kubernetes Audit Logs
@lbernail @roboll_ Datadog Monitoring service Over 350 integrations Over 1,200 employees Over 8,000 customers Runs on millions of hosts Trillions of data points per day 10000s hosts in our infra 10s of Kubernetes clusters Clusters from 50 to 3000 nodes Multi-cloud Very fast growth
@lbernail @roboll_ Understanding what happens can be hard
@lbernail @roboll_ Outline 1. Background: The Kubernetes API 2. Audit Logs 3. Configuring Audit Logs 4. 10000 foot view for a large cluster 5. Understanding Kubernetes Internals 6. Troubleshooting examples
@lbernail @roboll_ Outline 1. Background: The Kubernetes API 2. Audit Logs 3. Configuring Audit Logs 4. 10000 foot view for a large cluster 5. Understanding Kubernetes Internals 6. Troubleshooting examples
Background: The Kubernetes API
@lbernail @roboll_ apiserver etcd Calls to the apiservers
@lbernail @roboll_ apiserver etcd controllers scheduler Control plane
@lbernail @roboll_ apiserver etcd kubelet controllers scheduler Kubelet
@lbernail @roboll_ apiserver etcd kubelet controllers scheduler kube-proxy DaemonSet: kube-proxy
@lbernail @roboll_ apiserver etcd kubelet controllers scheduler kube-proxy other node apps Other DaemonSets (cni, etc.)
@lbernail @roboll_ apiserver etcd kubelet controllers scheduler kube-proxy coredns other node apps Cluster services: DNS
@lbernail @roboll_ apiserver etcd kubelet controllers scheduler kube-proxy cluster- autoscaler ingress controllers coredns other node apps Other cluster services
@lbernail @roboll_ apiserver etcd kubelet controllers scheduler kube-proxy cluster- autoscaler ingress controllers other apps coredns other node apps Probably several other applications
@lbernail @roboll_ And users, of course apiserver etcd kubelet controllers scheduler kubectl kube-proxy cluster- autoscaler ingress controllers other apps coredns other node apps
@lbernail @roboll_ And, surprise, the apiserver itself apiserver etcd kubelet controllers scheduler kubectl kube-proxy cluster- autoscaler ingress controllers other apps coredns other node apps
@lbernail @roboll_ What happens when you kubectl? $ kubectl get pod echodeploy-77cf5c6f6-brj76 -v=8 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-brj76
@lbernail @roboll_ Let’s look at details $ kubectl get pod echodeploy-77cf5c6f6-brj76 -v=8 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-brj76 apiserver api version namespace resource type resource name
@lbernail @roboll_ A few more GET examples $ kubectl get pod echodeploy-77cf5c6f6-brj76 -v=8 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-brj76 $ kubectl get pods [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?limit=500 List (paginated)
@lbernail @roboll_ A few more GET examples $ kubectl get pod echodeploy-77cf5c6f6-brj76 -v=8 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-brj76 $ kubectl get pods [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?limit=500 $ kubectl get pods --watch=true -v=8 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?limit=500 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?resourceVersion=282725545&watch=true List & Watch
@lbernail @roboll_ Describe resource kubectl describe pod echodeploy-77cf5c6f6-5wmw9 -v=8 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-5wmw9 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/events? fieldSelector=involvedObject.name=echodeploy-77cf5c6f6-5wmw9, involvedObject.namespace=datadog, involvedObject.uid=770b3a5e-0631-11ea-bc60-12d7306f3c0c [...] ResponseBody { "kind": "EventList", "items": [ { "involvedObject": { "kind": "Pod", "namespace": "datadog", "name": "echodeploy-77cf5c6f6-5wmw9"}, "reason": "Scheduled", "message": "Successfully assigned echodeploy-77cf5c6f6-5wmw9 to ip-10-128-205-156.ec2.internal", "source": { "component": "default-scheduler" }, } ] }
@lbernail @roboll_ Describe resource kubectl describe pod echodeploy-77cf5c6f6-5wmw9 -v=8 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-5wmw9 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/events? fieldSelector=involvedObject.name=echodeploy-77cf5c6f6-5wmw9, involvedObject.namespace=datadog, involvedObject.uid=770b3a5e-0631-11ea-bc60-12d7306f3c0c [...] ResponseBody { "kind": "EventList", "items": [ { "involvedObject": { "kind": "Pod", "namespace": "datadog", "name": "echodeploy-77cf5c6f6-5wmw9"}, "reason": "Scheduled", "message": "Successfully assigned echodeploy-77cf5c6f6-5wmw9 to ip-10-128-205-156.ec2.internal", "source": { "component": "default-scheduler" }, } ] } Get resource
@lbernail @roboll_ Describe resource kubectl describe pod echodeploy-77cf5c6f6-5wmw9 -v=8 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-5wmw9 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/events? fieldSelector=involvedObject.name=echodeploy-77cf5c6f6-5wmw9, involvedObject.namespace=datadog, involvedObject.uid=770b3a5e-0631-11ea-bc60-12d7306f3c0c [...] ResponseBody { "kind": "EventList", "items": [ { "involvedObject": { "kind": "Pod", "namespace": "datadog", "name": "echodeploy-77cf5c6f6-5wmw9"}, "reason": "Scheduled", "message": "Successfully assigned echodeploy-77cf5c6f6-5wmw9 to ip-10-128-205-156.ec2.internal", "source": { "component": "default-scheduler" }, } ] } Get resource Get events associated with resource
@lbernail @roboll_ A few other examples $ kubectl delete pod echodeploy-77cf5c6f6-brj76 -v=8 [...] DELETE https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-brj76 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?fieldSelector=metadata.name%3Dechodeploy-77cf5c6f6-brj76 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?fieldSelector=metadata.name%3Dechodeploy-77cf5c6f6-brj76& resourceVersion=282733788&watch=true Delete + List & Watch
@lbernail @roboll_ A few other examples $ kubectl delete pod echodeploy-77cf5c6f6-brj76 -v=8 [...] DELETE https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-brj76 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?fieldSelector=metadata.name%3Dechodeploy-77cf5c6f6-brj76 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?fieldSelector=metadata.name%3Dechodeploy-77cf5c6f6-brj76& resourceVersion=282733788&watch=true $ kubectl create deployment test --image=busybox -v=8 Request Body: {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"creationTimestamp":null,"labels":{"app":"test"},"name":"test"},"spec":{"replicas":1,"s elector":{"matchLabels":{"app":"test"}},"strategy":{},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"test"}},"spec":{"container s":[{"image":"busybox","name":"busybox","resources":{}}]}}},"status":{}} POST https://kubernetes.fury.us1.staging.dog/apis/apps/v1/namespaces/datadog/deployments Minimal deployment spec POST call
@lbernail @roboll_ A few other examples $ kubectl delete pod echodeploy-77cf5c6f6-brj76 -v=8 [...] DELETE https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-brj76 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?fieldSelector=metadata.name%3Dechodeploy-77cf5c6f6-brj76 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?fieldSelector=metadata.name%3Dechodeploy-77cf5c6f6-brj76& resourceVersion=282733788&watch=true $ kubectl create deployment test --image=busybox -v=8 Request Body: {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"creationTimestamp":null,"labels":{"app":"test"},"name":"test"},"spec":{"replicas":1,"s elector":{"matchLabels":{"app":"test"}},"strategy":{},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"test"}},"spec":{"container s":[{"image":"busybox","name":"busybox","resources":{}}]}}},"status":{}} POST https://kubernetes.fury.us1.staging.dog/apis/apps/v1/namespaces/datadog/deployments $ kubectl scale deploy test --replicas=2 -v=8 GET https://kubernetes.fury.us1.staging.dog/apis/extensions/v1beta1/namespaces/datadog/deployments/test Request Body: {"spec":{"replicas":2}} PATCH https://kubernetes.fury.us1.staging.dog/apis/extensions/v1beta1/namespaces/datadog/deployments/test/scale GET current PATCH body +call
@lbernail @roboll_ Takeaways ● A lot of components are making calls ○ Control plane: controllers, scheduler ○ Node daemons: kubelet, kube-proxy ○ Other controllers: autoscaler, ingress ● “Simple” user ops translate to many API calls How can we understand what is going on?
@lbernail @roboll_ Outline 1. Background: The Kubernetes API 2. Audit Logs 3. Configuring Audit Logs 4. 10000 foot view for a large cluster 5. Understanding Kubernetes Internals 6. Troubleshooting examples
Audit Logs
@lbernail @roboll_ What are Audit Logs? â—Ź Rich Structured json logs output by the apiserver â—Ź Configurable Verbosity for each resource â—Ź Logging can happen at different processing stages apiserverclient 1 3 2: Request processing 1: Apiserver receives request, Stage: RequestReceived 2: Apiserver processes request 3: Apiserver answers, Stage: ResponseComplete/ResponseStarted
@lbernail @roboll_ Content of Audit Logs â—Ź What happened? â—Ź Who initiated it? â—Ź Why was it authorized? â—Ź When did it happen? â—Ź From where? â—Ź Depending on verbosity, Request/Response
@lbernail @roboll_ GET example from earlier Structured JSON log A lot of information $ kubectl get pod echodeploy-77cf5c6f6-5wmw9 -v=8 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-5wamw9
@lbernail @roboll_ What happened? $ kubectl get pod echodeploy-77cf5c6f6-5wmw9 -v=8 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-5wmw9
@lbernail @roboll_ Who initiated it? User was laurent.bernaille@datadoghq.com and mapped to groups - datadoghq.com - system:authenticated $ kubectl get pod echodeploy-77cf5c6f6-5wmw9 -v=8 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-5wamw9
@lbernail @roboll_ Why was it authorized? It was authorized because group datadoghq.com is bound to role datadoghq:cluster-user by ClusterRoleBinding datadoghq:cluster-admin-binding (and this role has the required permissions) $ kubectl get pod echodeploy-77cf5c6f6-5wmw9 -v=8 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-5wamw9
@lbernail @roboll_ When, and from where? Request received at 20:33:26.757 Response completed at 20:33:26:771 Duration: 14ms From IP: 10.X.Y.74 $ kubectl get pod echodeploy-77cf5c6f6-5wmw9 -v=8 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-5wamw9
@lbernail @roboll_ Another GET call $ kubectl get pods -v=8 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?limit=500 GET is mapped to different verbs (get/list)
@lbernail @roboll_ Watches $ kubectl get pods -v=8 -w GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?limit=500 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?resourceVersion=288656279&watch=true Call 1 : list stage: ResponseComplete Call 2 : watch get + watch parameters 136ms later stage: ResponseStarted
@lbernail @roboll_ Create call $ kubectl create deployment test --image=busybox -v=8 POST https://kubernetes.fury.us1.staging.dog/apis/apps/v1/namespaces/datadog/deployments
@lbernail @roboll_ Create call $ kubectl create deployment test --image=busybox -v=8 POST https://kubernetes.fury.us1.staging.dog/apis/apps/v1/namespaces/datadog/deployments
@lbernail @roboll_ Takeaways Audit logs contain information on all API calls â—Ź What happened? â—Ź Who initiated it? â—Ź Why was it authorized? â—Ź When did it happen? â—Ź From where? â—Ź Depending on verbosity, Request/Response OK, how do I get them?
@lbernail @roboll_ Outline 1. Background: The Kubernetes API 2. Audit Logs 3. Configuring Audit Logs 4. 10000 foot view for a large cluster 5. Understanding Kubernetes Internals 6. Troubleshooting examples
Configuring Audit Logs
@lbernail @roboll_ Apiserver configuration kube-apiserver [...] --audit-log-path=/var/log/kubernetes/apiserver/audit.log --audit-policy-file=/etc/kubernetes/audit-policies/policy.yaml [...] Where to store them What to collect Minimum configuration Advanced â—Ź Rotation parameters (max size, backup options) â—Ź Alternative backend (webhook) â—Ź Batching mode
@lbernail @roboll_ apiVersion: audit.k8s.io/v1 kind: Policy rules: # Log pod changes at RequestResponse level - level: RequestResponse omitStages: - "RequestReceived" resources: - group: "" # core API group resources: ["pods"] verbs: ["create", "patch"”, "update", "delete"] # Log "pods/log", "pods/status" at Metadata level - level: Metadata omitStages: - "RequestReceived" resources: - group: "" resources: ["pods/log", "pods/status"] Set of rules Audit policy: what to log?
@lbernail @roboll_ apiVersion: audit.k8s.io/v1 kind: Policy rules: # Log pod changes at RequestResponse level - level: RequestResponse omitStages: - "RequestReceived" resources: - group: "" # core API group resources: ["pods"] verbs: ["create", "patch"”, "update", "delete"] # Log "pods/log", "pods/status" at Metadata level - level: Metadata omitStages: - "RequestReceived" resources: - group: "" resources: ["pods/log", "pods/status"] Rules match api call ● api group / version ● resource ● verbs > Similar to RBAC Audit policy: what to log?
@lbernail @roboll_ apiVersion: audit.k8s.io/v1 kind: Policy rules: # Log pod changes at RequestResponse level - level: RequestResponse omitStages: - "RequestReceived" resources: - group: "" # core API group resources: ["pods"] verbs: ["create", "patch"”, "update", "delete"] # Log "pods/log", "pods/status" at Metadata level - level: Metadata omitStages: - "RequestReceived" resources: - group: "" resources: ["pods/log", "pods/status"] For matching API calls ● Which verbosity? ● When? (stage) Audit policy: when to log?
@lbernail @roboll_ apiVersion: audit.k8s.io/v1 kind: Policy rules: # Log pod changes at RequestResponse level - level: RequestResponse omitStages: - "RequestReceived" resources: - group: "" # core API group resources: ["pods"] verbs: ["create", "patch"”, "update", "delete"] # Log "pods/log", "pods/status" at Metadata level - level: Metadata omitStages: - "RequestReceived" resources: - group: "" resources: ["pods/log", "pods/status"] Gotchas Rules are evaluated in order First matching rule sets level Request/RequestResponse > contain payload data Careful with security implications ex: tokenreviews calls group: “” means core API only Don’t forget to add ● 3rd party apiservices ● your apiservices
@lbernail @roboll_ Recommendations â—Ź Ignore RequestReceived stage â—Ź Use at least Metadata level for almost everything â—‹ Possibly ignore healthz, metrics â—Ź Use Request/Response level for critical resource/verbs â—‹ Very valuable for retroactive debugging â—‹ Careful for large/sensitive request/response bodies â—Ź Very complete example in GKE https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure-helper.sh â—Ź Documentation https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy
@lbernail @roboll_ Takeaways ● Getting audit logs is “simple”: 2 flags ● Getting policies right is harder ● You will get a lot of logs ● Requires a solution to analyze them Let’s look at an overview on a real large cluster
@lbernail @roboll_ Outline 1. Background: The Kubernetes API 2. Audit Logs 3. Configuring Audit Logs 4. 10000 foot view for a large cluster 5. Understanding Kubernetes Internals 6. Troubleshooting examples
10000 foot view for a large cluster
@lbernail @roboll_ Total number of API calls ~900 calls/second on this 2500 nodes cluster Number of audit logs per hour
@lbernail @roboll_ Top API users? apiserver: 40 rps kube-proxy: 20 rps local-volume-provisioner:20 rps cronjob-controller: 15 rps spinnaker: 5-10 rps
@lbernail @roboll_ Top list, missing “small” users total: ~900rps Top 25: 150 rps 900 calls/second on this 2500 nodes cluster What is doing ~80% of API calls? Total number of API calls
@lbernail @roboll_ Grouping by users is not helping Calls from users in group “system:nodes”: 750 rps (~80% of API calls) In this 2500-nodes cluster, this means 0.3 rps per node! Calls by user group group=system:nodes
@lbernail @roboll_ Why is “system:nodes” so high? nodes: 500 rps configmaps: 75 rps secrets: 60 rps Calls from group “system:nodes” by resource targeted
@lbernail @roboll_ Verbs on “node” for a kubelet 10s Each node update its status every 10s
@lbernail @roboll_ Verbs on “configmaps” Only GETs Regularity but not clear pattern
@lbernail @roboll_ Group by resource name Each configmap is refreshed every ~5mn => GET call Similar for secrets ~5mn
@lbernail @roboll_ List latency by resource Latency for list by resource
@lbernail @roboll_ List latency by resource Latency for list by resource apiserver restarts
@lbernail @roboll_ Compare cluster performances Latency for get pod by cluster (ms) large clusters (1500+ nodes) smaller clusters (<700 nodes)
@lbernail @roboll_ Takeaways â—Ź Biggest users are the ones running on each node â—‹ kubelet, daemonsets (kube-proxy) â—‹ A lot of effort upstream to reduce their load â—‹ Be extra careful of damonsets doing API calls â—Ź Audit logs structure allow to filter and slice & dice â—Ź Audit logs are verbose (1000 logs/s in our example)
@lbernail @roboll_ Outline 1. Background: The Kubernetes API 2. Audit Logs 3. Configuring Audit Logs 4. 10000 foot view for a large cluster 5. Understanding Kubernetes Internals 6. Troubleshooting examples
Understanding Kubernetes Internals
@lbernail @roboll_ Creating a simple deployment apiVersion: apps/v1 kind: Deployment metadata: name: nginx labels: app: nginx spec: replicas: 2 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx
@lbernail @roboll_ Sequence User creates deploy deployment controller creates RS RS controller creates pods Scheduler bind pods Kubelets Update pod status
@lbernail @roboll_ Sequence Scheduler bind pods Scheduler callCreate Binding For nginx pod To node ip-10-x-y-123
@lbernail @roboll_ Actually a lot more node 1 node 2 RS controller Deploy ctrl Scheduler apiserver user Create of Deployment, RS, pods, binding + nodes accept Nodes create pods and generate events Pods are running Deployments/RS update status Additions Apiserver verifies Quotas Components also get/list Creation of events + Update of status fields Complete node workflow ~ 3s
@lbernail @roboll_ Node API calls Initial calls Get pod Update pod/status: ContainerCreating Get service account token
@lbernail @roboll_ Node API calls Create events to show progression MountVolume.SetUp succeeded for volume "default-token-dqmzw" pulling image "nginx" Successfully pulled image "nginx" Created container Started container
@lbernail @roboll_ Node API calls Finalize pod creation Get pod Update container status to “Running”
@lbernail @roboll_ Takeaways ● A lot of interactions between kube components ● Audit logs give a great understanding of this! ● Events are spiky and get generate a lot of logs ● Events have a 1h default TTL, but stay in audit logs Let’s identify some problems using audit logs
@lbernail @roboll_ Outline 1. Background: The Kubernetes API 2. Audit Logs 3. Configuring Audit Logs 4. 10000 foot view for a large cluster 5. Understanding Kubernetes Internals 6. Troubleshooting examples
Troubleshooting examples
@lbernail @roboll_ Troubleshooting ● Understand what happened ○ “Why was a resource deleted?” ● Debug performance regressions/improve performances ○ “Which application is responsible for so many calls?” ● Also, identify issues by looking at HTTP status codes
@lbernail @roboll_ Status codes Calls by status code 200 201 401
@lbernail @roboll_ 4xx only 4xx by status code 401 403 404 422 409
@lbernail @roboll_ 4xx only 4xx by status code 401?? (Unauthorized)
@lbernail @roboll_ Analyzing 401s 401s by source IP 4 nodes only, turns out they had expired certificates
@lbernail @roboll_ 4xx only 4xx by status code 403?? (Forbidden)
@lbernail @roboll_ Analyzing 403s 403s by user Most errors from Traefik serviceAccount Bad RBAC configuration?
@lbernail @roboll_ Analyzing 403s for this user 403s for Traefik serviceAccount by resource We use Traefik without Kubernetes secrets but it still tries to list them
@lbernail @roboll_ 4xx only 4xx by status code 422?? (Invalid)
@lbernail @roboll_ What about 422? 422 by user kube-system:generic-garbage-collector => ??
@lbernail @roboll_ What is failing? generic-garbage-collector by verb / resource patch on pod
@lbernail @roboll_ What is happening? ● Pods are in “Evicted” status and must be kept ● Controlling RS has been deleted and pods should be orphaned ● Garbage collector fails to orphan them (remove ownerRef) ● ReplicaSet has been Terminating for 2 months... ● Root cause: mutating webhook ○ We modify the pod spec at creation ○ Mutating webhook is registered on pods for CREATE/UPDATE ○ We modify immutable fields ○ Garbage collector patch triggers this...
@lbernail @roboll_ Takeaways ● Looking at calls triggering HTTP errors help find issues ○ Misconfigured RBAC (403) ○ Applications doing calls they shouldn’t (403) ○ Expired certificates (401) ○ Other weird things
Conclusion
@lbernail @roboll_ Conclusion â—Ź Audit logs can be incredibly valuable â—‹ Low-level understanding of Kubernetes â—‹ Detection of misconfigurations â—‹ Troubleshooting of issues â—‹ Identify performance issues â—Ź Taking advantage of them require some effort â—‹ Policies are not easy to get right â—‹ They are verbose and require a tool to analyze them
Thank you We’re hiring! Visit our Kubecon booth or https://www.datadoghq.com/careers/ Or contact us directly: @lbernail laurent@datadoghq.com @roboll_ roboll@datadoghq.com

More Related Content

PPTX
Secret Management with Hashicorp Vault and Consul on Kubernetes
An Nguyen
 
PPTX
Observability
Enes Altınok
 
PDF
Coffee Break NeuVector
SUSE
 
PDF
DevSecOps: Key Controls for Modern Security Success
Puma Security, LLC
 
PDF
The Sysdig Secure DevOps Platform
Ashnikbiz
 
PDF
Rancher 2.0 Technical Deep Dive
LINE Corporation
 
PPTX
DEVSECOPS.pptx
MohammadSaif904342
 
PDF
Secret Management with Hashicorp’s Vault
AWS Germany
 
Secret Management with Hashicorp Vault and Consul on Kubernetes
An Nguyen
 
Observability
Enes Altınok
 
Coffee Break NeuVector
SUSE
 
DevSecOps: Key Controls for Modern Security Success
Puma Security, LLC
 
The Sysdig Secure DevOps Platform
Ashnikbiz
 
Rancher 2.0 Technical Deep Dive
LINE Corporation
 
DEVSECOPS.pptx
MohammadSaif904342
 
Secret Management with Hashicorp’s Vault
AWS Germany
 

What's hot (20)

PPTX
DevOps Monitoring and Alerting
Khairul Zebua
 
PDF
Introduction to DevSecOps
Setu Parimi
 
PPTX
Nagios intro
Hsi-Kai Wang
 
PDF
Kubernetes security
Thomas Fricke
 
PDF
Improve monitoring and observability for kubernetes with oss tools
Nilesh Gule
 
PDF
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
PPSX
Service Mesh - Observability
Araf Karsh Hamid
 
PDF
Open Policy Agent
Torin Sandall
 
PPTX
Kubernetes and container security
Volodymyr Shynkar
 
PDF
Scaling containers with KEDA
Nilesh Gule
 
PPTX
Rtf v2 ingress muleSoft meetup self managed kubernetes
Sandeep Deshmukh
 
PDF
Opa gatekeeper
Rita Zhang
 
PDF
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
PPTX
Azure Container Apps
Ken Sykora
 
PPTX
Understanding container security
John Kinsella
 
PDF
Power Platform ALM with DevOps
Christopher R. Barber
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
PDF
Istio service mesh introduction
Kyohei Mizumoto
 
PDF
Container Security Essentials
DNIF
 
PDF
OpenShift 4, the smarter Kubernetes platform
Kangaroot
 
DevOps Monitoring and Alerting
Khairul Zebua
 
Introduction to DevSecOps
Setu Parimi
 
Nagios intro
Hsi-Kai Wang
 
Kubernetes security
Thomas Fricke
 
Improve monitoring and observability for kubernetes with oss tools
Nilesh Gule
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
Service Mesh - Observability
Araf Karsh Hamid
 
Open Policy Agent
Torin Sandall
 
Kubernetes and container security
Volodymyr Shynkar
 
Scaling containers with KEDA
Nilesh Gule
 
Rtf v2 ingress muleSoft meetup self managed kubernetes
Sandeep Deshmukh
 
Opa gatekeeper
Rita Zhang
 
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
Azure Container Apps
Ken Sykora
 
Understanding container security
John Kinsella
 
Power Platform ALM with DevOps
Christopher R. Barber
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
Istio service mesh introduction
Kyohei Mizumoto
 
Container Security Essentials
DNIF
 
OpenShift 4, the smarter Kubernetes platform
Kangaroot
 
Ad

Similar to Making the most out of kubernetes audit logs (20)

PPTX
Building Your Own IoT Platform using FIWARE GEis
FIWARE
 
PPT
FIWARE IoT Proposal & Community
FIWARE
 
PPTX
[Rakuten TechConf2014] [C-5] Ichiba Architecture on ExaLogic
Rakuten Group, Inc.
 
PPTX
New and smart way to develop microservice for istio with micro profile
Emily Jiang
 
PDF
Advanced #2 networking
Vitali Pekelis
 
PDF
apidays Paris 2022 - France Televisions : How we leverage API Platform for ou...
apidays
 
PDF
PuppetDB: A Single Source for Storing Your Puppet Data - PUG NY
Puppet
 
PDF
Mashing Up The Guardian
Michael Brunton-Spall
 
PDF
Kubernetes - Sailing a Sea of Containers
Kel Cecil
 
PDF
CI Provisioning with OpenStack - Gidi Samuels - OpenStack Day Israel 2016
Cloud Native Day Tel Aviv
 
PDF
FrenchKit 2017: Server(less) Swift
Chris Bailey
 
PDF
OpenStack API's and WSGI
Mike Pittaro
 
PDF
NSA for Enterprises Log Analysis Use Cases
WSO2
 
PDF
Mashing Up The Guardian
Michael Brunton-Spall
 
PDF
JDD2015: Kubernetes - Beyond the basics - Paul Bakker
PROIDEA
 
PDF
What's Rio 〜Standalone〜
cyberblack28 Ichikawa
 
PPTX
MicroProfile, Docker, Kubernetes, Istio and Open Shift lab @dev nexus
Emily Jiang
 
PPTX
What is serveless?
Provectus
 
PPTX
OSDN: Serverless technologies with Kubernetes
Provectus
 
PDF
Performance Tuning Your Puppet Infrastructure - PuppetConf 2014
Puppet
 
Building Your Own IoT Platform using FIWARE GEis
FIWARE
 
FIWARE IoT Proposal & Community
FIWARE
 
[Rakuten TechConf2014] [C-5] Ichiba Architecture on ExaLogic
Rakuten Group, Inc.
 
New and smart way to develop microservice for istio with micro profile
Emily Jiang
 
Advanced #2 networking
Vitali Pekelis
 
apidays Paris 2022 - France Televisions : How we leverage API Platform for ou...
apidays
 
PuppetDB: A Single Source for Storing Your Puppet Data - PUG NY
Puppet
 
Mashing Up The Guardian
Michael Brunton-Spall
 
Kubernetes - Sailing a Sea of Containers
Kel Cecil
 
CI Provisioning with OpenStack - Gidi Samuels - OpenStack Day Israel 2016
Cloud Native Day Tel Aviv
 
FrenchKit 2017: Server(less) Swift
Chris Bailey
 
OpenStack API's and WSGI
Mike Pittaro
 
NSA for Enterprises Log Analysis Use Cases
WSO2
 
Mashing Up The Guardian
Michael Brunton-Spall
 
JDD2015: Kubernetes - Beyond the basics - Paul Bakker
PROIDEA
 
What's Rio 〜Standalone〜
cyberblack28 Ichikawa
 
MicroProfile, Docker, Kubernetes, Istio and Open Shift lab @dev nexus
Emily Jiang
 
What is serveless?
Provectus
 
OSDN: Serverless technologies with Kubernetes
Provectus
 
Performance Tuning Your Puppet Infrastructure - PuppetConf 2014
Puppet
 
Ad

More from Laurent Bernaille (17)

PDF
How the OOM Killer Deleted My Namespace
Laurent Bernaille
 
PDF
Kubernetes DNS Horror Stories
Laurent Bernaille
 
PDF
Evolution of kube-proxy (Brussels, Fosdem 2020)
Laurent Bernaille
 
PDF
Kubernetes the Very Hard Way. Velocity Berlin 2019
Laurent Bernaille
 
PDF
Kubernetes the Very Hard Way. Lisa Portland 2019
Laurent Bernaille
 
PDF
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...
Laurent Bernaille
 
PDF
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!
Laurent Bernaille
 
PDF
Optimizing kubernetes networking
Laurent Bernaille
 
PDF
Kubernetes at Datadog the very hard way
Laurent Bernaille
 
PPTX
Deep Dive in Docker Overlay Networks
Laurent Bernaille
 
PPTX
Deeper dive in Docker Overlay Networks
Laurent Bernaille
 
PPTX
Discovering OpenBSD on AWS
Laurent Bernaille
 
PPTX
Operational challenges behind Serverless architectures
Laurent Bernaille
 
PPTX
Deep dive in Docker Overlay Networks
Laurent Bernaille
 
PDF
Feedback on AWS re:invent 2016
Laurent Bernaille
 
PDF
Early recognition of encryted applications
Laurent Bernaille
 
PDF
Early application identification. CONEXT 2006
Laurent Bernaille
 
How the OOM Killer Deleted My Namespace
Laurent Bernaille
 
Kubernetes DNS Horror Stories
Laurent Bernaille
 
Evolution of kube-proxy (Brussels, Fosdem 2020)
Laurent Bernaille
 
Kubernetes the Very Hard Way. Velocity Berlin 2019
Laurent Bernaille
 
Kubernetes the Very Hard Way. Lisa Portland 2019
Laurent Bernaille
 
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...
Laurent Bernaille
 
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!
Laurent Bernaille
 
Optimizing kubernetes networking
Laurent Bernaille
 
Kubernetes at Datadog the very hard way
Laurent Bernaille
 
Deep Dive in Docker Overlay Networks
Laurent Bernaille
 
Deeper dive in Docker Overlay Networks
Laurent Bernaille
 
Discovering OpenBSD on AWS
Laurent Bernaille
 
Operational challenges behind Serverless architectures
Laurent Bernaille
 
Deep dive in Docker Overlay Networks
Laurent Bernaille
 
Feedback on AWS re:invent 2016
Laurent Bernaille
 
Early recognition of encryted applications
Laurent Bernaille
 
Early application identification. CONEXT 2006
Laurent Bernaille
 

Recently uploaded (20)

PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
KodekX | Application Modernization Development
KodekX
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Teaching material agriculture food technology
LiaRayya
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 

Making the most out of kubernetes audit logs

  • 2. Robert Boll @roboll_ Laurent Bernaille @lbernail Making the Most Out of Kubernetes Audit Logs
  • 3. @lbernail @roboll_ Datadog Monitoring service Over 350 integrations Over 1,200 employees Over 8,000 customers Runs on millions of hosts Trillions of data points per day 10000s hosts in our infra 10s of Kubernetes clusters Clusters from 50 to 3000 nodes Multi-cloud Very fast growth
  • 5. @lbernail @roboll_ Outline 1. Background: The Kubernetes API 2. Audit Logs 3. Configuring Audit Logs 4. 10000 foot view for a large cluster 5. Understanding Kubernetes Internals 6. Troubleshooting examples
  • 6. @lbernail @roboll_ Outline 1. Background: The Kubernetes API 2. Audit Logs 3. Configuring Audit Logs 4. 10000 foot view for a large cluster 5. Understanding Kubernetes Internals 6. Troubleshooting examples
  • 11. @lbernail @roboll_ apiserver etcd kubelet controllers scheduler kube-proxy DaemonSet: kube-proxy
  • 12. @lbernail @roboll_ apiserver etcd kubelet controllers scheduler kube-proxy other node apps Other DaemonSets (cni, etc.)
  • 13. @lbernail @roboll_ apiserver etcd kubelet controllers scheduler kube-proxy coredns other node apps Cluster services: DNS
  • 14. @lbernail @roboll_ apiserver etcd kubelet controllers scheduler kube-proxy cluster- autoscaler ingress controllers coredns other node apps Other cluster services
  • 15. @lbernail @roboll_ apiserver etcd kubelet controllers scheduler kube-proxy cluster- autoscaler ingress controllers other apps coredns other node apps Probably several other applications
  • 16. @lbernail @roboll_ And users, of course apiserver etcd kubelet controllers scheduler kubectl kube-proxy cluster- autoscaler ingress controllers other apps coredns other node apps
  • 17. @lbernail @roboll_ And, surprise, the apiserver itself apiserver etcd kubelet controllers scheduler kubectl kube-proxy cluster- autoscaler ingress controllers other apps coredns other node apps
  • 18. @lbernail @roboll_ What happens when you kubectl? $ kubectl get pod echodeploy-77cf5c6f6-brj76 -v=8 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-brj76
  • 19. @lbernail @roboll_ Let’s look at details $ kubectl get pod echodeploy-77cf5c6f6-brj76 -v=8 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-brj76 apiserver api version namespace resource type resource name
  • 20. @lbernail @roboll_ A few more GET examples $ kubectl get pod echodeploy-77cf5c6f6-brj76 -v=8 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-brj76 $ kubectl get pods [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?limit=500 List (paginated)
  • 21. @lbernail @roboll_ A few more GET examples $ kubectl get pod echodeploy-77cf5c6f6-brj76 -v=8 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-brj76 $ kubectl get pods [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?limit=500 $ kubectl get pods --watch=true -v=8 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?limit=500 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?resourceVersion=282725545&watch=true List & Watch
  • 22. @lbernail @roboll_ Describe resource kubectl describe pod echodeploy-77cf5c6f6-5wmw9 -v=8 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-5wmw9 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/events? fieldSelector=involvedObject.name=echodeploy-77cf5c6f6-5wmw9, involvedObject.namespace=datadog, involvedObject.uid=770b3a5e-0631-11ea-bc60-12d7306f3c0c [...] ResponseBody { "kind": "EventList", "items": [ { "involvedObject": { "kind": "Pod", "namespace": "datadog", "name": "echodeploy-77cf5c6f6-5wmw9"}, "reason": "Scheduled", "message": "Successfully assigned echodeploy-77cf5c6f6-5wmw9 to ip-10-128-205-156.ec2.internal", "source": { "component": "default-scheduler" }, } ] }
  • 23. @lbernail @roboll_ Describe resource kubectl describe pod echodeploy-77cf5c6f6-5wmw9 -v=8 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-5wmw9 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/events? fieldSelector=involvedObject.name=echodeploy-77cf5c6f6-5wmw9, involvedObject.namespace=datadog, involvedObject.uid=770b3a5e-0631-11ea-bc60-12d7306f3c0c [...] ResponseBody { "kind": "EventList", "items": [ { "involvedObject": { "kind": "Pod", "namespace": "datadog", "name": "echodeploy-77cf5c6f6-5wmw9"}, "reason": "Scheduled", "message": "Successfully assigned echodeploy-77cf5c6f6-5wmw9 to ip-10-128-205-156.ec2.internal", "source": { "component": "default-scheduler" }, } ] } Get resource
  • 24. @lbernail @roboll_ Describe resource kubectl describe pod echodeploy-77cf5c6f6-5wmw9 -v=8 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-5wmw9 [...] GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/events? fieldSelector=involvedObject.name=echodeploy-77cf5c6f6-5wmw9, involvedObject.namespace=datadog, involvedObject.uid=770b3a5e-0631-11ea-bc60-12d7306f3c0c [...] ResponseBody { "kind": "EventList", "items": [ { "involvedObject": { "kind": "Pod", "namespace": "datadog", "name": "echodeploy-77cf5c6f6-5wmw9"}, "reason": "Scheduled", "message": "Successfully assigned echodeploy-77cf5c6f6-5wmw9 to ip-10-128-205-156.ec2.internal", "source": { "component": "default-scheduler" }, } ] } Get resource Get events associated with resource
  • 25. @lbernail @roboll_ A few other examples $ kubectl delete pod echodeploy-77cf5c6f6-brj76 -v=8 [...] DELETE https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-brj76 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?fieldSelector=metadata.name%3Dechodeploy-77cf5c6f6-brj76 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?fieldSelector=metadata.name%3Dechodeploy-77cf5c6f6-brj76& resourceVersion=282733788&watch=true Delete + List & Watch
  • 26. @lbernail @roboll_ A few other examples $ kubectl delete pod echodeploy-77cf5c6f6-brj76 -v=8 [...] DELETE https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-brj76 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?fieldSelector=metadata.name%3Dechodeploy-77cf5c6f6-brj76 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?fieldSelector=metadata.name%3Dechodeploy-77cf5c6f6-brj76& resourceVersion=282733788&watch=true $ kubectl create deployment test --image=busybox -v=8 Request Body: {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"creationTimestamp":null,"labels":{"app":"test"},"name":"test"},"spec":{"replicas":1,"s elector":{"matchLabels":{"app":"test"}},"strategy":{},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"test"}},"spec":{"container s":[{"image":"busybox","name":"busybox","resources":{}}]}}},"status":{}} POST https://kubernetes.fury.us1.staging.dog/apis/apps/v1/namespaces/datadog/deployments Minimal deployment spec POST call
  • 27. @lbernail @roboll_ A few other examples $ kubectl delete pod echodeploy-77cf5c6f6-brj76 -v=8 [...] DELETE https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-brj76 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?fieldSelector=metadata.name%3Dechodeploy-77cf5c6f6-brj76 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?fieldSelector=metadata.name%3Dechodeploy-77cf5c6f6-brj76& resourceVersion=282733788&watch=true $ kubectl create deployment test --image=busybox -v=8 Request Body: {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"creationTimestamp":null,"labels":{"app":"test"},"name":"test"},"spec":{"replicas":1,"s elector":{"matchLabels":{"app":"test"}},"strategy":{},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"test"}},"spec":{"container s":[{"image":"busybox","name":"busybox","resources":{}}]}}},"status":{}} POST https://kubernetes.fury.us1.staging.dog/apis/apps/v1/namespaces/datadog/deployments $ kubectl scale deploy test --replicas=2 -v=8 GET https://kubernetes.fury.us1.staging.dog/apis/extensions/v1beta1/namespaces/datadog/deployments/test Request Body: {"spec":{"replicas":2}} PATCH https://kubernetes.fury.us1.staging.dog/apis/extensions/v1beta1/namespaces/datadog/deployments/test/scale GET current PATCH body +call
  • 28. @lbernail @roboll_ Takeaways â—Ź A lot of components are making calls â—‹ Control plane: controllers, scheduler â—‹ Node daemons: kubelet, kube-proxy â—‹ Other controllers: autoscaler, ingress â—Ź “Simple” user ops translate to many API calls How can we understand what is going on?
  • 29. @lbernail @roboll_ Outline 1. Background: The Kubernetes API 2. Audit Logs 3. Configuring Audit Logs 4. 10000 foot view for a large cluster 5. Understanding Kubernetes Internals 6. Troubleshooting examples
  • 31. @lbernail @roboll_ What are Audit Logs? â—Ź Rich Structured json logs output by the apiserver â—Ź Configurable Verbosity for each resource â—Ź Logging can happen at different processing stages apiserverclient 1 3 2: Request processing 1: Apiserver receives request, Stage: RequestReceived 2: Apiserver processes request 3: Apiserver answers, Stage: ResponseComplete/ResponseStarted
  • 32. @lbernail @roboll_ Content of Audit Logs â—Ź What happened? â—Ź Who initiated it? â—Ź Why was it authorized? â—Ź When did it happen? â—Ź From where? â—Ź Depending on verbosity, Request/Response
  • 33. @lbernail @roboll_ GET example from earlier Structured JSON log A lot of information $ kubectl get pod echodeploy-77cf5c6f6-5wmw9 -v=8 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-5wamw9
  • 34. @lbernail @roboll_ What happened? $ kubectl get pod echodeploy-77cf5c6f6-5wmw9 -v=8 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-5wmw9
  • 35. @lbernail @roboll_ Who initiated it? User was laurent.bernaille@datadoghq.com and mapped to groups - datadoghq.com - system:authenticated $ kubectl get pod echodeploy-77cf5c6f6-5wmw9 -v=8 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-5wamw9
  • 36. @lbernail @roboll_ Why was it authorized? It was authorized because group datadoghq.com is bound to role datadoghq:cluster-user by ClusterRoleBinding datadoghq:cluster-admin-binding (and this role has the required permissions) $ kubectl get pod echodeploy-77cf5c6f6-5wmw9 -v=8 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-5wamw9
  • 37. @lbernail @roboll_ When, and from where? Request received at 20:33:26.757 Response completed at 20:33:26:771 Duration: 14ms From IP: 10.X.Y.74 $ kubectl get pod echodeploy-77cf5c6f6-5wmw9 -v=8 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods/echodeploy-77cf5c6f6-5wamw9
  • 38. @lbernail @roboll_ Another GET call $ kubectl get pods -v=8 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?limit=500 GET is mapped to different verbs (get/list)
  • 39. @lbernail @roboll_ Watches $ kubectl get pods -v=8 -w GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?limit=500 GET https://kubernetes.fury.us1.staging.dog/api/v1/namespaces/datadog/pods?resourceVersion=288656279&watch=true Call 1 : list stage: ResponseComplete Call 2 : watch get + watch parameters 136ms later stage: ResponseStarted
  • 40. @lbernail @roboll_ Create call $ kubectl create deployment test --image=busybox -v=8 POST https://kubernetes.fury.us1.staging.dog/apis/apps/v1/namespaces/datadog/deployments
  • 41. @lbernail @roboll_ Create call $ kubectl create deployment test --image=busybox -v=8 POST https://kubernetes.fury.us1.staging.dog/apis/apps/v1/namespaces/datadog/deployments
  • 42. @lbernail @roboll_ Takeaways Audit logs contain information on all API calls â—Ź What happened? â—Ź Who initiated it? â—Ź Why was it authorized? â—Ź When did it happen? â—Ź From where? â—Ź Depending on verbosity, Request/Response OK, how do I get them?
  • 43. @lbernail @roboll_ Outline 1. Background: The Kubernetes API 2. Audit Logs 3. Configuring Audit Logs 4. 10000 foot view for a large cluster 5. Understanding Kubernetes Internals 6. Troubleshooting examples
  • 45. @lbernail @roboll_ Apiserver configuration kube-apiserver [...] --audit-log-path=/var/log/kubernetes/apiserver/audit.log --audit-policy-file=/etc/kubernetes/audit-policies/policy.yaml [...] Where to store them What to collect Minimum configuration Advanced â—Ź Rotation parameters (max size, backup options) â—Ź Alternative backend (webhook) â—Ź Batching mode
  • 46. @lbernail @roboll_ apiVersion: audit.k8s.io/v1 kind: Policy rules: # Log pod changes at RequestResponse level - level: RequestResponse omitStages: - "RequestReceived" resources: - group: "" # core API group resources: ["pods"] verbs: ["create", "patch"”, "update", "delete"] # Log "pods/log", "pods/status" at Metadata level - level: Metadata omitStages: - "RequestReceived" resources: - group: "" resources: ["pods/log", "pods/status"] Set of rules Audit policy: what to log?
  • 47. @lbernail @roboll_ apiVersion: audit.k8s.io/v1 kind: Policy rules: # Log pod changes at RequestResponse level - level: RequestResponse omitStages: - "RequestReceived" resources: - group: "" # core API group resources: ["pods"] verbs: ["create", "patch"”, "update", "delete"] # Log "pods/log", "pods/status" at Metadata level - level: Metadata omitStages: - "RequestReceived" resources: - group: "" resources: ["pods/log", "pods/status"] Rules match api call â—Ź api group / version â—Ź resource â—Ź verbs > Similar to RBAC Audit policy: what to log?
  • 48. @lbernail @roboll_ apiVersion: audit.k8s.io/v1 kind: Policy rules: # Log pod changes at RequestResponse level - level: RequestResponse omitStages: - "RequestReceived" resources: - group: "" # core API group resources: ["pods"] verbs: ["create", "patch"”, "update", "delete"] # Log "pods/log", "pods/status" at Metadata level - level: Metadata omitStages: - "RequestReceived" resources: - group: "" resources: ["pods/log", "pods/status"] For matching API calls â—Ź Which verbosity? â—Ź When? (stage) Audit policy: when to log?
  • 49. @lbernail @roboll_ apiVersion: audit.k8s.io/v1 kind: Policy rules: # Log pod changes at RequestResponse level - level: RequestResponse omitStages: - "RequestReceived" resources: - group: "" # core API group resources: ["pods"] verbs: ["create", "patch"”, "update", "delete"] # Log "pods/log", "pods/status" at Metadata level - level: Metadata omitStages: - "RequestReceived" resources: - group: "" resources: ["pods/log", "pods/status"] Gotchas Rules are evaluated in order First matching rule sets level Request/RequestResponse > contain payload data Careful with security implications ex: tokenreviews calls group: “” means core API only Don’t forget to add â—Ź 3rd party apiservices â—Ź your apiservices
  • 50. @lbernail @roboll_ Recommendations â—Ź Ignore RequestReceived stage â—Ź Use at least Metadata level for almost everything â—‹ Possibly ignore healthz, metrics â—Ź Use Request/Response level for critical resource/verbs â—‹ Very valuable for retroactive debugging â—‹ Careful for large/sensitive request/response bodies â—Ź Very complete example in GKE https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure-helper.sh â—Ź Documentation https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy
  • 51. @lbernail @roboll_ Takeaways â—Ź Getting audit logs is “simple”: 2 flags â—Ź Getting policies right is harder â—Ź You will get a lot of logs â—Ź Requires a solution to analyze them Let’s look at an overview on a real large cluster
  • 52. @lbernail @roboll_ Outline 1. Background: The Kubernetes API 2. Audit Logs 3. Configuring Audit Logs 4. 10000 foot view for a large cluster 5. Understanding Kubernetes Internals 6. Troubleshooting examples
  • 53. 10000 foot view for a large cluster
  • 54. @lbernail @roboll_ Total number of API calls ~900 calls/second on this 2500 nodes cluster Number of audit logs per hour
  • 55. @lbernail @roboll_ Top API users? apiserver: 40 rps kube-proxy: 20 rps local-volume-provisioner:20 rps cronjob-controller: 15 rps spinnaker: 5-10 rps
  • 56. @lbernail @roboll_ Top list, missing “small” users total: ~900rps Top 25: 150 rps 900 calls/second on this 2500 nodes cluster What is doing ~80% of API calls? Total number of API calls
  • 57. @lbernail @roboll_ Grouping by users is not helping Calls from users in group “system:nodes”: 750 rps (~80% of API calls) In this 2500-nodes cluster, this means 0.3 rps per node! Calls by user group group=system:nodes
  • 58. @lbernail @roboll_ Why is “system:nodes” so high? nodes: 500 rps configmaps: 75 rps secrets: 60 rps Calls from group “system:nodes” by resource targeted
  • 59. @lbernail @roboll_ Verbs on “node” for a kubelet 10s Each node update its status every 10s
  • 60. @lbernail @roboll_ Verbs on “configmaps” Only GETs Regularity but not clear pattern
  • 61. @lbernail @roboll_ Group by resource name Each configmap is refreshed every ~5mn => GET call Similar for secrets ~5mn
  • 62. @lbernail @roboll_ List latency by resource Latency for list by resource
  • 63. @lbernail @roboll_ List latency by resource Latency for list by resource apiserver restarts
  • 64. @lbernail @roboll_ Compare cluster performances Latency for get pod by cluster (ms) large clusters (1500+ nodes) smaller clusters (<700 nodes)
  • 65. @lbernail @roboll_ Takeaways â—Ź Biggest users are the ones running on each node â—‹ kubelet, daemonsets (kube-proxy) â—‹ A lot of effort upstream to reduce their load â—‹ Be extra careful of damonsets doing API calls â—Ź Audit logs structure allow to filter and slice & dice â—Ź Audit logs are verbose (1000 logs/s in our example)
  • 66. @lbernail @roboll_ Outline 1. Background: The Kubernetes API 2. Audit Logs 3. Configuring Audit Logs 4. 10000 foot view for a large cluster 5. Understanding Kubernetes Internals 6. Troubleshooting examples
  • 68. @lbernail @roboll_ Creating a simple deployment apiVersion: apps/v1 kind: Deployment metadata: name: nginx labels: app: nginx spec: replicas: 2 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx
  • 69. @lbernail @roboll_ Sequence User creates deploy deployment controller creates RS RS controller creates pods Scheduler bind pods Kubelets Update pod status
  • 70. @lbernail @roboll_ Sequence Scheduler bind pods Scheduler callCreate Binding For nginx pod To node ip-10-x-y-123
  • 71. @lbernail @roboll_ Actually a lot more node 1 node 2 RS controller Deploy ctrl Scheduler apiserver user Create of Deployment, RS, pods, binding + nodes accept Nodes create pods and generate events Pods are running Deployments/RS update status Additions Apiserver verifies Quotas Components also get/list Creation of events + Update of status fields Complete node workflow ~ 3s
  • 72. @lbernail @roboll_ Node API calls Initial calls Get pod Update pod/status: ContainerCreating Get service account token
  • 73. @lbernail @roboll_ Node API calls Create events to show progression MountVolume.SetUp succeeded for volume "default-token-dqmzw" pulling image "nginx" Successfully pulled image "nginx" Created container Started container
  • 74. @lbernail @roboll_ Node API calls Finalize pod creation Get pod Update container status to “Running”
  • 75. @lbernail @roboll_ Takeaways â—Ź A lot of interactions between kube components â—Ź Audit logs give a great understanding of this! â—Ź Events are spiky and get generate a lot of logs â—Ź Events have a 1h default TTL, but stay in audit logs Let’s identify some problems using audit logs
  • 76. @lbernail @roboll_ Outline 1. Background: The Kubernetes API 2. Audit Logs 3. Configuring Audit Logs 4. 10000 foot view for a large cluster 5. Understanding Kubernetes Internals 6. Troubleshooting examples
  • 78. @lbernail @roboll_ Troubleshooting â—Ź Understand what happened â—‹ “Why was a resource deleted?” â—Ź Debug performance regressions/improve performances â—‹ “Which application is responsible for so many calls?” â—Ź Also, identify issues by looking at HTTP status codes
  • 79. @lbernail @roboll_ Status codes Calls by status code 200 201 401
  • 80. @lbernail @roboll_ 4xx only 4xx by status code 401 403 404 422 409
  • 81. @lbernail @roboll_ 4xx only 4xx by status code 401?? (Unauthorized)
  • 82. @lbernail @roboll_ Analyzing 401s 401s by source IP 4 nodes only, turns out they had expired certificates
  • 83. @lbernail @roboll_ 4xx only 4xx by status code 403?? (Forbidden)
  • 84. @lbernail @roboll_ Analyzing 403s 403s by user Most errors from Traefik serviceAccount Bad RBAC configuration?
  • 85. @lbernail @roboll_ Analyzing 403s for this user 403s for Traefik serviceAccount by resource We use Traefik without Kubernetes secrets but it still tries to list them
  • 86. @lbernail @roboll_ 4xx only 4xx by status code 422?? (Invalid)
  • 87. @lbernail @roboll_ What about 422? 422 by user kube-system:generic-garbage-collector => ??
  • 88. @lbernail @roboll_ What is failing? generic-garbage-collector by verb / resource patch on pod
  • 89. @lbernail @roboll_ What is happening? â—Ź Pods are in “Evicted” status and must be kept â—Ź Controlling RS has been deleted and pods should be orphaned â—Ź Garbage collector fails to orphan them (remove ownerRef) â—Ź ReplicaSet has been Terminating for 2 months... â—Ź Root cause: mutating webhook â—‹ We modify the pod spec at creation â—‹ Mutating webhook is registered on pods for CREATE/UPDATE â—‹ We modify immutable fields â—‹ Garbage collector patch triggers this...
  • 90. @lbernail @roboll_ Takeaways â—Ź Looking at calls triggering HTTP errors help find issues â—‹ Misconfigured RBAC (403) â—‹ Applications doing calls they shouldn’t (403) â—‹ Expired certificates (401) â—‹ Other weird things
  • 92. @lbernail @roboll_ Conclusion â—Ź Audit logs can be incredibly valuable â—‹ Low-level understanding of Kubernetes â—‹ Detection of misconfigurations â—‹ Troubleshooting of issues â—‹ Identify performance issues â—Ź Taking advantage of them require some effort â—‹ Policies are not easy to get right â—‹ They are verbose and require a tool to analyze them
  • 93. Thank you We’re hiring! Visit our Kubecon booth or https://www.datadoghq.com/careers/ Or contact us directly: @lbernail laurent@datadoghq.com @roboll_ roboll@datadoghq.com