Updated on 2024-11-08 GMT+08:00

Container Audit Overview

What Is Container Audit?

Keep track of the operations and activities in your container clusters, gaining insight into every phase of the container lifecycle, including creating, starting, stopping, and destroying containers; as well as the communication and transmission between containers. Find and handle security problems through audit and analysis in a timely manner, ensuring the security and stability of container clusters.

Audit Objects

  • Cluster container: Kubernetes audit logs, Kubernetes events, container logs, and container commands
  • Independent container: container logs and container commands
  • SWR image repository: image repository logs

Scenario

If an abnormal operation or activity occurs in the container environment, you can analyze container audit logs to locate the occurrence time, track the event, and work out a solution.

Description

To enable container audit, the following conditions must be met:

  1. The cluster container or independent container has been connected to HSS, and is protected by the container edition.

    For more information, see Installing an Agent in a Cluster and Enabling Container Protection.

  2. Meet the prerequisites for certain audit objects, as shown in Table 1.
    Table 1 Audit prerequisites

    Object

    Audit Object

    Audit Prerequisite

    User-built or third-party cloud cluster

    Kubernetes audit logs

    1. Enable the cluster intrusion detection policy.

      For details, see Configuring Policies.

    2. Enable API server audit.

      For details, see Enabling the API Server Audit Function.

    Huawei Cloud CCE clusters

    Kubernetes audit logs

    On the CCE console, enable the collection of Kubernetes events, Kubernetes audit logs, and container logs. For details, see Configuring CCE Logs.

    Kubernetes audit events

    Container logs

    SWR private image repository

    Image repository logs

    You have used SWR and granted the operation permission (CTSOperatePolicy) for HSS. For details, see Authorization.

After container audit is enabled, operation and activity logs in the cluster are recorded on the HSS console. For details about how to view audit logs, see Viewing Container Audit Logs.