Commit efe9f22

Merge pull request #62776 from kelbrown20/OSDOCS-5494-authetication-docs-for-microshift
OSDOCS#7431: Viewing audit logs in troubleshooting MicroShift docs
2 parents f4483de + c9aa4ad commit efe9f22

3 files changed

+63
-0
lines changed

_topic_maps/_topic_map_ms.yml

Lines changed: 2 additions & 0 deletions
@@ -189,5 +189,7 @@ Topics:
189189
File: microshift-troubleshoot-cluster
190190
- Name: Troubleshoot updates
191191
File: microshift-troubleshoot-updates
192+
- Name: Checking audit logs
193+
File: microshift-audit-logs
192194
- Name: Additional information
193195
File: microshift-things-to-know
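
Review bot: The new navigation entry `Name: Checking audit logs` promises more than the content delivers, because the only module the assembly includes is titled "Identifying pod security violations through audit logs". Either narrow the entry name so it mentions pod security violations, or keep the name and have the assembly cover general audit log access as well. The `File: microshift-audit-logs` value does line up with the assembly's `:context:` attribute.
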
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
:_content-type: ASSEMBLY
2+
[id="audit-logs-with-microshift"]
3+
= Checking audit logs on {product-title}
4+
include::_attributes/attributes-microshift.adoc[]
5+
:context: microshift-audit-logs
6+
7+
toc::[]
8+
9+
include::modules/microshift-viewing-audit-logs.adoc[leveloffset=+1]
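
Review bot: The assembly ID on added line 2, `[id="audit-logs-with-microshift"]`, does not match the `:context: microshift-audit-logs` value or the topic map `File:` entry; using one name for all three keeps anchors and cross-references predictable. The assembly also goes straight from the attributes include to `toc::[]` with no introductory paragraph, so add a sentence before the included module that says what the audit logs are used for here.
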
Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
1+
// Module included in the following assemblies:
2+
//
3+
//microshift_troubleshooting/microshift-audit-logs.adoc
4+
5+
:_content-type: PROCEDURE
6+
[id="microshift-security-context-constraints-alert-eval_{context}"]
7+
= Identifying pod security violations through audit logs
8+
9+
You can identify pod security admission violations on a workload by viewing the server audit logs. The following procedure shows you how to access the audit logs and parse them to find pod security admission violations in a workload.
10+
11+
.Prerequisites
12+
13+
* You have installed `jq`.
14+
* You have access to the cluster as a user with the `cluster-admin` role.
15+
16+
.Procedure
17+
18+
. To retrieve the node name, run the following command:
19+
+
20+
[source,terminal]
21+
----
22+
$ <node_name>=$(oc get node -ojsonpath='{.items[0].metadata.name}')
23+
----
24+
. To view the audit logs, run the following command:
25+
+
26+
[source,terminal]
27+
----
28+
$ oc adm node-logs <node_name> --path=kube-apiserver/
29+
----
30+
+
31+
.Example output
32+
[source,terminal]
33+
----
34+
rhel-92.lab.local audit-2023-08-18T18-25-41.663.log
35+
rhel-92.lab.local audit-2023-08-19T11-21-29.225.log
36+
rhel-92.lab.local audit-2023-08-20T04-16-09.622.log
37+
rhel-92.lab.local audit-2023-08-20T21-11-41.163.log
38+
rhel-92.lab.local audit-2023-08-21T14-06-10.402.log
39+
rhel-92.lab.local audit-2023-08-22T06-35-10.392.log
40+
rhel-92.lab.local audit-2023-08-22T23-26-27.667.log
41+
rhel-92.lab.local audit-2023-08-23T16-52-15.456.log
42+
rhel-92.lab.local audit-2023-08-24T07-31-55.238.log
43+
----
44+
45+
. To parse the affected audit logs, enter the following command:
46+
+
47+
[source,terminal]
48+
----
49+
$ oc adm node-logs <node_name> --path=kube-apiserver/audit.log \
50+
| jq -r 'select((.annotations["pod-security.kubernetes.io/audit-violations"] != null) and (.objectRef.resource=="pods")) | .objectRef.namespace + " " + .objectRef.name + " " + .objectRef.resource' \
51+
| sort | uniq -c
52+
----
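
Review bot: The step 1 command on added line 22, `$ <node_name>=$(oc get node ...)`, is not a valid shell assignment: the shell parses `<` and `>` as redirections, so a user who pastes it gets an error instead of a variable. Assign to a real variable, for example `NODE_NAME=$(oc get node -ojsonpath='{.items[0].metadata.name}')`, and reference `$NODE_NAME` in steps 2 and 3, or drop the assignment and tell the reader to note the printed name for the `<node_name>` placeholder. Other points in this hunk: the module ID on added line 6, `microshift-security-context-constraints-alert-eval_{context}`, looks carried over from a different module and should describe this one; step 3 reads `kube-apiserver/audit.log`, but the example output in step 2 lists only rotated `audit-<timestamp>.log` files, so state which file holds current events and how to query a rotated one; the prerequisites list `jq` but not the `oc` CLI that every step uses; the `jq` filter prints `.objectRef.resource` even though the `select` already restricts it to `pods`, so that column is constant; and step 3 has no example output showing what a violation count line looks like.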
