Kubernetes Audit Logging: Containerized Apps are Only as Secure as the Cluster Where They Run

Webinar Registration

Applications are increasingly being containerized, and once they are, they invariably end up on a Kubernetes cluster. The security relationship between containers and Kubernetes is the same as that between VMs and the hypervisor and surrounding virtualization infrastructure they run on.

The point is, containerized apps are only as safe as the Kubernetes cluster in which they run. Your Kubernetes cluster is probably hosted in the cloud, but that shouldn’t matter when it comes to security monitoring. 

To ensure a secure environment, you need to know what’s happening inside that cluster:

  • Who is creating new pods and what container images are they based on?
  • When are RBAC permissions and role bindings changed?
  • Which IP addresses are making API requests to the cluster?
  • Who is messing with persistent storage volumes?
  • Are DevOps admins storing secrets in configmaps?
  • Who attached to that pod or node and ran arbitrary commands?

In this real training for free session, I will introduce you to Kubernetes audit logging. You will learn about:

  • Kubernetes audit policy – how to capture the events that matter without flooding the API server and your log pipeline with useless noise. Rules are evaluated in order and the first matching rule decides how much of a request is recorded, so the order of your rules matters as much as their content.
  • Audit backends – the Kubernetes mechanism for persisting audit events to local storage and/or your logging pipeline. I’ll explain the 3 backend types: log (a file on the control-plane node), webhook (events POSTed to an external HTTP endpoint) and dynamic. Note that the dynamic backend (AuditSink) never left alpha and was removed in Kubernetes 1.19, so on a current cluster the choice is between log and webhook.

I’ll show you some good audit policies to start from to make sure you get the right events, and I’ll provide some examples of real Kubernetes audit events so that you get a feel for the type of activity you can track, what it looks like and how it’s formatted. 
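The audit policy semantics described above, worked through as an added example that is not code from the webinar or from Kubernetes itself: a small model of how the API server picks an audit level (first matching rule wins, no match means not logged), a starter policy in the shape of the audit.k8s.io/v1 YAML, and a handful of constructed requests run against it. The policy and the sample requests are assumptions for the demo, and only a subset of the rule schema is modelled (no omitStages, no nonResourceURLs).

```python
"""Model of Kubernetes audit policy evaluation: first matching rule wins.

Added example, not code from the webinar or from Kubernetes. A rule matches
when every selector it sets (users, userGroups, verbs, resources, namespaces)
matches the request; the first match decides the level; a request matching
no rule is not logged at all. Policy and requests below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiRequest:  # the attributes the apiserver checks rules against
    user: str
    groups: tuple
    verb: str
    group: str      # API group; "" is the core group
    resource: str   # "pods", or "pods/exec" for a subresource
    namespace: str  # "" for cluster-scoped objects


def _resource_matches(entries, req):
    """resources: [{group, resources}]. 'pods' does NOT match 'pods/exec';
    name the subresource ('pods/exec'), use 'pods/*', or '*' for everything."""
    base = req.resource.split("/", 1)[0]
    for entry in entries:
        if entry.get("group", "") != req.group:
            continue
        names = entry.get("resources")
        if names is None:  # group given, resources omitted: the whole group
            return True
        if any(n in ("*", req.resource) or n == base + "/*" for n in names):
            return True
    return False


def rule_matches(rule, req):
    if "users" in rule and req.user not in rule["users"]:
        return False
    if "userGroups" in rule and not set(rule["userGroups"]) & set(req.groups):
        return False
    if "verbs" in rule and req.verb not in rule["verbs"]:
        return False
    if "namespaces" in rule and req.namespace not in rule["namespaces"]:
        return False
    if "resources" in rule and not _resource_matches(rule["resources"], req):
        return False
    return True


def audit_level(policy, req):
    """Level of the first matching rule; 'None' (not logged) if nothing matches."""
    for rule in policy["rules"]:
        if rule_matches(rule, req):
            return rule["level"]
    return "None"


# Starter policy (assumed) in the shape of the audit.k8s.io/v1 YAML, as a dict
# so the file runs stand-alone. Noise-dropping rules come first: order decides.
STARTER_POLICY = {"apiVersion": "audit.k8s.io/v1", "kind": "Policy", "rules": [
    # Drop the read chatter from control-plane components and from
    # high-churn, low-value resources.
    {"level": "None", "verbs": ["get", "list", "watch"], "users": [
        "system:kube-proxy", "system:kube-scheduler", "system:kube-controller-manager"]},
    {"level": "None", "verbs": ["get", "list", "watch"],
     "resources": [{"group": "", "resources": ["endpoints", "events"]}]},
    # Secrets: metadata only, so secret values never land in the audit log.
    {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets"]}]},
    # ConfigMap writes: keep the request body so keys like DB_PASSWORD are visible.
    {"level": "Request", "verbs": ["create", "update", "patch"],
     "resources": [{"group": "", "resources": ["configmaps"]}]},
    # RBAC changes: full request and response to see exactly what changed.
    {"level": "RequestResponse", "verbs": ["create", "update", "patch", "delete"],
     "resources": [{"group": "rbac.authorization.k8s.io"}]},
    # Pod creation: the request body carries the container images.
    {"level": "RequestResponse", "verbs": ["create"],
     "resources": [{"group": "", "resources": ["pods"]}]},
    # exec/attach/portforward: the requestURI already carries ?command=..., so
    # Metadata is enough; the explicit rule survives a later tightened catch-all.
    {"level": "Metadata", "resources": [{"group": "", "resources": [
        "pods/exec", "pods/attach", "pods/portforward"]}]},
    # Everything else: who did what, without request bodies.
    {"level": "Metadata"},
]}

SAMPLE_REQUESTS = {  # constructed
    "proxy_watch": ApiRequest("system:kube-proxy", ("system:authenticated",), "watch", "", "endpoints", ""),
    "pod_create": ApiRequest("alice", ("system:authenticated", "devs"), "create", "", "pods", "prod"),
    "secret_get": ApiRequest("alice", ("system:authenticated",), "get", "", "secrets", "prod"),
    "rbac_bind": ApiRequest("bob", ("system:authenticated", "system:masters"), "create",
                            "rbac.authorization.k8s.io", "clusterrolebindings", ""),
    "pod_exec": ApiRequest("alice", ("system:authenticated",), "create", "", "pods/exec", "prod"),
    "pod_list": ApiRequest("alice", ("system:authenticated",), "list", "", "pods", "prod"),
}


def evaluate_samples(policy=STARTER_POLICY):
    """Map each sample request to the level the policy assigns it."""
    return {name: audit_level(policy, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, level in evaluate_samples().items():
        print(f"{name:12s} -> {level}")
```

Two things the run makes visible: the `pods` rule does not catch `pods/exec` (the subresource needs its own entry or `pods/*`), and a policy with no catch-all silently drops everything it does not name, which is how clusters end up with "audit logging enabled" and nothing useful in the log.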

Next, Rich Bakos and Kyle Senescu from LogRhythm will advance the training and put my points in context with security considerations, including:

  • Ensuring that only approved container images are deployed.
  • Ensuring the API server isn’t exposed to the outside world (only an approved list of source IPs should be calling it).
  • Tracking inbound and outbound traffic for the cluster and its pods.
  • Monitoring and visualizing container log data, and what’s happening within the application itself.
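The questions listed earlier (who created which pods from which images, RBAC changes, which IPs call the API, secrets in ConfigMaps, exec into pods) and the approved-image and approved-IP checks above, run as detection logic over audit events. This is an added example, not code from the webinar, LogRhythm or Kubernetes; the events are constructed to follow the audit.k8s.io/v1 Event layout (user, sourceIPs, verb, objectRef, requestObject, stage), and the approved registry and client allow-list are assumptions.

```python
"""Triage of kube-apiserver audit events (audit.k8s.io/v1, one JSON object per line).

Added example, not code from the webinar, LogRhythm or Kubernetes. The approved
registry, the client allow-list and the sample log lines are constructed.
"""
import ipaddress
import json

APPROVED_REGISTRIES = ("registry.example.internal/",)        # assumption
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption
MUTATING_VERBS = {"create", "update", "patch", "delete"}
SECRET_KEY_HINTS = ("password", "passwd", "secret", "token", "apikey", "api_key")


def _finding(event, rule, detail):
    return {"rule": rule, "auditID": event.get("auditID"),
            "user": (event.get("user") or {}).get("username", "?"),
            "sourceIPs": event.get("sourceIPs") or [],
            "code": (event.get("responseStatus") or {}).get("code"),
            "detail": detail}


def container_images(event):
    """Images from the Pod body; only present at Request/RequestResponse level."""
    spec = (event.get("requestObject") or {}).get("spec") or {}
    return [c.get("image", "") for kind in ("initContainers", "containers")
            for c in spec.get(kind, [])]


def triage(event):
    """Findings for one event. RequestReceived has no outcome yet, so skip it."""
    if event.get("stage") == "RequestReceived":
        return []
    ref, verb, out = event.get("objectRef") or {}, event.get("verb"), []
    # Which IPs are calling the API? Anything outside the allow-list is a finding.
    for ip in event.get("sourceIPs") or []:
        if not any(ipaddress.ip_address(ip) in net for net in ALLOWED_CLIENT_NETS):
            out.append(_finding(event, "api-client-outside-allowlist", ip))
    is_pod = ref.get("resource") == "pods"
    # Who is creating pods, and from which images?
    if is_pod and not ref.get("subresource") and verb == "create":
        for image in container_images(event):
            if not image.startswith(APPROVED_REGISTRIES):
                out.append(_finding(event, "unapproved-image", image))
    # Any RBAC change is worth a ticket.
    if ref.get("apiGroup") == "rbac.authorization.k8s.io" and verb in MUTATING_VERBS:
        out.append(_finding(event, "rbac-change", f"{verb} {ref.get('resource')}/{ref.get('name')}"))
    # Secrets in ConfigMaps: report the suspicious key, never its value.
    if ref.get("resource") == "configmaps" and verb in MUTATING_VERBS:
        for key in (event.get("requestObject") or {}).get("data") or {}:
            if any(h in key.lower() for h in SECRET_KEY_HINTS):
                out.append(_finding(event, "secret-in-configmap", key))
    # exec/attach/portforward: the command travels in the query string.
    if is_pod and ref.get("subresource") in ("exec", "attach", "portforward"):
        out.append(_finding(event, "exec-into-pod", event.get("requestURI")))
    return out


def triage_log(lines):
    """Run triage over JSON lines; a long-running request (exec, watch) emits
    ResponseStarted and ResponseComplete with the same auditID, so dedupe."""
    seen, findings = set(), []
    for line in lines:
        if not line.strip():
            continue
        for f in triage(json.loads(line)):
            key = (f["auditID"], f["rule"], f["detail"])
            if key not in seen:
                seen.add(key)
                findings.append(f)
    return findings


# Constructed sample log: six requests, one of them (the exec) at two stages.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods","verb":"create","user":{"username":"alice","groups":["system:authenticated"]},"sourceIPs":["10.20.0.5"],"objectRef":{"resource":"pods","namespace":"prod","name":"web","apiVersion":"v1"},"responseStatus":{"code":201},"requestObject":{"kind":"Pod","spec":{"containers":[{"name":"web","image":"registry.example.internal/web:1.4"}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods","verb":"create","user":{"username":"bob","groups":["system:authenticated"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","namespace":"prod","name":"dbg","apiVersion":"v1"},"responseStatus":{"code":201},"requestObject":{"kind":"Pod","spec":{"containers":[{"name":"dbg","image":"docker.io/library/alpine:latest"}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a3","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"bob","groups":["system:authenticated"]},"sourceIPs":["10.20.0.9"],"objectRef":{"resource":"clusterrolebindings","name":"bob-admin","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/configmaps","verb":"create","user":{"username":"alice","groups":["system:authenticated"]},"sourceIPs":["10.20.0.5"],"objectRef":{"resource":"configmaps","namespace":"prod","name":"app-config","apiVersion":"v1"},"responseStatus":{"code":201},"requestObject":{"kind":"ConfigMap","data":{"LOG_LEVEL":"info","DB_PASSWORD":"hunter2"}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseStarted","requestURI":"/api/v1/namespaces/prod/pods/web/exec?command=sh&stdin=true&tty=true","verb":"create","user":{"username":"alice","groups":["system:authenticated"]},"sourceIPs":["10.20.0.5"],"objectRef":{"resource":"pods","namespace":"prod","name":"web","apiVersion":"v1","subresource":"exec"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods/web/exec?command=sh&stdin=true&tty=true","verb":"create","user":{"username":"alice","groups":["system:authenticated"]},"sourceIPs":["10.20.0.5"],"objectRef":{"resource":"pods","namespace":"prod","name":"web","apiVersion":"v1","subresource":"exec"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a6","stage":"RequestReceived","requestURI":"/api/v1/namespaces/prod/pods","verb":"list","user":{"username":"alice","groups":["system:authenticated"]},"sourceIPs":["10.20.0.5"],"objectRef":{"resource":"pods","namespace":"prod","apiVersion":"v1"}}
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"{f['rule']:30s} user={f['user']:6s} ips={f['sourceIPs']} code={f['code']} {f['detail']}")
```

Note that the image and ConfigMap checks only work for events logged at Request or RequestResponse level; at Metadata level there is no request body and those findings silently disappear, which is why the audit policy and the detections have to be designed together. The same triage works unchanged on the file the log backend writes or on the batches a webhook backend delivers, since both carry the same Event objects.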

Join us for this real-training-for-free session.



