Enable Cluster Auditing with Simple Log Service

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: AlibabaCloud-ACK-001

Ensure that cluster auditing with Simple Log Service is enabled for your Container Service for Kubernetes (ACK) clusters. Simple Log Service is a comprehensive real-time data logging solution, facilitating the seamless handling of log collection, shipping, search, storage, and analysis. The service provides a user-friendly interface for accessing the Log Viewer and an API for efficient log management. Simple Log Service automatically captures, processes, and stores container and audit logs in a dedicated persistent datastore, collecting container logs from your containers and audit logs from kube-apiserver or deployed ingress, including cluster activity events.

Security

Enabling Simple Log Service for ACK cluster auditing centralizes log collection, provides search and analysis capabilities, and enables correlation of logs across different ACK resources, facilitating better troubleshooting, performance monitoring, and root cause identification.


Audit

To determine if cluster auditing with Simple Log Service is enabled for your ACK clusters, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Container Service for Kubernetes (ACK) console at https://cs.console.aliyun.com.

03 In the left navigation panel, under Overview, choose Clusters.

04 Click on the name (link) of the ACK cluster that you want to examine, listed in the Cluster Name/ID column.

05 In the ACK resource navigation panel, under Security, choose Cluster Auditing.

06 Check the Cluster Auditing dashboard available for the selected cluster. If no Cluster Auditing dashboard is available and a Get Started page is displayed instead with the message Enable Cluster Auditing Now - The Log Service or Cluster Auditing feature is not enabled on the current cluster., then cluster auditing with Simple Log Service is not enabled for the selected ACK cluster.

07 Repeat steps no. 4 – 6 for each Container Service for Kubernetes (ACK) cluster available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run the GET /clusters command (OSX/Linux/UNIX) to describe the configuration details for each Container Service for Kubernetes (ACK) cluster provisioned in your Alibaba Cloud account:

aliyun cs GET /clusters \
  --header "Content-Type=application/json;" \
  --body "{}"

02 The command output should return the configuration information for each ACK cluster in the account (including the cluster ID, i.e. "cluster_id"):

[
	{
		"cluster_id": "abcd1234abcd1234abcd1234abcd1234a",
		"cluster_spec": "ack.standard",
		"cluster_type": "ManagedKubernetes",
		"created": "2024-02-05T17:44:26+08:00",
		"current_version": "1.28.3-aliyun.1",
		"deletion_protection": false,
		"init_version": "1.28.3-aliyun.1",
		"profile": "Default",
		"region_id": "eu-west-1",
		"size": 1,
		"state": "running",
		"updated": "2024-02-05T17:46:49+08:00",
		"zone_id": "eu-west-1a"
	},

	...

	{
		"cluster_id": "1234abcd1234abcd1234abcd1234abcd1",
		"cluster_spec": "ack.standard",
		"cluster_type": "ManagedKubernetes",
		"created": "2024-02-05T16:40:31+08:00",
		"current_version": "1.28.3-aliyun.1",
		"deletion_protection": false,
		"init_version": "1.28.3-aliyun.1",
		"profile": "Default",
		"region_id": "eu-west-1",
		"size": 1,
		"state": "running",
		"subnet_cidr": "10.65.0.0/16",
		"updated": "2024-02-05T16:42:53+08:00",
		"zone_id": "eu-west-1a"
	}
]

03 Run the GET /clusters/[cluster_id] command (OSX/Linux/UNIX) with the ID of the ACK cluster that you want to examine as the identifier parameter, to describe the configuration metadata for the selected cluster:

aliyun cs GET /clusters/abcd1234abcd1234abcd1234abcd1234a \
  --header "Content-Type=application/json;" \
  --body "{}" \
  --output cols=meta_data

04 The command output should return the configuration metadata available for the selected ACK resource:

{
	"Addons": [
		{
			"name": "gateway-api",
			"version": "1.0.1"
		},
		{
			"name": "cloud-controller-manager",
			"version": "v2.8.1-mgk"
		},
		{
			"disabled": true,
			"name": "nginx-ingress-controller"
		},
		{
			"name": "ack-scheduler",
			"version": "v1.28.3-aliyun-6.3.5b0d1234"
		},
		{
			"config": "{\"ENITrunking\":\"false\",\"IPVlan\":\"false\",\"NetworkPolicy\":\"false\"}",
			"name": "terway-eniip",
			"version": "v1.6.3"
		}
	],

	...

	"AuditProjectName": "",

	...

	"CloudMonitorVersion": "",
	"DockerVersion": "",
	"EtcdVersion": "v3.5.9",
	"ExtraCertSAN": null,
	"HasSandboxRuntime": false,
	"IPStack": "ipv4",
	"ImageType": "AliyunLinux3",
	"KubernetesVersion": "1.28.3-aliyun.1",
	"Timezone": "",
	"VSwitchIds": null,
	"VersionSpec": null,
	"alicloud-monitor-controllerVersion": "v1.8.4",
	"cloud-controller-managerVersion": "v2.8.1",
	"corednsVersion": "v1.9.3.10-7dfca203-aliyun",
	"csi-pluginVersion": "v1.28.3-eb95171-aliyun",
	"csi-provisionerVersion": "v1.28.3-eb95171-aliyun",
	"gateway-apiVersion": "1.0.1",
	"kube-apiserverVersion": "v1.28.3-aliyun.1",
	"kube-controller-managerVersion": "v1.28.3-aliyun.1",
	"metrics-serverVersion": "v0.3.9.7-85b3699-aliyun",
	"storage-operatorVersion": "v1.28.2-be0cf84-aliyun",
	"terway-eniipVersion": "v1.6.3"
}

Check the "AuditProjectName" attribute value to identify the Simple Log Service project configured for cluster auditing. If the "AuditProjectName" attribute has no value (i.e. ""), there is no Simple Log Service project configured to collect audit logs for the specified cluster, therefore cluster auditing with Simple Log Service is not enabled for the selected ACK cluster.
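The CLI audit above (list clusters, fetch each cluster's metadata, inspect "AuditProjectName") as an added Python example; this is not code from the page or from Conformity. The cluster IDs are the ones shown above, the project name is a constructed placeholder, and it is an assumption that the live cluster detail response carries meta_data as a JSON-encoded string (the page shows it already decoded), so both forms are handled.

```python
import json
import subprocess
from typing import Any, Callable, Dict, List

def load_meta_data(raw: Any) -> Dict[str, Any]:
    """Normalise meta_data: this page shows it as a JSON object, while the ACK
    API is assumed to return it as a JSON-encoded string (possibly empty)."""
    if isinstance(raw, str):
        return json.loads(raw) if raw.strip() else {}
    return dict(raw or {})

def audit_project(meta: Dict[str, Any]) -> str:
    """Simple Log Service project used for cluster auditing; '' means not enabled."""
    return (meta.get("AuditProjectName") or "").strip()

def evaluate_cluster(cluster_id: str, meta: Dict[str, Any]) -> Dict[str, Any]:
    project = audit_project(meta)
    return {"cluster_id": cluster_id, "rule": "AlibabaCloud-ACK-001",
            "compliant": bool(project), "audit_project": project}

def evaluate_account(clusters: List[Dict[str, Any]],
                     fetch_meta: Callable[[str], Any]) -> List[Dict[str, Any]]:
    """clusters: parsed output of GET /clusters (step 02);
    fetch_meta(cluster_id): that cluster's meta_data as a dict or JSON string."""
    return [evaluate_cluster(c["cluster_id"], load_meta_data(fetch_meta(c["cluster_id"])))
            for c in clusters]

def run_cli(path: str) -> Any:
    """Live call in the form used on this page; not executed by the sample run."""
    cmd = ["aliyun", "cs", "GET", path,
           "--header", "Content-Type=application/json;", "--body", "{}"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)

def fetch_meta_live(cluster_id: str) -> Any:
    # Assumption: the cluster detail response carries meta_data as a JSON string.
    return run_cli(f"/clusters/{cluster_id}").get("meta_data", "")

# Constructed sample: cluster IDs as on this page; the project name is made up.
SAMPLE_CLUSTERS = [{"cluster_id": "abcd1234abcd1234abcd1234abcd1234a"},
                   {"cluster_id": "1234abcd1234abcd1234abcd1234abcd1"}]
SAMPLE_META = {
    "abcd1234abcd1234abcd1234abcd1234a":
        '{"AuditProjectName": "", "KubernetesVersion": "1.28.3-aliyun.1"}',
    "1234abcd1234abcd1234abcd1234abcd1": {"AuditProjectName": "example-ack-audit-project"},
}

def sample_findings() -> List[Dict[str, Any]]:
    """Evaluate the constructed sample; swap in fetch_meta_live for a real account."""
    return evaluate_account(SAMPLE_CLUSTERS, SAMPLE_META.__getitem__)
```

Against a real account, call evaluate_account(run_cli("/clusters"), fetch_meta_live) with the aliyun CLI configured; a finding with "compliant": False is a cluster that fails this rule.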

Remediation / Resolution

To enable cluster auditing with Simple Log Service for your Container Service for Kubernetes (ACK) clusters, perform the following operations:

Enabling ACK cluster auditing via Alibaba Cloud CLI (aliyun) is not currently supported.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Simple Log Service console available at https://sls.console.aliyun.com.

03 Choose Create Project to create a new Simple Log Service project for managing your ACK cluster audit logs.

04 On the Create Project setup page, provide a unique name for your new project, select the region where your ACK cluster resides, choose the appropriate resource group and logging level, and select Create to create your new Simple Log Service project.

05 Choose Create Logstore and follow the setup wizard to create a Logstore for log data storage.

06 Navigate to Container Service for Kubernetes (ACK) console at https://cs.console.aliyun.com.

07 In the left navigation panel, under Overview, choose Clusters.

08 Click on the name (link) of the ACK cluster that you want to configure, listed in the Cluster Name/ID column.

09 In the ACK resource navigation panel, under Security, choose Cluster Auditing.

10 Select the name of your Simple Log Service project from the Log Service Project Name dropdown list and choose Enable to enable cluster auditing with Simple Log Service for the selected ACK cluster.

11 Repeat steps no. 8 – 10 for each Container Service for Kubernetes (ACK) cluster available in your Alibaba Cloud account.

Publication date: Feb 22, 2024