kind: KedaController
apiVersion: keda.sh/v1alpha1
metadata:
name: keda
namespace: keda
spec:
# ...
metricsServer:
# ...
auditConfig:
logFormat: "json" (1)
logOutputVolumeClaim: "pvc-audit-log" (2)
policy:
rules: (3)
- level: Metadata
omitStages: "RequestReceived" (4)
omitManagedFields: false (5)
lifetime: (6)
maxAge: "2"
maxBackup: "1"
maxSize: "50"- Documentation
- Red Hat OpenShift Service on AWS
- Nodes
- Automatically scaling pods with the Custom Metrics Autoscaler Operator
- Gathering audit logs history bug_report picture_as_pdf
Soon, all Red Hat OpenShift documentation will only be available on docs.redhat.com, the official location of all Red Hat product documentation. Get familiar with the updated experience today!
- About
- What's new
- Introduction to ROSA
- Architecture
- Tutorials
- Tutorials overview
- ROSA with HCP activation and account linking
- ROSA with HCP private offer acceptance and sharing
- Verifying Permissions for a ROSA STS Deployment
- Deploying ROSA with a Custom DNS Resolver
- Using AWS WAF and Amazon CloudFront to protect ROSA workloads
- Using AWS WAF and AWS ALBs to protect ROSA workloads
- Deploying OpenShift API for Data Protection on a ROSA cluster
- AWS Load Balancer Operator on ROSA
- Configuring Microsoft Entra ID (formerly Azure Active Directory) as an identity provider
- Using AWS Secrets Manager CSI on ROSA with STS
- Using AWS Controllers for Kubernetes on ROSA
- Deploying the External DNS Operator on ROSA
- Dynamically issuing certificates using the cert-manager Operator on ROSA
- Assigning consistent egress IP for external traffic
- Updating component routes with custom domains and TLS certificates
- Getting started with ROSA
- Deploying an application
- Getting started
- Prepare your environment
- Install ROSA with HCP clusters
- Creating ROSA with HCP clusters using the default options
- Creating a ROSA cluster using Terraform
- Creating ROSA with HCP clusters using a custom AWS KMS encryption key
- Creating a private cluster on ROSA with HCP
- Creating ROSA with HCP clusters with external authentication
- Creating ROSA with HCP clusters without a CNI plugin
- Deleting a ROSA with HCP cluster
- Install ROSA Classic clusters
- Creating a ROSA cluster with STS using the default options
- Creating a ROSA cluster with STS using customizations
- Creating a ROSA (classic architecture) cluster using Terraform
- Interactive cluster creation mode reference
- Creating an AWS PrivateLink cluster on ROSA
- Configuring a shared virtual private cloud for ROSA clusters
- Accessing a ROSA cluster
- Configuring identity providers using Red Hat OpenShift Cluster Manager
- Revoking access to a ROSA cluster
- Deleting a ROSA cluster
- Deploying ROSA without AWS STS
- AWS prerequisites for ROSA
- Understanding the ROSA deployment workflow
- Required AWS service quotas
- Configuring your AWS account
- Installing the ROSA CLI
- Creating a ROSA cluster without AWS STS
- Configuring a private cluster
- Deleting access to a ROSA cluster
- Deleting a ROSA cluster
- Command quick reference for creating clusters and users
- Support
- Support overview
- Managing your cluster resources
- Approved Access
- Getting support
- Remote health monitoring with connected clusters
- Gathering data about your cluster
- Summarizing cluster specifications
- Troubleshooting
- Troubleshooting ROSA installations
- Troubleshooting networking
- Verifying node health
- Troubleshooting Operator issues
- Investigating pod issues
- Troubleshooting storage issues
- Investigating monitoring issues
- Diagnosing OpenShift CLI (oc) issues
- Troubleshooting expired offline access tokens
- Troubleshooting IAM roles
- Troubleshooting cluster deployments
- Red Hat OpenShift Service on AWS managed resources
- Web console
- CLI tools
- Red Hat OpenShift Cluster Manager
- Cluster administration
- Security and compliance
- Authentication and authorization
- Authentication and authorization overview
- Understanding authentication
- Managing user-owned OAuth access tokens
- Configuring identity providers
- Using RBAC to define and apply permissions
- Understanding and creating service accounts
- Using service accounts in applications
- Using a service account as an OAuth client
- Assuming an AWS IAM role for a service account
- Scoping tokens
- Using bound service account tokens
- Managing security context constraints
- Understanding and managing pod security admission
- Syncing LDAP groups
- Upgrading
- CI/CD
- Images
- Overview of images
- Overview of the Cluster Samples Operator
- Using the Cluster Samples Operator with an alternate registry
- Creating images
- Managing images
- Managing image streams
- Using image streams with Kubernetes resources
- Triggering updates on image stream changes
- Image configuration resources (Classic)
- Image configuration resources (HCP)
- Using templates
- Using Ruby on Rails
- Using images
- Add-on services
- Storage
- Registry
- Operators
- Operators overview
- Understanding Operators
- User tasks
- Administrator tasks
- Developing Operators
- About the Operator SDK
- Installing the Operator SDK CLI
- Go-based Operators
- Ansible-based Operators
- Helm-based Operators
- Defining cluster service versions (CSVs)
- Working with bundle images
- Complying with pod security admission
- Validating Operators using the scorecard
- Validating Operator bundles
- High-availability or single-node cluster detection and support
- Configuring built-in monitoring with Prometheus
- Configuring leader election
- Object pruning utility
- Migrating package manifest projects to bundle format
- Operator SDK CLI reference
- Migrating to Operator SDK v0.1.0
- Networking
- About networking
- Networking Operators
- Understanding the DNS Operator
- Understanding the Ingress Operator
- Network verification
- Configuring a cluster-wide proxy during installation
- CIDR range definitions
- Network security
- OVN-Kubernetes network plugin
- OpenShift SDN network plugin
- Configuring Routes
- Building applications
- Building applications overview
- Projects
- Creating applications
- Viewing application composition using the Topology view
- Working with Helm charts
- Deployments
- Quotas
- Using config maps with applications
- Monitoring project and application metrics using the Developer perspective
- Monitoring application health
- Editing applications
- Working with quotas
- Pruning objects to reclaim resources
- Idling applications
- Deleting applications
- Using the Red Hat Marketplace
- Backing up and restoring applications
- Nodes
- Overview of nodes
- Working with pods
- Automatically scaling pods with the Custom Metrics Autoscaler Operator
- Release notes
- Custom Metrics Autoscaler Operator overview
- Installing the custom metrics autoscaler
- Understanding the custom metrics autoscaler triggers
- Understanding the custom metrics autoscaler trigger authentications
- Pausing the custom metrics autoscaler
- Gathering audit logs
- Gathering debugging data
- Viewing Operator metrics
- Understanding how to add custom metrics autoscalers
- Removing the Custom Metrics Autoscaler Operator
- Controlling pod placement onto nodes (scheduling)
- About pod placement using the scheduler
- Placing pods relative to other pods using pod affinity and anti-affinity rules
- Controlling pod placement on nodes using node affinity rules
- Placing pods onto overcommited nodes
- Placing pods on specific nodes using node selectors
- Controlling pod placement using pod topology spread constraints
- Using jobs and daemon sets
- Working with nodes
- Working with containers
- Understanding containers
- Using Init Containers to perform tasks before a pod is deployed
- Using volumes to persist container data
- Mapping volumes using projected volumes
- Allowing containers to consume API objects
- Copying files to or from a container
- Executing remote commands in a container
- Using port forwarding to access applications in a container
- Working with clusters
- Observability
- Observability overview
- Monitoring
- Monitoring overview
- Accessing monitoring for user-defined projects
- Configuring the monitoring stack
- Disabling monitoring for user-defined projects
- Enabling alert routing for user-defined projects
- Managing metrics
- Managing alerts
- Reviewing monitoring dashboards
- Accessing third-party monitoring APIs
- Troubleshooting monitoring issues
- Config map reference for the Cluster Monitoring Operator
- Logging
- Release notes
- Support
- Troubleshooting logging
- About Logging
- Installing Logging
- Updating Logging
- Visualizing logs
- Configuring your Logging deployment
- Log collection and forwarding
- Log storage
- Logging alerts
- Performance and reliability tuning
- Scheduling resources
- Uninstalling Logging
- Exported fields
- API reference
- Glossary
- Service Mesh
- Service Mesh 2.x
- About OpenShift Service Mesh
- Service Mesh 2.x release notes
- Service Mesh architecture
- Service Mesh deployment models
- Service Mesh and Istio differences
- Preparing to install Service Mesh
- Installing the Operators
- Creating the ServiceMeshControlPlane
- Adding workloads to a service mesh
- Enabling sidecar injection
- Upgrading Service Mesh
- Managing users and profiles
- Security
- Traffic management
- Metrics, logs, and traces
- Performance and scalability
- Deploying to production
- Federation
- Extensions
- 3scale WebAssembly for 2.1
- 3scale Istio adapter for 2.0
- Troubleshooting Service Mesh
- Control plane configuration reference
- Kiali configuration reference
- Jaeger configuration reference
- Uninstalling Service Mesh
- Service Mesh 2.x
- Serverless
- Virtualization
- About
- Getting started
- Installing
- Post-installation configuration
- Updating
- Virtual machines
- Creating VMs from Red Hat images
- Creating VMs from custom images
- Connecting to VM consoles
- Configuring SSH access to VMs
- Editing virtual machines
- Editing boot order
- Deleting virtual machines
- Exporting virtual machines
- Managing virtual machine instances
- Controlling virtual machine states
- Using virtual Trusted Platform Module devices
- Managing virtual machines with OpenShift Pipelines
- Advanced virtual machine management
- Working with resource quotas for virtual machines
- Specifying nodes for virtual machines
- Configuring certificate rotation
- Configuring the default CPU model
- UEFI mode for virtual machines
- Configuring PXE booting for virtual machines
- Scheduling virtual machines
- About high availability for virtual machines
- Control plane tuning
- VM disks
- Networking
- Networking configuration overview
- Connecting a VM to the default pod network
- Exposing a VM by using a service
- Connecting a VM to an OVN-Kubernetes secondary network
- Connecting a VM to a service mesh
- Configuring a dedicated network for live migration
- Configuring and viewing IP addresses
- Managing MAC address pools for network interfaces
- Storage
- Storage configuration overview
- Configuring storage profiles
- Managing automatic boot source updates
- Reserving PVC space for file system overhead
- Configuring local storage by using HPP
- Enabling user permissions to clone data volumes across namespaces
- Configuring CDI to override CPU and memory quotas
- Preparing CDI scratch space
- Using preallocation for data volumes
- Managing data volume annotations
- Live migration
- Nodes
- Monitoring
- Support
- Backup and restore
×
Gathering audit logs
You can gather audit logs, which are a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators, or other components of the system.
For example, audit logs can help you understand where an autoscaling request is coming from. This is key information when backends are getting overloaded by autoscaling requests made by user applications and you need to determine which is the troublesome application.
Configuring audit logging
You can configure auditing for the Custom Metrics Autoscaler Operator by editing the KedaController custom resource. The logs are sent to an audit log file on a volume that is secured by using a persistent volume claim in the KedaController CR.
Prerequisites
-
The Custom Metrics Autoscaler Operator must be installed.
Procedure
-
Edit the
KedaControllercustom resource to add theauditConfigstanza:1 Specifies the output format of the audit log, either legacyorjson.2 Specifies an existing persistent volume claim for storing the log data. All requests coming to the API server are logged to this persistent volume claim. If you leave this field empty, the log data is sent to stdout. 3 Specifies which events should be recorded and what data they should include: -
None: Do not log events. -
Metadata: Log only the metadata for the request, such as user, timestamp, and so forth. Do not log the request text and the response text. This is the default. -
Request: Log only the metadata and the request text but not the response text. This option does not apply for non-resource requests. -
RequestResponse: Log event metadata, request text, and response text. This option does not apply for non-resource requests.
4 Specifies stages for which no event is created. 5 Specifies whether to omit the managed fields of the request and response bodies from being written to the API audit log, either trueto omit the fields orfalseto include the fields.6 Specifies the size and lifespan of the audit logs. -
maxAge: The maximum number of days to retain audit log files, based on the timestamp encoded in their filename. -
maxBackup: The maximum number of audit log files to retain. Set to0to retain all audit log files. -
maxSize: The maximum size in megabytes of an audit log file before it gets rotated.
-
Verification
-
View the audit log file directly:
-
Obtain the name of the
keda-metrics-apiserver-*pod:oc get pod -n kedaExample outputNAME READY STATUS RESTARTS AGE custom-metrics-autoscaler-operator-5cb44cd75d-9v4lv 1/1 Running 0 8m20s keda-metrics-apiserver-65c7cc44fd-rrl4r 1/1 Running 0 2m55s keda-operator-776cbb6768-zpj5b 1/1 Running 0 2m55s -
View the log data by using a command similar to the following:
$ oc logs keda-metrics-apiserver-<hash>|grep -i metadata (1)1 Optional: You can use the grepcommand to specify the log level to display:Metadata,Request,RequestResponse.For example:
$ oc logs keda-metrics-apiserver-65c7cc44fd-rrl4r|grep -i metadataExample output... {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"4c81d41b-3dab-4675-90ce-20b87ce24013","stage":"ResponseComplete","requestURI":"/healthz","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["10.131.0.1"],"userAgent":"kube-probe/1.28","responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-02-16T13:00:03.554567Z","stageTimestamp":"2023-02-16T13:00:03.555032Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}} ...
-
-
Alternatively, you can view a specific log:
-
Use a command similar to the following to log into the
keda-metrics-apiserver-*pod:$ oc rsh pod/keda-metrics-apiserver-<hash> -n kedaFor example:
$ oc rsh pod/keda-metrics-apiserver-65c7cc44fd-rrl4r -n keda -
Change to the
/var/audit-policy/directory:sh-4.4$ cd /var/audit-policy/ -
List the available logs:
sh-4.4$ lsExample outputlog-2023.02.17-14:50 policy.yaml -
View the log, as needed:
sh-4.4$ cat <log_name>/<pvc_name>|grep -i <log_level> (1)1 Optional: You can use the grepcommand to specify the log level to display:Metadata,Request,RequestResponse.For example:
sh-4.4$ cat log-2023.02.17-14:50/pvc-audit-log|grep -i RequestExample output... {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"63e7f68c-04ec-4f4d-8749-bf1656572a41","stage":"ResponseComplete","requestURI":"/openapi/v2","verb":"get","user":{"username":"system:aggregator","groups":["system:authenticated"]},"sourceIPs":["10.128.0.1"],"responseStatus":{"metadata":{},"code":304},"requestReceivedTimestamp":"2023-02-17T13:12:55.035478Z","stageTimestamp":"2023-02-17T13:12:55.038346Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:discovery\" of ClusterRole \"system:discovery\" to Group \"system:authenticated\""}} ...
-