Kubernetes Audit Logs for Access Monitoring

Every action in a Kubernetes cluster passes through the API server. Creating a Deployment, reconciling a ReplicaSet, reading a Secret: all of it flows through kube-apiserver. Without audit logging enabled, none of it is recorded. No trail, no accountability, no way to answer "who deleted that namespace at 3 AM?"
Kubernetes audit logging solves this by capturing a chronological record of every API request. The raw firehose of JSON is useless on its own. You need a well-crafted audit policy that filters noise and captures security-relevant events at the right verbosity level. This article covers audit policy structure, enabling audit logging on a kubeadm cluster, reading and analyzing audit events, and connecting audit logs to Falco for real-time alerting. This maps directly to the CKS exam competency "Use Kubernetes audit logs to monitor access" in the Monitoring, Logging and Runtime Security domain (20%).
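As an added example (not part of the original lesson), the policy below shows the noise-versus-signal trade-off the paragraph describes: rules are evaluated top to bottom and the first match wins, so high-volume probes and controller watches are dropped first, Secrets are recorded at `Metadata` only (a `Request` or `RequestResponse` level on Secrets would copy their contents into the log), RBAC changes keep full request and response bodies, and everything else falls through to a `Metadata` catch-all. The resource lists and the choice of levels are assumptions made for illustration; tune them to the cluster.

```yaml
# Added example audit policy for kube-apiserver (not from the original lesson).
# Levels, lowest to highest: None < Metadata < Request < RequestResponse.
# The first rule that matches a request decides its level, so order matters.
apiVersion: audit.k8s.io/v1
kind: Policy
# The RequestReceived stage duplicates the later ResponseComplete entry
# without the outcome, so skip it for every rule.
omitStages:
  - "RequestReceived"
rules:
  # Health and version probes dominate volume and carry no security signal.
  - level: None
    nonResourceURLs:
      - "/healthz*"
      - "/livez*"
      - "/readyz*"
      - "/version"
  # Steady-state reads by core control-plane components are expected traffic.
  - level: None
    users: ["system:kube-controller-manager", "system:kube-scheduler"]
    verbs: ["get", "list", "watch"]
  # Kubelets watching their own pods, nodes and configmaps: also expected.
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get", "list", "watch"]
    resources:
      - group: ""
        resources: ["pods", "nodes", "configmaps"]
  # Secrets and tokens: record who touched them and how, never the payload.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
      - group: "authentication.k8s.io"
        resources: ["tokenreviews"]
  # RBAC objects are the usual privilege-escalation path: keep full bodies
  # so a reviewer can see exactly which permissions were granted.
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  # Mutations to namespaces and workloads, plus exec/port-forward into pods
  # (both are "create" on a subresource). This is the rule that answers
  # "who deleted that namespace at 3 AM?".
  - level: Request
    verbs: ["create", "update", "patch", "delete", "deletecollection"]
    resources:
      - group: ""
        resources: ["namespaces", "pods", "pods/exec", "pods/portforward"]
      - group: "apps"
        resources: ["deployments", "daemonsets", "statefulsets"]
  # Catch-all: identity, verb, resource and response code for everything else.
  - level: Metadata
```

On a kubeadm cluster the policy is wired in through the static manifest for kube-apiserver with `--audit-policy-file` and `--audit-log-path` (plus a hostPath volume so the container can read the file and write the log); `--audit-log-maxage`, `--audit-log-maxbackup` and `--audit-log-maxsize` control rotation. Because the first match wins, a common mistake is placing the `Metadata` catch-all above the `RequestResponse` RBAC rule, which silently downgrades every RBAC event.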