Audit Logging: Configuration and Analysis

Someone deletes a production namespace at 2 AM. Your monitoring fires, Slack lights up, and the on-call engineer scrambles to restore the damage. The first question everyone asks: who did this? Without audit logging, the answer is silence. The kube-apiserver processed the request, executed it, and moved on. No record, no trail, no accountability.
Kubernetes audit logging is the API server's flight recorder. Every request that hits the API server can generate a structured event capturing who made the request, what they asked for, when it happened, and from where. For the KCSA exam, audit logging falls under the Kubernetes Security Fundamentals domain (22% weight). You need to understand how audit policies control what gets recorded, how backends persist those records, and how security tools consume the event stream for threat detection.
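The question from the opening scenario, answered from the event stream. This is an added example, not part of the course material: it assumes a log backend that writes one audit.k8s.io/v1 event per line as JSON, and the sample events, user names, IP addresses and the function name who_deleted are all constructed for illustration.

```python
import json

def _event(verb, user, ip, ts, code=None, stage="ResponseComplete"):
    """Build one constructed audit.k8s.io/v1 event (sample data, not a real log)."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
          "stage": stage, "verb": verb, "requestReceivedTimestamp": ts,
          "user": {"username": user, "groups": ["system:authenticated"]},
          "sourceIPs": [ip],
          "objectRef": {"resource": "namespaces", "name": "production"}}
    if code is not None:  # no response exists yet at the RequestReceived stage
        ev["responseStatus"] = {"code": code}
    return json.dumps(ev)

# Constructed log, one JSON event per line; the last line is a truncated write.
SAMPLE_LOG = "\n".join([
    _event("get", "alice@example.com", "10.0.4.17", "2024-05-01T01:58:03.000000Z", 200),
    _event("delete", "bob@example.com", "203.0.113.9", "2024-05-01T01:59:10.000000Z", 403),
    _event("delete", "system:serviceaccount:ci:deployer", "10.0.7.22",
           "2024-05-01T02:00:41.000000Z", stage="RequestReceived"),
    _event("delete", "system:serviceaccount:ci:deployer", "10.0.7.22",
           "2024-05-01T02:00:41.000000Z", 200),
    '{"kind": "Event", "verb": "dele',
])

def who_deleted(log_text, resource, name):
    """Return (timestamp, username, source_ip, allowed) per completed delete request."""
    hits = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines cut off by rotation or a partial write
        ref = ev.get("objectRef") or {}
        # One request is logged once per stage; count only the final stage.
        if (ev.get("stage") != "ResponseComplete" or ev.get("verb") != "delete"
                or ref.get("resource") != resource or ref.get("name") != name):
            continue
        code = (ev.get("responseStatus") or {}).get("code", 0)
        hits.append((ev.get("requestReceivedTimestamp", ""),
                     (ev.get("user") or {}).get("username", ""),
                     (ev.get("sourceIPs") or ["?"])[0],
                     200 <= code < 300))
    return sorted(hits)

if __name__ == "__main__":
    for ts, user, ip, allowed in who_deleted(SAMPLE_LOG, "namespaces", "production"):
        print(ts, user, ip, "ALLOWED" if allowed else "DENIED")
```

Denied attempts are kept in the result because a 403 shortly before a successful delete is often the more interesting lead.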