Gardener architecture separates the control plane (running on the seed cluster) from the workload plane (the shoot cluster). To collect audit logs, you need to install the Helm chart in both locations.

Before you begin

  • Seed cluster access: You must have permission to access the Gardener seed cluster and install Helm charts in the shoot namespace.
  • Shoot cluster access: You must have permission to install Helm charts in the shoot cluster.
  • Kubectl configuration: Kubectl must be configured with contexts for both seed and shoot clusters.

Step 1: Install the Helm chart in the shoot namespace on the seed cluster

Install the Helm chart in the shoot namespace on the seed cluster. This deploys the audit log collection components.
  1. Create seed-overrides.yaml:
    visionOne:
      # Your Vision One bootstrap token
      bootstrapToken: "your-bootstrap-token"
      endpoint: "https://api.xdr.trendmicro.com/external/v2/direct/vcs/external/vcs"

    # Enable audit log collection
    auditLogCollection:
      enabled: true
      provider: gardener
      gardener:
        # IMPORTANT: Set to true for seed cluster installation
        seedCluster: true
  2. Install Helm chart:
    # Switch to seed cluster context
    kubectl config use-context <seed-cluster-context>

    # Install in the shoot namespace
    helm install \
      --values seed-overrides.yaml \
      --namespace shoot--<project>--<shoot-name> \
      trendmicro \
      https://github.com/trendmicro/visionone-container-security-helm/archive/main.tar.gz

Step 2: Install the Helm chart on the shoot cluster

Install the Helm chart in the shoot cluster. This deploys the standard Container Security components.
  1. Create shoot-overrides.yaml:
    visionOne:
      # Your Vision One bootstrap token (same as seed cluster)
      bootstrapToken: "your-bootstrap-token"
      endpoint: "https://api.xdr.trendmicro.com/external/v2/direct/vcs/external/vcs"

    # Enable audit log collection
    auditLogCollection:
      enabled: true
      provider: gardener
      gardener:
        # IMPORTANT: Set to false (or omit) for shoot cluster installation
        seedCluster: false
  2. Install Helm chart:
    # Switch to shoot cluster context
    kubectl config use-context <shoot-cluster-context>

    # Install in the trendmicro-system namespace
    helm install \
      --values shoot-overrides.yaml \
      --namespace trendmicro-system \
      --create-namespace \
      trendmicro \
      https://github.com/trendmicro/visionone-container-security-helm/archive/main.tar.gz

Install multiple shoots on the same seed

To install the Helm chart in multiple shoot namespaces on the same seed cluster, you must configure different ports for each installation to avoid port conflicts.
The seed cluster components use hostNetwork: true to access the seed cluster API server, so their pods bind directly to ports on the host node. If two installations use the same ports, the second installation fails with the error "bind: address already in use".
  1. Install the first shoot namespace with the default ports:
    # seed-values-shoot1.yaml
    visionOne:
      bootstrapToken: "your-bootstrap-token-for-shoot-1"
      endpoint: "https://api.xdr.trendmicro.com/external/v2/direct/vcs/external/vcs"
      auditLogCollector:
        webhookPort: 8030
      apiServerModifier:
        metricsPort: 8040
        healthProbePort: 8050
        webhookPort: 8060
      policyOperator:
        servicePort: 8070
        metricsPort: 8080
        healthProbePort: 8090

    auditLogCollection:
      enabled: true
      provider: gardener
      gardener:
        seedCluster: true
  2. Install the second shoot namespace with different ports:
    # seed-values-shoot2.yaml
    visionOne:
      bootstrapToken: "your-bootstrap-token-for-shoot-2"
      endpoint: "https://api.xdr.trendmicro.com/external/v2/direct/vcs/external/vcs"
      auditLogCollector:
        webhookPort: 8130
      apiServerModifier:
        metricsPort: 8140
        healthProbePort: 8150
        webhookPort: 8160
      policyOperator:
        servicePort: 8170
        metricsPort: 8180
        healthProbePort: 8190

    auditLogCollection:
      enabled: true
      provider: gardener
      gardener:
        seedCluster: true

Port reference and configuration differences

The following table shows the reference for port configuration (each additional installation on the same seed shifts every port by 100):

  Component           Port type         Default   Second install   Third install
  auditLogCollector   webhookPort       8030      8130             8230
  apiServerModifier   metricsPort       8040      8140             8240
  apiServerModifier   healthProbePort   8050      8150             8250
  apiServerModifier   webhookPort       8060      8160             8260
  policyOperator      servicePort       8070      8170             8270
  policyOperator      metricsPort       8080      8180             8280
  policyOperator      healthProbePort   8090      8190             8290
The following table shows the differences between the seed cluster and shoot cluster configurations:

  Setting                                   Seed cluster                                                Shoot cluster
  auditLogCollection.gardener.seedCluster   true                                                        false
  Installation namespace                    shoot--<project>--<name>                                    trendmicro-system
  Components deployed                       audit-log-collector, api-server-modifier, policy-operator   Standard V1CS components
  Port configuration required               Yes (for multiple shoot namespaces)                         No
  Host network                              Yes                                                         No

Troubleshooting

Port conflict error
The following scheduling error indicates a port conflict between seed-side installations that share a host network:
  0/1 nodes are available: 1 node(s) didn't have free ports for the requested pod ports
Check whether another installation in a different shoot namespace on the same seed is using the same ports, and update the port configuration in your values file.
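The port planner and conflict checker below is an added example for the multi-shoot scenario and the port-conflict troubleshooting above; it is not part of the Trend Micro Helm chart or its documentation. It encodes the default ports and the +100 spacing from the port reference table (the spacing is an assumption taken from that table), detects any host port claimed by more than one seed-side installation, finds the next unused port offset, and renders a seed-overrides values file in the same layout as seed-values-shoot1.yaml. The shoot namespace names and bootstrap tokens in the usage section are constructed placeholders.

```python
"""Port planner and conflict checker for several Container Security seed-side
installs on one Gardener seed (added example, not part of the Helm chart)."""

# Ports of the first install on a seed (the "Default" column of the port
# reference); every further install on the same seed shifts each port by +100.
DEFAULT_PORTS = {
    "auditLogCollector": {"webhookPort": 8030},
    "apiServerModifier": {"metricsPort": 8040, "healthProbePort": 8050, "webhookPort": 8060},
    "policyOperator": {"servicePort": 8070, "metricsPort": 8080, "healthProbePort": 8090},
}
PORT_STRIDE = 100  # assumption: the +100 spacing used by the reference table


def port_plan(install_index):
    """Ports for the N-th install on a seed (0 = default, 1 = second, 2 = third, ...)."""
    if install_index < 0:
        raise ValueError("install_index must be >= 0")
    return {
        component: {name: port + PORT_STRIDE * install_index for name, port in ports.items()}
        for component, ports in DEFAULT_PORTS.items()
    }


def flat_ports(plan):
    """Yield ("component.portType", port) pairs for one plan."""
    for component, ports in plan.items():
        for name, port in ports.items():
            yield f"{component}.{name}", port


def find_conflicts(plans):
    """plans: {shoot_namespace: plan}. Return {port: [(namespace, setting), ...]} for
    every host port claimed by more than one install. Seed-side pods run with
    hostNetwork: true, so a shared port leaves the second pod unschedulable
    ("didn't have free ports for the requested pod ports")."""
    claims = {}
    for namespace, plan in plans.items():
        for setting, port in flat_ports(plan):
            claims.setdefault(port, []).append((namespace, setting))
    return {port: owners for port, owners in claims.items() if len(owners) > 1}


def next_free_index(plans):
    """Smallest install index whose plan collides with none of the given plans."""
    used = {port for plan in plans.values() for _, port in flat_ports(plan)}
    index = 0
    while any(port in used for _, port in flat_ports(port_plan(index))):
        index += 1
    return index


def render_seed_values(bootstrap_token, endpoint, plan):
    """Render a seed-overrides values file with the same layout as seed-values-shoot1.yaml."""
    lines = ["visionOne:",
             f'  bootstrapToken: "{bootstrap_token}"',
             f'  endpoint: "{endpoint}"']
    for component, ports in plan.items():
        lines.append(f"  {component}:")
        lines.extend(f"    {name}: {port}" for name, port in ports.items())
    lines += ["", "auditLogCollection:", "  enabled: true", "  provider: gardener",
              "  gardener:", "    seedCluster: true"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed scenario: two installs already on the seed, the second one
    # copied from the first without changing its ports.
    existing = {
        "shoot--demo--alpha": port_plan(0),
        "shoot--demo--beta": port_plan(0),
    }
    for port, owners in sorted(find_conflicts(existing).items()):
        print(f"port {port} claimed by: {owners}")
    existing["shoot--demo--beta"] = port_plan(1)   # move beta to the second-install ports
    print(f"conflicts after fix: {find_conflicts(existing)}")
    # Values file for a third shoot on the same seed, using the next unused offset.
    print(render_seed_values("your-bootstrap-token-for-shoot-3",
                             "https://api.xdr.trendmicro.com/external/v2/direct/vcs/external/vcs",
                             port_plan(next_free_index(existing))))
```

Run the script before a second or third `helm install` on the same seed: feed it the port settings of the installations already present, and only proceed when `find_conflicts` returns an empty result. The generated values file still needs the real bootstrap token for that shoot.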