
Azure AKS 審核日誌可透過 Azure Event Hubs 獲取，並由 Falco 的 k8saudit-aks 插件讀取。

開始之前

  • Falco 使用 k8saudit-aks 與 json 插件構建。
  • AKS Cluster。

步驟

  1. 建立 Azure Resources。
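    #!/usr/bin/env bash
    # Step 1: create the Azure resources that route AKS kube-audit logs into an
    # Event Hub and give the collector a blob container for checkpoints.
    # Run it as a script (bash step1.sh); pasting into an interactive shell would
    # make `set -e` close the session on the first failed command.
    set -euo pipefail

    # Variables — replace every <placeholder> before running.
    # (The original `${your ...}` form is not valid shell and aborts with
    # "bad substitution".)
    RESOURCE_GROUP="<your resource group name>"
    LOCATION="<your aks cluster location>"      # example: eastus
    AKS_CLUSTER_NAME="<your aks cluster name>"
    EVENTHUB_NAMESPACE="<your event hub namespace>"
    EVENTHUB_NAME="<your event hub name>"
    STORAGE_ACCOUNT="<your storage account>"    # 3-24 lowercase letters/digits, globally unique
    BLOB_CONTAINER="<your blob container>"
    # Name of the Listen-only rule handed to the collector (arbitrary, constructed here).
    LISTEN_RULE_NAME="falco-listen"

    # Create Event Hub Namespace
    az eventhubs namespace create \
      --name "$EVENTHUB_NAMESPACE" \
      --resource-group "$RESOURCE_GROUP" \
      --location "$LOCATION" \
      --sku Standard

    # Create Event Hub
    az eventhubs eventhub create \
      --name "$EVENTHUB_NAME" \
      --namespace-name "$EVENTHUB_NAMESPACE" \
      --resource-group "$RESOURCE_GROUP" \
      --partition-count 2

    # Enable AKS Diagnostic Settings.
    # Azure Monitor publishes through the namespace-level rule (it needs the
    # Send right); that key stays inside Azure and is never exported below.
    AKS_RESOURCE_ID=$(az aks show --name "$AKS_CLUSTER_NAME" --resource-group "$RESOURCE_GROUP" --query id -o tsv)
    EVENTHUB_AUTH_RULE_ID=$(az eventhubs namespace authorization-rule show \
      --resource-group "$RESOURCE_GROUP" \
      --namespace-name "$EVENTHUB_NAMESPACE" \
      --name "RootManageSharedAccessKey" \
      --query "id" --output tsv)

    # --event-hub pins the hub created above; without it Azure Monitor selects
    # its default hub for the category and the collector reading EVENTHUB_NAME
    # would receive nothing.
    az monitor diagnostic-settings create \
      --name "aks-audit-logs-diagnostics" \
      --resource "$AKS_RESOURCE_ID" \
      --event-hub-rule "$EVENTHUB_AUTH_RULE_ID" \
      --event-hub "$EVENTHUB_NAME" \
      --logs '[{"category": "kube-audit", "enabled": true}]'

    # Least privilege for the consumer: a Listen-only rule scoped to this single
    # hub, instead of the namespace RootManageSharedAccessKey (Manage on everything).
    az eventhubs eventhub authorization-rule create \
      --resource-group "$RESOURCE_GROUP" \
      --namespace-name "$EVENTHUB_NAMESPACE" \
      --eventhub-name "$EVENTHUB_NAME" \
      --name "$LISTEN_RULE_NAME" \
      --rights Listen

    # Create Storage Account for checkpoints.
    # Checkpoints are not public data: disable anonymous blob access and
    # require TLS 1.2.
    az storage account create \
      --name "$STORAGE_ACCOUNT" \
      --resource-group "$RESOURCE_GROUP" \
      --location "$LOCATION" \
      --sku Standard_LRS \
      --min-tls-version TLS1_2 \
      --allow-blob-public-access false

    az storage container create \
      --name "$BLOB_CONTAINER" \
      --account-name "$STORAGE_ACCOUNT"

    # Get connection strings. Both values are credentials: keep them out of
    # shell history, CI logs and version control.
    EVENTHUB_CONNECTION_STRING=$(az eventhubs eventhub authorization-rule keys list \
      --resource-group "$RESOURCE_GROUP" \
      --namespace-name "$EVENTHUB_NAMESPACE" \
      --eventhub-name "$EVENTHUB_NAME" \
      --name "$LISTEN_RULE_NAME" \
      --query primaryConnectionString -o tsv)

    # The storage connection string embeds the account key (full access to the
    # whole account); the collector needs it to write checkpoints.
    BLOB_CONNECTION_STRING=$(az storage account show-connection-string \
      --name "$STORAGE_ACCOUNT" \
      --resource-group "$RESOURCE_GROUP" \
      --query connectionString -o tsv)

    # Emit the values needed by step 2 on stdout. Redirect into a file with
    # restricted permissions (e.g. after `umask 077`) rather than leaving them in
    # terminal scrollback.
    printf 'eventHubConnectionString=%s\n' "$EVENTHUB_CONNECTION_STRING"
    printf 'eventHubName=%s\n' "$EVENTHUB_NAME"
    printf 'blobStorageConnectionString=%s\n' "$BLOB_CONNECTION_STRING"
    printf 'blobStorageContainerName=%s\n' "$BLOB_CONTAINER"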
  2. 更新 overrides.yaml 以啟用稽核日誌收集。
    # overrides.yaml — the aks.* values below are credentials (Event Hub and
    # Storage connection strings); keep this file in a secret store or a
    # Kubernetes Secret, never in plain git.
    visionOne:
        bootstrapToken: ...
        endpoint: ...
        exclusion:
            namespaces: [kube-system]
        ...
    auditLogCollection:
        enabled: true
        provider: aks
        aks:
            # EVENTHUB_CONNECTION_STRING from step 1
            eventHubConnectionString: "${event hub connection string from step 1}"
            # EVENTHUB_NAME from step 1 (the hub the diagnostic setting writes to)
            eventHubName: "${event hub name from step 1}"
            # BLOB_CONNECTION_STRING from step 1 — embeds the storage account key
            blobStorageConnectionString: "${blob storage connection string from step 1}"
            # BLOB_CONTAINER from step 1 (checkpoint store)
            blobStorageContainerName: "${blob storage container name from step 1}"