What Should I Do If Excessive Docker Audit Logs Affect the Disk I/O? Symptom: There are a large number of Docker audit logs on existing nodes in some clusters. Due to OS kernel defects, there is a small chance that I/O is suspended.
Audit and Logging Audit Cloud Trace Service (CTS) records operations on the cloud resources in your account. You can use the logs generated by CTS to perform security analysis, track resource changes, audit compliance, and locate faults.
CCE Operations Supported by Cloud Trace Service Cloud Trace Service (CTS) records operations on cloud service resources, allowing users to query, audit, and backtrack the resource operation requests initiated from the management console or open APIs as well as responses to the requests
What Should I Do If Excessive Docker Audit Logs Affect the Disk I/O? How Do I Fix an Abnormal Container or Node Due to No Thin Pool Disk Space? Where Can I Get the Listening Ports of CCE Worker Nodes?
Unified security and O&M management makes it easy to configure and audit security policies. For example, an enterprise IT account, the resource owner, creates a VPC and subnets and shares multiple subnets with other accounts.
Control Plane Audit Logs: displays all control plane audit logs in the default log stream audit-{Cluster ID} of the default log group k8s-log-{Cluster ID}. Global Log Query: You can view logs in the log streams of all log groups. You can specify a log stream to view the logs.
Audit Logs Table 1 Audit logs Log Type Component Log Stream Description Control plane audit logs audit audit-{{clusterID}} An audit log is a chronological record of user operations on Kubernetes APIs and control plane activities for security.
Discarded Kubernetes APIs Check Items The system scans the audit logs of the past day to check whether the user calls the deprecated APIs of the target Kubernetes version. Due to the limited time range of audit logs, this check item is only an auxiliary method.
This is a common practice in access control, service registration, service discovery, and log audit of static IP addresses.
Logging Overview Collecting Container Logs Collecting Kubernetes Events Collecting Control Plane Component Logs Collecting Audit Logs Collecting NGINX Ingress Controller Logs Parent Topic: O&M
Options: control, audit, and system-addon.
Collecting Kubernetes Events Kubernetes audit log Kubernetes audit log audit-{Cluster ID} The option can be enabled separately. Collecting Audit Logs Control plane component log kube-apiserver log kube-apiserver-{Cluster ID} The option can be enabled separately.
Figure 2 Configuring control plane component logs Disabling control plane audit log collection Choose Logging > Control Plane Audit Logs, click Configure Control Plane Audit Logs, and deselect the component whose logs do not need to be collected.
Collect control plane component logs and Kubernetes audit logs from the CCE control plane and add them to the LTS log streams in your account. For details, see Collecting Control Plane Component Logs and Collecting Audit Logs.
Logging CCE works with LTS to collect logs of control plane components (kube-apiserver, kube-controller-manager, and kube-scheduler), Kubernetes audit logs, Kubernetes events, and container logs (stdout logs, text logs, and node logs).
Table 2 Pod security admission labels Mode Target Object Description enforce Pods Policy violations will cause the pod to be rejected. audit Workloads (such as Deployment and job) Policy violations will trigger the addition of an audit annotation to the event recorded in the audit
NOTE: Due to the limited time range of audit logs, this check item is only an auxiliary method. APIs to be deprecated may have been used in the cluster, but their usage is not included in the audit logs of the past day.
Overview Cloud Trace Service (CTS) CTS records operations on your cloud resources, allowing you to obtain, audit, and backtrack resource operation requests initiated from the management console or open APIs as well as responses to these requests.
Security Shared Responsibilities Data Protection Audit and Logging Security Risk Monitoring Certificates
Cluster logs are configured successfully. { "ttl_in_days" : 7, "log_configs" : [ { "name" : "kube-controller-manager", "enable" : true }, { "name" : "kube-apiserver", "enable" : true }, { "name" : "kube-scheduler", "enable" : true }, { "name" : "audit