What Should I Do If Excessive Docker Audit Logs Affect the Disk I/O? Symptom: There are a large number of Docker audit logs on existing nodes in some clusters. Due to OS kernel defects, there is a small chance that I/O operations are suspended.
Audit and Logging Audit Cloud Trace Service (CTS) records operations on the cloud resources in your account. You can use the logs generated by CTS to perform security analysis, track resource changes, audit compliance, and locate faults.
What Should I Do If Excessive Docker Audit Logs Affect the Disk I/O? How Do I Fix an Abnormal Container or Node Due to No Thin Pool Disk Space? Where Can I Get the Listening Ports of CCE Worker Nodes?
Unified security and O&M management makes it easy to configure and audit security policies. For example, an enterprise IT account, the resource owner, creates a VPC and subnets and shares multiple subnets with other accounts.
Kubernetes events Collecting Kubernetes Events Control plane component logs Collecting Control Plane Component Logs Kubernetes audit logs Collecting Audit Logs NGINX Ingress Controller add-on logs Collecting NGINX Ingress Controller Logs AOM Kubernetes events If the cluster version
CCE Operations Supported by CTS Cloud Trace Service (CTS) records operations on cloud service resources, allowing you to query, audit, and backtrack the resource operation requests initiated from the CCE console or open APIs as well as responses to the requests.
Audit Logs Table 1 Audit logs Log Type Component Log Stream Description Control plane audit logs audit audit-{{clusterID}} An audit log is a chronological record of user operations on Kubernetes APIs and control plane activities for security.
Discarded Kubernetes APIs Check Items The system scans the audit logs of the past day to check whether the user calls the deprecated APIs of the target Kubernetes version. Due to the limited time range of audit logs, this check item is only an auxiliary method.
Logging Overview Collecting Container Logs Collecting Kubernetes Events Collecting Control Plane Component Logs Collecting Audit Logs Collecting NGINX Ingress Controller Logs Parent Topic: O&M
Constraints The value can be control, audit, or system-addon. Range control: specifies the logs of the control plane components. audit: specifies the audit logs on the control plane. system-addon: specifies the logs of the system add-ons.
Collecting Kubernetes Events Kubernetes audit log Kubernetes audit log audit-{Cluster ID} The option can be enabled separately. Collecting Audit Logs Control plane component log kube-apiserver log kube-apiserver-{Cluster ID} The option can be enabled separately.
Figure 2 Configuring control plane component logs Disabling control plane audit log collection Choose Logging > Control Plane Audit Logs, click Configure Control Plane Audit Logs, and deselect the component whose logs do not need to be collected.
Collect control plane component logs and Kubernetes audit logs from the CCE control plane and add them to the LTS log streams in your account. For details, see Collecting Control Plane Component Logs and Collecting Audit Logs.
Logging CCE works with LTS to collect logs of control plane components (kube-apiserver, kube-controller-manager, and kube-scheduler), Kubernetes audit logs, Kubernetes events, and container logs (stdout logs, text logs, and node logs).
You can use the following examples to learn how to query a specific trace: Use CTS to audit Elastic Volume Service (EVS) creation and deletion operations from the last two weeks. For details, see Security Auditing.
Table 2 Pod security admission labels Mode Target Object Description enforce Pods Policy violations will cause the pod to be rejected. audit Workloads (such as Deployment and job) Policy violations will trigger the addition of an audit annotation to the event recorded in the audit
NOTE: Due to the limited time range of audit logs, this check item is only an auxiliary method. APIs to be deprecated may have been used in the cluster, but their usage is not included in the audit logs of the past day.
Overview Cloud Trace Service (CTS) CTS records operations on your cloud resources, allowing you to obtain, audit, and backtrack resource operation requests initiated from the management console or open APIs as well as responses to these requests.
Security Shared Responsibilities Data Protection Audit and Logging Security Risk Monitoring Certificates