This document explains how to enable K3s audit logging for OpsRamp NextGen Gateway. It covers Kubernetes cluster-level audit logging to track changes within the NextGen Gateway Kubernetes cluster (K3s or customer-managed Kubernetes environments).
Audit logging provides a record of who performed an action, what action was performed, which resource was affected, and when the action occurred. This supports troubleshooting, incident investigations, and security/compliance needs.
Why This Change Is Needed
Current audit reports are incomplete and do not capture:
- Kubernetes cluster-level changes, including Pod lifecycle operations, Namespace create/delete, workloads, Services, Ingresses, NetworkPolicies, RBAC changes, and so on.
Cluster-level audit logging
The NextGen Gateway Kubernetes cluster must have Kubernetes audit logging enabled (where supported) to record key API activity.
Prerequisites
For K3s audit logging (ISO/OVA / K3s-based deployments), you need:
- Administrative access to the gateway host (sudo/root)
- Ability to edit files under /etc/rancher/k3s/
- A maintenance window to restart K3s
Procedure
The following section explains the steps to enable K3s audit logging for NextGen Gateway.
Step 1: Create the audit policy
Create or update the audit policy file /etc/rancher/k3s/audit-policy.yaml. Open it with the following command:
vi /etc/rancher/k3s/audit-policy.yaml
Then set its contents to the following policy:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # ConfigMaps and Secrets (cluster configuration)
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["configmaps", "secrets"]
  # Workloads (deployments, statefulsets, daemonsets, replicasets, jobs, cronjobs)
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "apps"
        resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
      - group: "batch"
        resources: ["jobs", "cronjobs"]
  # Networking and Service configuration
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["services"]
      - group: "networking.k8s.io"
        resources: ["networkpolicies", "ingresses"]
  # RBAC configuration
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  # Namespace, LimitRange, ResourceQuota configuration
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["namespaces", "limitranges", "resourcequotas"]
  # Pod creation, deletion, and modification
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["pods"]
  # Default: do not log anything else
  - level: None
Step 2: Reference Policy and Configure Audit Log Rotation
Create or update the K3s API server configuration drop-in /etc/rancher/k3s/config.yaml.d/audit.yaml. Open it with the following command:
vi /etc/rancher/k3s/config.yaml.d/audit.yaml
Then set its contents to:
kube-apiserver-arg:
  - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'
  - 'audit-policy-file=/etc/rancher/k3s/audit-policy.yaml'
  - 'audit-log-maxage=30'
  - 'audit-log-maxbackup=10'
  - 'audit-log-maxsize=100'
The arguments have the following meaning:
- audit-log-path: file the API server writes audit events to
- audit-policy-file: path to the policy created in Step 1
- audit-log-maxage: maximum number of days to retain rotated log files
- audit-log-maxbackup: maximum number of rotated log files to keep
- audit-log-maxsize: maximum size (MB) of the log file before it is rotated
Step 3: Restart K3s
Restart K3s to apply the changes:
sudo systemctl restart k3s
Result:
K3s now audits and logs the key API operations selected by the policy (ConfigMap, Secret, workload, Pod, Service, RBAC, and Namespace changes). Events are written to /var/lib/rancher/k3s/server/logs/audit.log and rotated according to the audit-log-maxage, audit-log-maxbackup, and audit-log-maxsize settings from Step 2.
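The log produced by this configuration is a stream of audit.k8s.io/v1 Event objects, one JSON object per line. As an added example (not part of the OpsRamp documentation or the K3s project), the following Python reads such a file and answers the question the page opens with: who did what, to which resource, when, and whether the API server allowed it. The sample events are constructed, not captured from a gateway. Two details matter when reading the real file: the policy sets no omitStages, so every request appears twice (RequestReceived and ResponseComplete), and RequestResponse on secrets copies Secret bodies into audit.log, which the script counts so the file can be protected accordingly.

```python
"""Summarize Kubernetes audit events as written to audit.log by the policy above."""
import json
from collections import Counter

# Constructed sample events (not from a real gateway). Each request appears twice
# because the policy sets no omitStages; only ResponseComplete carries the result.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a1","stage":"RequestReceived","verb":"update","user":{"username":"system:admin","groups":["system:masters"]},"objectRef":{"resource":"configmaps","namespace":"gateway","name":"app-config"},"requestReceivedTimestamp":"2024-05-01T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a1","stage":"ResponseComplete","verb":"update","user":{"username":"system:admin","groups":["system:masters"]},"objectRef":{"resource":"configmaps","namespace":"gateway","name":"app-config"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a2","stage":"RequestReceived","verb":"create","user":{"username":"alice","groups":["developers"]},"objectRef":{"resource":"secrets","namespace":"gateway"},"requestReceivedTimestamp":"2024-05-01T10:05:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a2","stage":"ResponseComplete","verb":"create","user":{"username":"alice","groups":["developers"]},"objectRef":{"resource":"secrets","namespace":"gateway","name":"api-token"},"requestObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"api-token"},"data":{"token":"Y29uc3RydWN0ZWQ="}},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-05-01T10:05:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a3","stage":"RequestReceived","verb":"delete","user":{"username":"alice","groups":["developers"]},"objectRef":{"resource":"clusterrolebindings","name":"cluster-admin","apiGroup":"rbac.authorization.k8s.io"},"requestReceivedTimestamp":"2024-05-01T10:07:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a3","stage":"ResponseComplete","verb":"delete","user":{"username":"alice","groups":["developers"]},"objectRef":{"resource":"clusterrolebindings","name":"cluster-admin","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":403,"reason":"Forbidden"},"requestReceivedTimestamp":"2024-05-01T10:07:00.000000Z"}
"""

def parse_events(text):
    """One audit Event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def completed_events(events):
    """Keep one record per request: the ResponseComplete stage has responseStatus."""
    return [e for e in events if e.get("stage") == "ResponseComplete"]

def summarize(event):
    """Who did what to which resource, when, and the API server's verdict."""
    ref = event.get("objectRef", {})
    return {
        "time": event["requestReceivedTimestamp"],
        "user": event["user"]["username"],
        "verb": event["verb"],
        "resource": ref.get("resource"),
        "target": f'{ref.get("namespace", "")}/{ref.get("name", "")}'.strip("/"),
        "code": event.get("responseStatus", {}).get("code"),
    }

def secret_bodies_logged(events):
    """Count events whose body carries Secret data (RequestResponse level on secrets)."""
    return sum(1 for e in events
               if e.get("objectRef", {}).get("resource") == "secrets" and "requestObject" in e)

def report(text):
    events = completed_events(parse_events(text))
    rows = [summarize(e) for e in events]
    return {
        "rows": rows,
        "denied": [r for r in rows if r["code"] is not None and r["code"] >= 400],
        "by_user": Counter(r["user"] for r in rows),
        "secret_bodies": secret_bodies_logged(events),
    }
```

Run report() over the contents of /var/lib/rancher/k3s/server/logs/audit.log; the "denied" list surfaces rejected RBAC or workload changes, and a non-zero "secret_bodies" count is the signal to restrict read access to the log file and any system it is shipped to.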