Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI

Enable Cluster Auditing with Simple Log Service

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: AlibabaCloud-ACK-001

Ensure that cluster auditing with Simple Log Service is enabled for your Container Service for Kubernetes (ACK) clusters. Simple Log Service is a comprehensive real-time data logging solution, facilitating the seamless handling of log collection, shipping, search, storage, and analysis. The service provides a user-friendly interface for accessing the Log Viewer and an API for efficient log management. Simple Log Service automatically captures, processes, and stores container and audit logs in a dedicated persistent datastore, collecting container logs from your containers and audit logs from kube-apiserver or deployed ingress, including cluster activity events.

Security

Enabling Simple Log Service for ACK cluster auditing centralizes log collection, provides search and analysis capabilities, and enables correlation of logs across different ACK resources, facilitating better troubleshooting, performance monitoring, and root cause identification.

Audit

To determine if cluster auditing with Simple Log Service is enabled for your ACK clusters, perform the following operations:

Using Alibaba Cloud Console

  1. Sign in to your Alibaba Cloud account.

  2. Navigate to Container Service for Kubernetes (ACK) console at https://cs.console.aliyun.com.

  3. In the left navigation panel, under Overview, choose Clusters.

  4. Click on the name (link) of the ACK cluster that you want to examine, listed in the Cluster Name/ID column.

  5. In the ACK resource navigation panel, under Security, choose Cluster Auditing.

  6. Check the Cluster Auditing dashboard available for the selected cluster. If there is no Cluster Auditing dashboard available, instead a Get Started page with the following message is displayed: Enable Cluster Auditing Now - The Log Service or Cluster Auditing feature is not enabled on the current cluster., cluster auditing with Simple Log Service is not enabled for the selected ACK cluster.

  7. Repeat steps no. 4 – 6 for each Container Service for Kubernetes (ACK) cluster available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

  1. Run GET /clusters command (OSX/Linux/UNIX) to describe the configuration details for each Container Service for Kubernetes (ACK) cluster provisioned in your Alibaba Cloud account:

    aliyun cs GET /clusters
  --header "Content-Type=application/json;"
  --body "{}"

  2. The command output should return the configuration information available for each available ACK cluster (including the cluster ID, i.e. "cluster_id"):

    [
	{
		"cluster_id": "abcd1234abcd1234abcd1234abcd1234a",
		"cluster_spec": "ack.standard",
		"cluster_type": "ManagedKubernetes",
		"created": "2024-02-05T17:44:26+08:00",
		"current_version": "1.28.3-aliyun.1",
		"deletion_protection": false,
		"init_version": "1.28.3-aliyun.1",
		"profile": "Default",
		"region_id": "eu-west-1",
		"size": 1,
		"state": "running",
		"updated": "2024-02-05T17:46:49+08:00",
		"zone_id": "eu-west-1a"
	},

	...

	{
		"cluster_id": "1234abcd1234abcd1234abcd1234abcd1",
		"cluster_spec": "ack.standard",
		"cluster_type": "ManagedKubernetes",
		"created": "2024-02-05T16:40:31+08:00",
		"current_version": "1.28.3-aliyun.1",
		"deletion_protection": false,
		"init_version": "1.28.3-aliyun.1",
		"profile": "Default",
		"region_id": "eu-west-1",
		"size": 1,
		"state": "running",
		"subnet_cidr": "10.65.0.0/16",
		"updated": "2024-02-05T16:42:53+08:00",
		"zone_id": "eu-west-1a"
	}
]

  3. Run GET /clusters/[cluster_id] command (OSX/Linux/UNIX) with the ID of the ACK cluster that you want to examine as the identifier parameter, to describe the configuration metadata available for the selected cluster:

    aliyun cs GET /clusters/abcd1234abcd1234abcd1234abcd1234a
  --header "Content-Type=application/json;"
  --body "{}"
  --output cols=meta_data

  4. The command output should return the configuration metadata available for the selected ACK resource:

    {
	"Addons": [
		{
			"name": "gateway-api",
			"version": "1.0.1"
		},
		{
			"name": "cloud-controller-manager",
			"version": "v2.8.1-mgk"
		},
		{
			"disabled": true,
			"name": "nginx-ingress-controller"
		},
		{
			"name": "ack-scheduler",
			"version": "v1.28.3-aliyun-6.3.5b0d1234"
		},
		{
			"config": "{\"ENITrunking\":\"false\",\"IPVlan\":\"false\",\"NetworkPolicy\":\"false\"}",
			"name": "terway-eniip",
			"version": "v1.6.3"
		}
	],

	...

	"AuditProjectName": "",

	...

	"CloudMonitorVersion": "",
	"DockerVersion": "",
	"EtcdVersion": "v3.5.9",
	"ExtraCertSAN": null,
	"HasSandboxRuntime": false,
	"IPStack": "ipv4",
	"ImageType": "AliyunLinux3",
	"KubernetesVersion": "1.28.3-aliyun.1",
	"Timezone": "",
	"VSwitchIds": null,
	"VersionSpec": null,
	"alicloud-monitor-controllerVersion": "v1.8.4",
	"cloud-controller-managerVersion": "v2.8.1",
	"corednsVersion": "v1.9.3.10-7dfca203-aliyun",
	"csi-pluginVersion": "v1.28.3-eb95171-aliyun",
	"csi-provisionerVersion": "v1.28.3-eb95171-aliyun",
	"gateway-apiVersion": "1.0.1",
	"kube-apiserverVersion": "v1.28.3-aliyun.1",
	"kube-controller-managerVersion": "v1.28.3-aliyun.1",
	"metrics-serverVersion": "v0.3.9.7-85b3699-aliyun",
	"storage-operatorVersion": "v1.28.2-be0cf84-aliyun",
	"terway-eniipVersion": "v1.6.3"
}

    Check the "AuditProjectName" attribute value to identify the Simple Log Service project configured for cluster auditing. If the "AuditProjectName" attribute has no value (i.e. ""), there is no Simple Log Service project configured to collect audit logs for the specified cluster, therefore cluster auditing with Simple Log Service is not enabled for the selected ACK cluster.

Remediation / Resolution

To enable cluster auditing with Simple Log Service for your Container Service for Kubernetes (ACK) clusters, perform the following operations:

Enabling ACK cluster auditing via Alibaba Cloud CLI (aliyun) is not currently supported.

Using Alibaba Cloud Console

  1. Sign in to your Alibaba Cloud account.

  2. Navigate to Simple Log Service console available at https://sls.console.aliyun.com.

  3. Choose Create Project to create a new Simple Log Service project for managing your ACK cluster audit logs.

  4. On the Create Project setup page, provide a unique name for your new project, select the region where your ACK cluster resides, choose the appropriate resource group and logging level, and select Create to create your new Simple Log Service project.

  5. Choose Create Logstore and follow the setup wizard to create a Logstore for log data storage.

  6. Navigate to Container Service for Kubernetes (ACK) console at https://cs.console.aliyun.com.

  7. In the left navigation panel, under Overview, choose Clusters.

  8. Click on the name (link) of the ACK cluster that you want to configure, listed in the Cluster Name/ID column.

  9. In the ACK resource navigation panel, under Security, choose Cluster Auditing.

  10. Select the name of your Simple Log Service project from the Log Service Project Name dropdown list and choose Enable to enable cluster auditing with Simple Log Service for the selected ACK cluster.

  11. Repeat steps no. 8 – 10 for each Container Service for Kubernetes (ACK) cluster available in your Alibaba Cloud account.

References

Publication date Feb 22, 2024

Related AlibabaCloud-ACK rules