1) Connect to the correct host
ssh cks000028
sudo -i
(If hostname differs in your exam, use the one shown in the question banner.)
2) Edit the API server static pod manifest
In a kubeadm cluster the API server runs as a static pod managed by the kubelet, so changing its manifest is how you change its flags.
vi /etc/kubernetes/manifests/kube-apiserver.yaml
3) Configure API server to enable auditing
Inside the command: section, ensure ALL of the following flags exist
(add them if missing, modify if present).
3.1 Use the given audit policy file
- --audit-policy-file=/etc/kubernetes/logpolicy/audit-policy.yaml
3.2 Store audit logs at the required location
- --audit-log-path=/var/log/kubernetes/audit-logs.txt
3.3 Retain a maximum of 2 log files
- --audit-log-maxbackup=2
3.4 Retain logs for 10 days
- --audit-log-maxage=10
✅ Example (your file may have more flags; that is fine):
    - command:
      - kube-apiserver
      - --audit-policy-file=/etc/kubernetes/logpolicy/audit-policy.yaml
      - --audit-log-path=/var/log/kubernetes/audit-logs.txt
      - --audit-log-maxbackup=2
      - --audit-log-maxage=10
Because the API server runs inside a pod, it can only read the policy file and write the log if /etc/kubernetes/logpolicy and /var/log/kubernetes are mounted into it as hostPath volumes. Check the volumes: and volumeMounts: sections of the manifest and add them if they are missing; otherwise the API server fails to start.
Save and exit:
:wq
The kubelet detects the manifest change and restarts the API server automatically (static pod).
Optional quick check (use docker ps instead if the node runs Docker):
crictl ps | grep kube-apiserver
4) Edit and EXTEND the audit policy
Open the given basic policy:
vi /etc/kubernetes/logpolicy/audit-policy.yaml
The file already contains rules for what NOT to log.
You must ADD rules BELOW them (do not delete existing ones).
5) Add the required audit rules (EXACT ORDER)
Append the following rules, in this order, under the existing rules: key, using the same indentation as the rules already there ⬇️
(order matters in audit policies: the first rule that matches a request decides its level).
5.1 Log namespaces interactions at RequestResponse
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["namespaces"]
5.2 Log deployment request bodies in namespace webapps
  - level: RequestResponse
    namespaces: ["webapps"]
    resources:
    - group: "apps"
      resources: ["deployments"]
5.3 Log ConfigMap and Secret interactions (all namespaces) at Metadata
  - level: Metadata
    resources:
    - group: ""
      resources: ["configmaps", "secrets"]
5.4 Log all other requests at Metadata
⚠️ This must be LAST
  - level: Metadata
5.5 Final audit-policy.yaml should END like this
  # (existing "do not log" rules above)
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["namespaces"]
  - level: RequestResponse
    namespaces: ["webapps"]
    resources:
    - group: "apps"
      resources: ["deployments"]
  - level: Metadata
    resources:
    - group: ""
      resources: ["configmaps", "secrets"]
  - level: Metadata
Save and exit:
:wq
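As an added example (not from the walkthrough or from Kubernetes itself), the script below simulates the first-match rule evaluation the API server applies, which is what makes the order in step 5 matter. It is a simplified model covering only users, verbs, namespaces and resources; the policy list mirrors the step-5 rules behind one constructed "do not log" rule, and the sample requests are constructed.

```python
# Added example: simulate kube-apiserver audit rule matching. The first rule
# that matches a request decides its level, so the catch-all (5.4) must be last.
# POLICY mirrors the step-5 rules behind one constructed "do not log" rule.
POLICY = [
    {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
     "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
    {"level": "RequestResponse",                                   # 5.1
     "resources": [{"group": "", "resources": ["namespaces"]}]},
    {"level": "RequestResponse", "namespaces": ["webapps"],         # 5.2
     "resources": [{"group": "apps", "resources": ["deployments"]}]},
    {"level": "Metadata",                                           # 5.3
     "resources": [{"group": "", "resources": ["configmaps", "secrets"]}]},
    {"level": "Metadata"},                                          # 5.4 catch-all
]
BAD_POLICY = [POLICY[-1]] + POLICY[:-1]  # same rules, catch-all moved first

# Constructed sample requests: (user, verb, API group, resource, namespace).
REQUESTS = {
    "list namespaces":       ("kubernetes-admin", "list", "", "namespaces", None),
    "create deploy webapps": ("kubernetes-admin", "create", "apps", "deployments", "webapps"),
    "create deploy default": ("kubernetes-admin", "create", "apps", "deployments", "default"),
    "get secret":            ("kubernetes-admin", "get", "", "secrets", "kube-system"),
    "kube-proxy watch eps":  ("system:kube-proxy", "watch", "", "endpoints", None),
}

def _resources_match(rule, group, resource):
    """No resources list matches anything; else an entry with the same API
    group must list the resource (or list none, meaning the whole group)."""
    if "resources" not in rule:
        return True
    return any(e.get("group", "") == group
               and ("resources" not in e or resource in e["resources"])
               for e in rule["resources"])

def audit_level(policy, user, verb, group, resource, namespace):
    """Level of the first matching rule, or 'None' when no rule matches."""
    for rule in policy:
        if "users" in rule and user not in rule["users"]:
            continue
        if "verbs" in rule and verb not in rule["verbs"]:
            continue
        if "namespaces" in rule and namespace not in rule["namespaces"]:
            continue
        if _resources_match(rule, group, resource):
            return rule["level"]
    return "None"

def levels(policy, requests=REQUESTS):
    # Map each sample request name to the level the given policy assigns it.
    return {name: audit_level(policy, *req) for name, req in requests.items()}
```

Comparing levels(POLICY) with levels(BAD_POLICY) shows the failure mode: with the catch-all first, every request (including the kube-proxy watch that should not be logged) is recorded at Metadata and the RequestResponse rules never fire.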
6) Make sure API server uses the EXTENDED policy
Touch the manifest to guarantee reload:
touch /etc/kubernetes/manifests/kube-apiserver.yaml
Wait a few seconds.
7) Verify auditing is working
7.1 Check audit log file exists
ls -l /var/log/kubernetes/audit-logs.txt
7.2 Generate test activity
kubectl get namespaces
kubectl get configmaps -A
7.3 Confirm logs are written
tail -n 20 /var/log/kubernetes/audit-logs.txt
You should see one JSON audit event per line. Entries for the namespaces requests carry the request and response bodies (RequestResponse); entries for the configmaps requests carry only metadata (Metadata). If the file is missing or empty, check that the API server pod is running and re-check the volume mounts from step 3.