Kubernetes API audit logs enabled on EKS-A clusters to be able to debug and log RBAC issues

[saiteja313]

What would you like to be added:

Currently, this can be enabled manually following the Log Backend configuration here:

https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/

EKSA Should allow configuring audit logging through EKS-A Cluster configuration file so that, manual modification to the API server config can be avoided.

Why is this needed:
Security and audit purposes.

As a EKSA Admin, I want to know who deleted a application pod or retrieved a secret value from Cluster using Audit logs.

[Cajga]

Hi @saiteja313 ,

API audit logging is enabled by default for the cloudstack, docker, tinkerbell (bare metal) and vsphere providers:

$ git remote -v
origin	[email protected]:aws/eks-anywhere.git (fetch)
origin	[email protected]:aws/eks-anywhere.git (push)
$ git pull
Already up to date.
$ grep api-audit.log pkg/providers/*/config/template-cp.yaml
pkg/providers/cloudstack/config/template-cp.yaml:          audit-log-path: /var/log/kubernetes/api-audit.log
pkg/providers/docker/config/template-cp.yaml:          audit-log-path: /var/log/kubernetes/api-audit.log
pkg/providers/tinkerbell/config/template-cp.yaml:          audit-log-path: /var/log/kubernetes/api-audit.log
pkg/providers/vsphere/config/template-cp.yaml:          audit-log-path: /var/log/kubernetes/api-audit.log

Note: the tinkerbell (bare metal) provider got enabled in v0.17.4 with this PR

Which provider are you using and which version of EKS-A?