Gardener Extension Auditing

Introduction

Gardener extension controller which deploys an auditlog forwarder sending Audit Events to configured backends.

Use Case

Kubernetes audit logs are essential for security investigations, compliance evidence, and operational troubleshooting. Long‑term storage, external analysis, SIEM ingestion, or near real‑time alerting requires that these audit events leave the cluster boundary in a reliable and secure way.

The Gardener auditing extension (type auditing) deploys and manages the auditlog-forwarder inside the control plane of a Shoot cluster. This webhook component receives the API server audit logs, enriches them with Gardener specific metadata and forwards the events to one or more remote backends.

Solution Overview

You configure an audit policy for the Shoot's kube-apiserver (via spec.kubernetes.kubeAPIServer.auditConfig.auditPolicy).
You enable the auditing extension on the Shoot and provide a list of forwarding backends in providerConfig.
The extension reconciler deploys the auditlog-forwarder Deployment plus supporting objects (ServiceAccount, RBAC, VPA, etc.) into the Shoot namespace in the Seed cluster.
The forwarder receives audit events from the kube-apiserver (sent over HTTPS on a webhook endpoint), enriches them with Gardener specific metadata and sends them to the configured remote endpoints.

Data Flow

kube-apiserver -> auditlog-forwarder -> external receiver(s)

Features

Multiple backends (fan‑out) – each event is attempted to be delivered to all configured backends. (this function is currently limited to a single backend)
HTTPS delivery via mutual TLS.

NOTE

Current API focuses on HTTP(S) backends. Future versions may add additional backend types (e.g. OTLP).

Usage

Configuring the Auditing Extension - learn how to enable and configure the auditing extension for shoot clusters
Audit Event Format - understand the format of audit events and Gardener-specific annotations

Operations

Configuring the Auditing Extension (Garden) - learn how to enable and configure the auditing extension for garden clusters

Local Setup and Development

Deploying Auditing Extension Locally - learn how to set up a local development environment

Contributing

Please see CONTRIBUTING.md for guidelines on how to contribute to this project.

Resources

Provider Alibaba Cloud

Tutorials

Kubernetes cluster on alicloud with gardener

Provider AWS

Tutorials

Provider Azure

Tutorials

Kubernetes cluster on azure with gardener

Provider Equinix Metal

Provider GCP

Tutorials

Kubernetes cluster on gcp with gardener

proposals

Provider OpenStack

CoreOS/FlatCar OS

SUSE CHost OS

Ubuntu OS

Calico CNI

Cilium CNI

Kubernetes Auditing

Api Reference

Registry Cache

Registry cache

registry-mirror

Certificate Services

Tutorials

DNS Services

Tutorials

Lakom Service

Egress Filtering

Networking Problem Detector

OpenID Connect Services

Node Audit Logging

Concepts

Deployment

Concepts

Deployment

Getting started locally

Proposals

Documents

Proposals

To-Do

Style Guide

Gardener Extension Auditing ​

Introduction ​

Use Case ​

Solution Overview ​

Data Flow ​

Features ​

Usage ​

Operations ​

Local Setup and Development ​

Contributing ​

Gardener Extension Auditing

Introduction

Use Case

Solution Overview

Data Flow

Features

Usage

Operations

Local Setup and Development

Contributing