1 Answer
Hello,
You can only use control plane audit logs to track which user ran a particular kubectl
command. Use CloudWatch Logs Insights to query through the EKS control plane log data.
The example query below will retrieve all the Kubernetes operations performed by users in your cluster.
fields @timestamp, user.username as user, verb as action, objectRef.name as object
| filter @logStream like /^kube-apiserver-audit/
| filter user.username not like 'system:'
| filter user.username not like 'eks:'
| filter verb not like 'watch'
| filter verb not like 'list'
| sort @timestamp desc
For example, you can query all the activity performed by username1:
fields @logStream, @timestamp, @message
| filter @logStream like /^kube-apiserver-audit/
| filter strcontains(user.username,"username1")
| sort @timestamp desc
| limit 50
To view the logs in Amazon CloudWatch Logs, you must turn on Amazon EKS control plane logging. You can find EKS control plane logs in the /aws/eks/cluster-name/cluster log group.
answered 10 months ago
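A Logs Insights query always runs over an explicit time range. As an added example (not part of the original answer), the script below submits the answer's per-user query through boto3 with a start and end time and polls for the result. The cluster name and username are placeholders, and the helper names are made up for illustration.

```python
import time
from datetime import datetime, timedelta, timezone


def audit_query(username, limit=50):
    """Build the per-user query from the answer above for one username."""
    # Reject characters that would end the quoted string inside the query.
    if not username or any(c in username for c in '"\\\n\r'):
        raise ValueError("unexpected character in username")
    return (
        "fields @logStream, @timestamp, @message\n"
        "| filter @logStream like /^kube-apiserver-audit/\n"
        f'| filter strcontains(user.username,"{username}")\n'
        "| sort @timestamp desc\n"
        f"| limit {int(limit)}"
    )


def time_window(hours, now=None):
    """Return (startTime, endTime) in epoch seconds for the last `hours`."""
    end = now or datetime.now(timezone.utc)
    start = end - timedelta(hours=hours)
    return int(start.timestamp()), int(end.timestamp())


def run_query(cluster_name, username, hours=24, region=None):
    """Run the query against the EKS control plane log group and wait for it."""
    import boto3  # imported here so the helpers above work without AWS access

    logs = boto3.client("logs", region_name=region)
    start, end = time_window(hours)
    query_id = logs.start_query(
        logGroupName=f"/aws/eks/{cluster_name}/cluster",
        startTime=start,
        endTime=end,
        queryString=audit_query(username),
    )["queryId"]
    while True:
        resp = logs.get_query_results(queryId=query_id)
        if resp["status"] not in ("Scheduled", "Running"):
            break
        time.sleep(1)
    if resp["status"] != "Complete":
        raise RuntimeError(f"query ended with status {resp['status']}")
    # Each row is a list of {"field": ..., "value": ...} pairs; flatten to dicts.
    return [{c["field"]: c["value"] for c in row} for row in resp["results"]]


if __name__ == "__main__":
    # "my-cluster" and "username1" are placeholders for your own values.
    for event in run_query("my-cluster", "username1", hours=6):
        print(event["@timestamp"], event["@message"][:200])
```

An empty result usually means the window does not cover the activity or audit logging was not enabled for the cluster at that time.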
That worked excellently. The only thing is you should choose the time ranges properly too. Thanks.