By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Kubernetes AWS EKS: Find out which specific user ran a specific kubectl command?

0
mapUsers:
----
- userarn: arn:aws:iam::xxxxxxxxxx:user/username1
  username: username1
  groups:
    - system:masters
- userarn: arn:aws:iam::xxxxxxxxxxxx:user/username2
  username: username2
  groups:
    - system:masters
- userarn: arn:aws:iam::xxxxxxxxxxxx:user/username3
  username: username3
  groups:
    - system:masters

I have the above in kubectl -n kube-system describe configmap aws-auth

I'm using AWS EKS for kubernetes I have the above users in configmap aws-auth

Now if a user runs a kubectl command where will it be logged? How do I find out which user ran a particular kubectl command?

I tried looking at aws cloudtrail but can find only the event details and not the user who ran it. I also looked at aws eks control plane audit logs, there too I am not finding any reference to the above mentioned users

Thank

Topics
ContainersManagement & GovernanceCompute
Tags
Amazon Elastic Kubernetes ServiceAWS CloudTrailKubernetes
Language
English
Shanthi
asked 10 months ago548 views
1 Answer
2
Accepted Answer

Hello,

You can only use control plane audit logs to track which user ran a particular kubectl command. Use CloudWatch Logs Insights to query through the EKS control plane log data.

The example query below will retrieve all the Kubernetes operations performed by user in your cluster.

fields @timestamp, user.username as user, verb as action, objectRef.name as object
| filter @logStream like /^kube-apiserver-audit/
| filter user.username not like 'system:' 
| filter user.username not like 'eks:'
| filter verb not like 'watch'
| filter verb not like 'list'
| sort @timestamp desc

For example you can query all the activity performed by username1:

fields @logStream, @timestamp, @message
| filter @logStream like /^kube-apiserver-audit/
| filter strcontains(user.username,"username1")
| sort @timestamp desc
| limit 50

To view the logs in Amazon CloudWatch Logs, you must turn on Amazon EKS control plane logging. You can find EKS control plane logs in the /aws/eks/cluster-name/cluster log group.

References

AWS
Olawale
answered 10 months ago
profile picture
EXPERT
Sedat Salman
reviewed 10 months ago
profile picture
EXPERT
Hiroki Takahashi
reviewed 10 months ago
  • Shanthi
    10 months ago

    That worked excellent only thing is you should choose the time ranges too properly Thanks

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content