1 Answer
2
Hello,
You can only use control plane audit logs to track which user ran a particular kubectl
command. Use CloudWatch Logs Insights to query through the EKS control plane log data.
The example query below will retrieve all the Kubernetes operations performed by users in your cluster.
```
fields @timestamp, user.username as user, verb as action, objectRef.name as object
| filter @logStream like /^kube-apiserver-audit/
| filter user.username not like 'system:'
| filter user.username not like 'eks:'
| filter verb not like 'watch'
| filter verb not like 'list'
| sort @timestamp desc
```
For example, you can query all the activity performed by username1:
```
fields @logStream, @timestamp, @message
| filter @logStream like /^kube-apiserver-audit/
| filter strcontains(user.username,"username1")
| sort @timestamp desc
| limit 50
```
To view the logs in Amazon CloudWatch Logs, you must turn on Amazon EKS control plane logging. You can find EKS control plane logs in the /aws/eks/cluster-name/cluster log group.
Answered 1 year ago
That worked excellently. The only thing is you should choose the time ranges properly too. Thanks.
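An added example (not part of the original answer or comment, and not AWS's own code): the per-user audit query from the answer run through the CloudWatch Logs API with an explicit time window, since the window decides which audit events are searched. `build_query`, `time_window` and `run_query` are hypothetical helper names, the cluster name is a placeholder supplied by the caller, and `objectRef.resource` / `objectRef.namespace` are standard audit event fields added to the output.

```python
import re
import time

LOG_GROUP_TEMPLATE = "/aws/eks/{cluster}/cluster"  # log group path given in the answer
TERMINAL = ("Complete", "Failed", "Cancelled", "Timeout")

def build_query(username, limit=50):
    """Logs Insights query for one user's non-read API calls."""
    # Accept only characters expected in IAM/Kubernetes user names so the value
    # cannot close the quoted string and alter the query.
    if not re.fullmatch(r"[A-Za-z0-9_.:@/+=,-]{1,256}", username):
        raise ValueError("unexpected characters in username")
    return "\n".join([
        "fields @timestamp, user.username as user, verb as action, "
        "objectRef.resource as resource, objectRef.namespace as namespace, "
        "objectRef.name as object",
        "| filter @logStream like /^kube-apiserver-audit/",
        f'| filter strcontains(user.username, "{username}")',
        "| filter verb not like 'watch'",
        "| filter verb not like 'list'",
        "| sort @timestamp desc",
        f"| limit {int(limit)}",
    ])

def time_window(hours_back, now=None):
    """Return (startTime, endTime) in epoch seconds, as start_query expects."""
    if hours_back <= 0:
        raise ValueError("hours_back must be positive")
    end = int(time.time() if now is None else now)
    return end - int(hours_back * 3600), end

def run_query(cluster, username, hours_back=24):
    """Run the query and return rows as dicts. Needs AWS credentials."""
    import boto3  # imported here so the helpers above work without AWS access
    logs = boto3.client("logs")
    start, end = time_window(hours_back)
    query_id = logs.start_query(
        logGroupName=LOG_GROUP_TEMPLATE.format(cluster=cluster),
        startTime=start, endTime=end,
        queryString=build_query(username),
    )["queryId"]
    while True:  # poll until the query reaches a terminal status
        resp = logs.get_query_results(queryId=query_id)
        if resp["status"] in TERMINAL:
            break
        time.sleep(1)
    if resp["status"] != "Complete":
        raise RuntimeError(f"query ended with status {resp['status']}")
    return [{f["field"]: f["value"] for f in row} for row in resp["results"]]
```

An empty result from `run_query` for a window that predates the enabling of audit logging means no data was collected, not that the user did nothing.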