Skills Engineering WizTelemetry KubeSphere Audit Logging

WizTelemetry KubeSphere Audit Logging

v20260506
whizard-auditing
This component is an essential extension for KubeSphere Observability Platform, designed for comprehensive collection, processing, and storage of Kubernetes and KubeSphere audit events. It supports various sinks, including OpenSearch and Doris, and provides an API for querying historical audit data, ensuring robust auditing capabilities for platform operations.
Get Skill
349 downloads
Overview

WizTelemetry Auditing

Overview

WizTelemetry Auditing is an extension component in the KubeSphere Observability Platform for Kubernetes and KubeSphere audit event collection, processing, and storage.

When to Use

  • Installing or configuring the WizTelemetry Auditing extension
  • Understanding audit event collection architecture
  • Using the audit query API to query audit events

Components

Component Description Default Enabled
kube-auditing Kubernetes audit event collection and export true

Dependencies

  • WizTelemetry Platform Service (whizard-telemetry): Required
  • WizTelemetry Data Pipeline (vector): Required

Installation

Prerequisites

REQUIRED: Complete all steps in order before generating InstallPlan.

Step 1: Get Available Clusters and Confirm Target

⚠️ CRITICAL: DO NOT proceed until target clusters are determined.

Step 1.1: Get available clusters

kubectl get clusters -o jsonpath='{.items[*].metadata.name}'

Step 1.2: Determine target clusters

  • If user explicitly specified target clusters in the request → Use those clusters directly, proceed to Step 2
  • If user did NOT specify target clusters → Ask user to confirm which clusters to deploy to, then proceed to Step 2

Ask user (if not specified):

Available clusters: host, dev
Which clusters do you want to deploy WizTelemetry Auditing to?

Step 2: Get Latest Version (if not provided by user)

MUST do this to get the latest version:

kubectl get extensionversions -l kubesphere.io/extension-ref=whizard-auditing -o jsonpath='{range .items[*]}{.spec.version}{"\n"}{end}' | sort -V | tail -1

This outputs the latest version (e.g., 1.4.0). Note this down - you'll use it in the InstallPlan.

Install WizTelemetry Auditing

⚠️ IMPORTANT: Complete prerequisite steps BEFORE this step.

Based on your selections:

  • Target clusters: User-confirmed cluster names

⚠️ CRITICAL: InstallPlan metadata.name MUST be whizard-auditing. DO NOT use any other name.

⚠️ CRITICAL: config field is YAML format. You MUST:

  • Use the config structure exactly as shown in the template
  • DO NOT add configuration fields that are not shown in the template
  • DO NOT modify the structure or hierarchy

⚠️ CRITICAL: All placeholders MUST be replaced with actual values. DO NOT leave them as placeholders.

Template

apiVersion: kubesphere.io/v1alpha1
kind: InstallPlan
metadata:
  name: whizard-auditing
spec:
  extension:
    name: whizard-auditing
    version: <VERSION>  # From Step 2
  enabled: true
  upgradeStrategy: Manual
  clusterScheduling:
    placement:
      clusters:
        - <TARGET_CLUSTERS>

Replace placeholders:

  • <VERSION>: From Step 2 (e.g., 1.4.0)
  • <TARGET_CLUSTERS>: User-confirmed cluster names

Note: OpenSearch sink configuration (endpoints, auth) is provided by the vector extension. Make sure vector is installed and configured with OpenSearch before installing auditing.

Enable Doris Sink

To enable Doris sink for audit storage:

apiVersion: kubesphere.io/v1alpha1
kind: InstallPlan
metadata:
  name: whizard-auditing
spec:
  extension:
    name: whizard-auditing
    version: <VERSION>  # From Step 2
  enabled: true
  upgradeStrategy: Manual
  config: |
    kube-auditing:
      sinks:
        opensearch:
          enabled: true
          index:
            prefix: "{{ .cluster }}-auditing"
            timestring: "%Y.%m.%d"
        doris:
          enabled: true
          fe: <DORIS_FE>
          be: <DORIS_BE>
          table:
            partitionUnit: DAY
            retentionPartition: 7
            replicationNum: 2
  clusterScheduling:
    placement:
      clusters:
        - <TARGET_CLUSTERS>

Enable ISM Policy

apiVersion: kubesphere.io/v1alpha1
kind: InstallPlan
metadata:
  name: whizard-auditing
spec:
  extension:
    name: whizard-auditing
    version: <VERSION>  # From Step 2
  enabled: true
  upgradeStrategy: Manual
  config: |
    kube-auditing:
      sinks:
        opensearch:
          enabled: true
          index:
            prefix: "{{ .cluster }}-auditing"
            timestring: "%Y.%m.%d"
      ism_policy:
        enable: true
        min_index_age: "7d"
  clusterScheduling:
    placement:
      clusters:
        - <TARGET_CLUSTERS>

Configuration Parameters

OpenSearch Sink Parameters

Parameter Type Default Description
kube-auditing.sinks.opensearch.enabled bool true Enable OpenSearch sink
kube-auditing.sinks.opensearch.index.prefix string "{{ .cluster }}-auditing" Index prefix
kube-auditing.sinks.opensearch.index.timestring string "%Y.%m.%d" Index time format

Doris Sink Parameters

Parameter Type Default Description
kube-auditing.sinks.doris.enabled bool false Enable Doris sink
kube-auditing.sinks.doris.fe string "" Doris Frontend address
kube-auditing.sinks.doris.be string "" Doris Backend address
kube-auditing.sinks.doris.table.partitionUnit string DAY Partition unit
kube-auditing.sinks.doris.table.retentionPartition int 7 Retention partition
kube-auditing.sinks.doris.table.replicationNum int 2 Replication number

ISM Policy Parameters

Parameter Type Default Description
kube-auditing.ism_policy.enable bool false Enable Index State Management policy
kube-auditing.ism_policy.min_index_age string "7d" Minimum index retention period

Audit Query API

Query Audit Events

curl -X GET "http://whizard-telemetry-apiserver.extension-whizard-telemetry.svc:80/kapis/logging.kubesphere.io/v1alpha2/auditing?operation=query&sort=desc&size=10&cluster=host" \
  -H "X-Remote-User: admin"

Query Parameters:

Parameter Type Default Description
operation string query Operation type: query/statistics/histogram/export
workspace_filter string Comma-separated list of workspaces
workspace_search string Fuzzy match workspace names
objectref_namespace_filter string Comma-separated list of namespaces (ObjectRef.Namespace)
objectref_namespace_search string Fuzzy match namespace names
objectref_name_filter string Comma-separated list of object names
objectref_name_search string Fuzzy match object names
level_filter string Audit level: Metadata/Request/RequestResponse
verb_filter string Comma-separated list of verbs (create, update, delete, etc.)
user_filter string Comma-separated list of users
user_search string Fuzzy match username
group_search string Fuzzy match user groups
source_ip_search string Fuzzy match source IPs
objectref_resource_filter string Comma-separated list of resources
objectref_subresource_filter string Comma-separated list of subresources
response_code_filter string Comma-separated list of response codes
response_status_filter string Comma-separated list of response statuses
start_time string Start time (seconds since epoch)
end_time string End time (seconds since epoch)
interval string 15m Time interval for histogram
sort string desc Sort order: asc/desc
from int 0 Offset
size int 10 Number of results
cluster string host Cluster name

Extension Operations

Check Extension Status

kubectl get installplan whizard-auditing
kubectl get extensionversions -l kubesphere.io/extension-ref=whizard-auditing

Uninstall Extension

Uninstall from all clusters:

kubectl delete installplan whizard-auditing

Uninstall from specific cluster:

To remove WizTelemetry Auditing from a specific cluster, update the InstallPlan by removing that cluster from clusterScheduling.placement.clusters:

apiVersion: kubesphere.io/v1alpha1
kind: InstallPlan
metadata:
  name: whizard-auditing
spec:
  extension:
    name: whizard-auditing
    version: <VERSION>
  enabled: true
  upgradeStrategy: Manual
  clusterScheduling:
    placement:
      clusters:
        - <REMAINING_CLUSTERS>  # Remove the cluster you want to uninstall from
Info
Category Engineering
Name whizard-auditing
Version v20260506
Size 8.6KB
Updated At 2026-05-08
Language