Skip to content
A security monitoring solution for Kubernetes
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Kubernetes Security Dashboard

This guide assists in configuring a logging architecture for Kubernetes, meant to store and parse audit logs. After setting up the logging architecture, run K8sCop for static or streaming analysis, and import the security dashboard in Kibana to obtain full visibility over Kubernetes cluster activity.


  • Make the kube-apiserver store audit logs
  • Set up Elasticsearch and Kibana outside or inside Kubernetes
  • Deploy the Fluent daemon to push logs to Elasticsearch
  • Run K8sCop for static or streaming analysis of logs and labelling of events
  • Import and view the Security Dashboard in Kibana

Big Picture


kube-apiserver arguments

The kube-apiserver has the possiblity to keep and store audit logs. By adding the following arguments to the /etc/kubernetes/manifests/kube-apiserver.yaml file:

  - command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/policies/adv-audit.yaml
    - --audit-log-path=/var/log/kubernetes/kube-apiserver-audit.log
    - --audit-log-format=json
    - mountPath: /etc/kubernetes/policies
      name: policies
      readOnly: true
    - mountPath: /var/log/kubernetes
 - hostPath:
   path: /etc/kubernetes/policies
   type: DirectoryOrCreate
  name: policies
- hostPath:
   path: /var/log/kubernetes
   type: DirectoryOrCreate
  name: var-log-kubernetes

An example configuration file can be found here. Create the policies directory in /etc/kubernetes and copy this yaml file to the newly created directory.

Setting up Elasticsearch and Kibana

Follow this very nice and detailed guide on DigitalOcean.

Deploying fluent


Create the mount directory for the fluent configuration:

# mkdir -p /var/share/volumes/fluent/etc

Add the files from the configs/fluent folder:

# cp Gemfile /var/share/volumes/fluent/.
# cp fluent.conf /var/share/volumes/fluent/etc/.

Change the environment variables to connect to the installed elasticsearch installation:

     - name: fluentd
        image: fluent/fluentd-kubernetes-daemonset:v1.1-debian-elasticsearch
            value: ""
            value: "9200"
            value: "http"
          - name: FLUENT_UID
            value: "0"
          - name: FLUENT_ELASTICSEARCH_USER # even if not used they are necessary
            value: "foo"
          - name: FLUENT_ELASTICSEARCH_PASSWORD # even if not used they are necessary
            value: "bar"


Apply the yaml configuration file:

$ kubectl apply -f fluentd-setup.yml

There should be a kube-logging namespace, containing a volume (claim), a fluent pod and service account.


To check the progress or to debug error messages, run the following command:

$ kubectl --namespace kube-logging logs fluent-[identifier] init-fluentd -f

This will stream the init containers' stdout/stderr while installing the required gems. Omit init-fluentd to stream the logs of the actual container.


K8sCop specifics are described here.

Security Dashboard


An overview of all requests made inside Kubernetes and a pie chart of user activity, computer by requests per user.

A pie chart of the different types of alerts and an overview of the latest alerts made by K8sCop.

An overview of shell commands executed and kubectl interaction, with a list of attempts at secrets retrieval and requests that have been unauthorised.

An overview of privileged pod spawning.

Importing the Dashboard

  • Navigate to the management interface of Kibana
  • Go into Saved Objects
  • Import the json objects file
You can’t perform that action at this time.