
Audit Trail

In environments where users and systems have access to the Kube API server, it is critical from a Security and Governance perspective to be able to answer questions like the following:

  • Who can do what?
  • Who did what and when?
  • Which resources were operated on, by whom and when?
  • How did they access the cluster?

The ideal solution for this is "RBAC and Auditing". All activity performed using Rafay's "Zero Trust KubeCTL Proxy" is audited at the Rafay Controller.


KubeCTL Audit

  • Log in to the Rafay Console as an Org Admin
  • Click on System and Audit Logs
  • Select the KubeCTL Logs tab

Users are presented with a near real-time view of activity performed via the "Kube API Server Proxy". The following information is shown for each operation, along with filters that let users quickly sort and zero in on the details they require.

  • Date: When the activity was performed
  • User: The user that performed it
  • Cluster: The cluster that was accessed
  • Namespace: The target namespace on the cluster
  • Resource: The k8s resource that was accessed
  • Method: GET, POST, DELETE, PATCH
  • Access Method: rafay system (Browser based) or KubeCTL CLI
  • Details: Additional data that may be useful for users


Important

Rafay will not have visibility into activity that is performed directly against the Kube API Server, bypassing the Controller.


Duration

For every operation processed by Rafay's "Kube API Server Proxy", the "duration" of the end-to-end operation is captured and displayed in the "Details" column in the audit logs. That is, this is the response time for the API. Note that a single KubeCTL command may translate to tens of API calls under the covers.

This data can help administrators validate the user experience benefits of Rafay's zero trust, secure, direct access to clusters versus the latency and performance issues experienced with bastions and VPNs.
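For the direct access that the Important note above says the Controller cannot see, the Kubernetes API server's own audit log is where that activity is recorded. The following is an added example, not Rafay code: it reads native `audit.k8s.io/v1` events and reports completed requests that did not arrive from trusted networks, with the same kind of columns as the audit view plus a per-request duration. It assumes API server audit logging is enabled with JSON-lines output; `TRUSTED_NETS` and the sample events are hypothetical, constructed values.

```python
import ipaddress
import json
from datetime import datetime

# Assumption: networks from which the proxy's in-cluster component and the
# cluster's own components reach the API server. Hypothetical value.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]
TS = "%Y-%m-%dT%H:%M:%S.%fZ"  # Kubernetes audit timestamps (UTC, microseconds)

# Constructed sample: one audit.k8s.io/v1 event per line.
SAMPLE_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"alice@example.com"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"dev"},"requestReceivedTimestamp":"2024-01-10T12:00:00.000000Z","stageTimestamp":"2024-01-10T12:00:00.042000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"delete","user":{"username":"bob@example.com"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"secrets","namespace":"prod"},"requestReceivedTimestamp":"2024-01-10T12:05:00.000000Z","stageTimestamp":"2024-01-10T12:05:00.000100Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"delete","user":{"username":"bob@example.com"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"secrets","namespace":"prod"},"requestReceivedTimestamp":"2024-01-10T12:05:00.000000Z","stageTimestamp":"2024-01-10T12:05:00.120000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:kube-scheduler"},"sourceIPs":["10.0.0.2"],"objectRef":{"resource":"leases","namespace":"kube-system"},"requestReceivedTimestamp":"2024-01-10T12:06:00.000000Z","stageTimestamp":"2024-01-10T12:06:00.003000Z"}
"""

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def direct_access(lines):
    """Return one row per completed request that did not come from TRUSTED_NETS."""
    rows = []
    for line in filter(str.strip, lines):  # skip blank lines
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue  # each request logs several stages; count it once
        ips = ev.get("sourceIPs", [])
        if ips and all(is_trusted(ip) for ip in ips):
            continue  # arrived via the proxy or a cluster component
        ref = ev.get("objectRef", {})
        start = datetime.strptime(ev["requestReceivedTimestamp"], TS)
        end = datetime.strptime(ev["stageTimestamp"], TS)
        rows.append({
            "date": ev["requestReceivedTimestamp"],
            "user": ev.get("user", {}).get("username", "?"),
            "namespace": ref.get("namespace", ""),
            "resource": ref.get("resource", ""),
            "verb": ev.get("verb", ""),  # API verb, not the HTTP method
            "source": ips,
            "duration_ms": round((end - start).total_seconds() * 1000),
        })
    return rows

if __name__ == "__main__":
    for row in direct_access(SAMPLE_LOG.splitlines()):
        print(row)
```

Events with no recorded source address are reported rather than skipped, so a gap in the log data does not hide a request.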