Cluster Audit Dashboard

Scenario

Container Engine CCE provides an out-of-the-box audit dashboard. Once cluster auditing is enabled for a cluster, CCE automatically configures an audit operations overview dashboard for that cluster. It also comes with the BLS global search, so that you can observe and search cluster operations of every kind and discover and locate problems promptly. The CCE cluster audit operations overview dashboard mainly shows the total number of audit records, the number of operating users, the number of active nodes, the number of abnormal accesses, and similar figures.

Prerequisites

Note

  • For the cluster audit log overview dashboard, the system automatically configures indexes for the log set. Do not modify the index fields: changing an index field makes the dashboard data unviewable. The index fields are listed below (filter condition, the log field it reads, and the index that backs it):

    Filter condition   Field name            Index
    Namespace          namespace             namespace
    Operating user     User.username         User
    Status code        ResponseStatus.code   ResponseStatus
    Operation type     Verb                  Verb
    Resource object    ObjectRef.Name        ObjectRef
    Resource type      resource              resource

Procedure

Cluster audit provides the audit operations overview and global search. Follow the steps below to open the cluster audit page and start using these functions:

  1. Log in to the Container Engine console.
  2. In the left navigation pane, choose Cluster List.
  3. On the Cluster List page, click the target cluster to open the cluster management page.
  4. In the left navigation pane of the cluster management page, choose Security Management - Cluster Audit and enable the cluster audit function. For details, see Enable Cluster Audit.
  5. Open the Audit Operations Overview page and view the chart details.

Audit Operations Overview

When you want to observe operations across the whole cluster API server, you can set filter conditions on the Audit Operations Overview page and view aggregated statistics of the core audit logs, for example the statistics of all audit logs, their distribution, and the trends of important operations, as shown in the figure below:
[Figure: audit operations overview dashboard]

You can also view more statistics on this page, as listed below:

  • Cluster audit log statistics dashboard:
    [Figure: cluster audit log statistics dashboard]
  • Distribution dashboard:
    [Figure: distribution dashboard]
  • Important operation trends dashboard:
    [Figure: important operation trends dashboard]

Query Statements

Filter Conditions

The filter conditions on the CCE cluster audit operations overview dashboard are as follows:

  • Namespace. The associated BLS query and analysis statement is:

    select distinct namespace
  • Operating user. The associated query and analysis statement is:

    select distinct User->"$.username"
  • Status code. The associated query and analysis statement is:

    select distinct `ResponseStatus`->"$.code"
  • Operation type. The associated query and analysis statement is:

    select distinct Verb
  • Resource object. The associated query and analysis statement is:

    select distinct ObjectRef->"$.Name"
  • Resource type. The associated query and analysis statement is:

    select distinct ObjectRef->"$.Resource"

Important Charts

The important charts of the CCE log audit center dashboard are as follows:

  • Total audit records. The associated query and analysis statement is:

    select count(1) as "记录数"
  • Number of operating users. The associated query and analysis statement is:

    select count(DISTINCT User->"$.username") as "用户数"
  • Number of active nodes (users whose name starts with system:node:, that is, kubelet identities). The associated query and analysis statement is:

    select count(DISTINCT User->"$.username") as "节点数" where (locate("system\:node\:", User->"$.username") = 1)
  • Number of abnormal accesses (requests from system:kube-scheduler answered with a status code of 400 or above). The associated query and analysis statement is:

    select count(1) as "访问次数" where (User->"$.username" ="system:kube-scheduler") AND (ResponseStatus->"$.code" >= 400)
  • Number of sensitive operations (exec or attach into pods, secret reads by identities other than the API server or a node, and deletes by identities other than the core control-plane components). The associated query and analysis statement is:

    select count(1) as "操作次数" from log where (Verb = 'create' AND (`ObjectRef`->'$.Subresource' = 'exec')) OR (Verb = 'create' AND (`ObjectRef`->'$.Subresource' = 'attach') AND (`ObjectRef`->'$.Resource' = 'pods')) OR (Verb = 'get' AND (`User`->"$.username" != 'apiserver') AND (locate('system:node', `User`->"$.username") != 1) AND (`ObjectRef`->'$.Resource' = 'secrets')) OR (Verb = 'delete' AND (locate('system:node', `User`->"$.username") != 1) AND ((locate('system:serviceaccount:kube-system', `User`->"$.username")) != 1) AND ((`User`->"$.username") != 'system:apiserver') AND (locate('system:kube-scheduler', (`User`->"$.username")) != 1) AND (locate('system:kube-controller-manager', `User`->"$.username") != 1))
  • Number of create operations. The associated query and analysis statement is:

    select count(1) as "操作次数" from log where Verb = 'create'
  • Number of update operations. The associated query and analysis statement is:

    select count(1) as "操作次数" where Verb in ('update','patch')
  • Number of delete operations. The associated query and analysis statement is:

    select count(1) as "操作次数" where Verb = 'delete'
  • Operating user distribution. The associated query and analysis statement is:

    select `User`->"$.username" as `用户名`,count(*) as cn group by `用户名` order by cn desc
  • Namespace distribution. The associated query and analysis statement is:

    select namespace as `命名空间`,count(*) as cn group by namespace order by cn desc
  • Resource type distribution. The associated query and analysis statement is:

    select resource as `资源类型`,count(*) as cn group by resource order by cn desc
  • Operation type distribution. The associated query and analysis statement is:

    select Verb as `操作类型`,count(*) as cn group by Verb order by cn desc
  • Status code distribution. The associated query and analysis statement is:

    select `ResponseStatus`->"$.code" as `状态码`,count(*) as cn group by `状态码` order by cn desc
  • Node operation distribution. The associated query and analysis statement is:

    select Verb as `操作类型`, count(*) as cn where `resource` = 'nodes' group by `操作类型`, `resource` order by cn desc
  • Workload operation distribution. The associated query and analysis statement is:

    select Verb as `操作类型`, count(*) as cn where `操作类型` in ('create', 'delete') and `resource` in ('deployments','statefulsets','daemonsets','jobs','cronjobs') group by `操作类型`, `resource` order by cn desc
  • Service/Ingress distribution. The associated query and analysis statement is:

    select Verb as `操作类型`,count(*) as cn where `操作类型` in ('create', 'delete') and `resource` in ('ingresses','services') group by `操作类型`,`resource` order by cn desc
  • Important operation trend. The associated query and analysis statement is:

    select histogram(cast(@timestamp as timestamp),interval 1 minute) as t, Verb, count(1) as "操作次数" where Verb in ('create','delete','update','patch') group by t, Verb order by t limit 10000
  • Non-system user operation trend. The associated query and analysis statement is:

    select histogram(cast(@timestamp as timestamp),interval 1 minute) as t, `User`->"$.username" as `用户名称`, count(1) as `count` where ((locate("system:", `User`->"$.username") = 0) AND ((`User`->"$.username") not like 'apiserver') AND ((`User`->"$.username") not like "kube-controller-manager") AND ((`User`->"$.username") not like "kube-apiserver-kubelet-client")) group by t, `用户名称` order by t limit 10000
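As an added example (not code from the CCE product or its documentation), the following Python script reimplements the filter values and the headline counters of both lists above over a constructed sample of audit records, so that the predicates behind the dashboard, in particular the sensitive-operation, active-node and non-system-user clauses, can be checked offline against an exported audit log before trusting the chart numbers. It assumes the BLS semantics that locate(x, s) = 1 means "s starts with x" and locate(x, s) = 0 means "x does not occur in s", and that `not like` without a wildcard is a plain inequality; the sample record keys follow the dashboard index table (User, Verb, ObjectRef, ResponseStatus) rather than the lower-case keys kube-apiserver itself writes.

```python
import json
from collections import Counter

# Constructed sample audit records (not real cluster data), shaped after the
# field names the dashboard indexes: namespace, User.username, Verb,
# ObjectRef.Resource/Name/Subresource, resource, ResponseStatus.code.
# kube-apiserver writes these keys in lower case (user, verb, objectRef,
# responseStatus); rename them before feeding an exported audit log in here.
SAMPLE_AUDIT_LINES = [
    '{"namespace":"kube-system","User":{"username":"system:node:worker-1"},"Verb":"get",'
    '"ObjectRef":{"Resource":"pods","Name":"coredns-1"},"resource":"pods","ResponseStatus":{"code":200}}',
    '{"namespace":"default","User":{"username":"alice"},"Verb":"create",'
    '"ObjectRef":{"Resource":"pods","Name":"web-0","Subresource":"exec"},"resource":"pods","ResponseStatus":{"code":101}}',
    '{"namespace":"default","User":{"username":"alice"},"Verb":"get",'
    '"ObjectRef":{"Resource":"secrets","Name":"db-creds"},"resource":"secrets","ResponseStatus":{"code":200}}',
    '{"namespace":"default","User":{"username":"system:kube-scheduler"},"Verb":"update",'
    '"ObjectRef":{"Resource":"pods","Name":"web-0","Subresource":"binding"},"resource":"pods","ResponseStatus":{"code":409}}',
    '{"namespace":"prod","User":{"username":"system:serviceaccount:kube-system:generic-garbage-collector"},"Verb":"delete",'
    '"ObjectRef":{"Resource":"replicasets","Name":"api-7d9"},"resource":"replicasets","ResponseStatus":{"code":200}}',
    '{"namespace":"prod","User":{"username":"bob"},"Verb":"delete",'
    '"ObjectRef":{"Resource":"deployments","Name":"api"},"resource":"deployments","ResponseStatus":{"code":200}}',
    '{"namespace":"kube-system","User":{"username":"system:node:worker-2"},"Verb":"patch",'
    '"ObjectRef":{"Resource":"nodes","Name":"worker-2","Subresource":"status"},"resource":"nodes","ResponseStatus":{"code":200}}',
]

# Identities the dashboard's delete clause excludes. Assumed BLS semantics:
# locate(x, s) = 1 is "s starts with x", locate(x, s) = 0 is "x not in s".
SYSTEM_DELETE_PREFIXES = ("system:node", "system:serviceaccount:kube-system",
                          "system:kube-scheduler", "system:kube-controller-manager")


def parse_events(lines):
    """One JSON audit record per line, as a BLS log set stores them."""
    return [json.loads(line) for line in lines if line.strip()]


def username(ev):
    return ev.get("User", {}).get("username", "")


def objref(ev, key):
    return ev.get("ObjectRef", {}).get(key, "")


def is_sensitive(ev):
    """Predicate behind the 'sensitive operations' chart: exec/attach into
    pods, secret reads by anything other than the API server or a node, and
    deletes by anything other than the core control-plane identities."""
    user, verb = username(ev), ev.get("Verb")
    resource, sub = objref(ev, "Resource"), objref(ev, "Subresource")
    if verb == "create" and sub == "exec":
        return True
    if verb == "create" and sub == "attach" and resource == "pods":
        return True
    if (verb == "get" and resource == "secrets" and user != "apiserver"
            and not user.startswith("system:node")):
        return True
    if (verb == "delete" and user != "system:apiserver"
            and not user.startswith(SYSTEM_DELETE_PREFIXES)):
        return True
    return False


def is_non_system_user(ev):
    """Predicate behind the 'non-system user operation trend' chart."""
    user = username(ev)
    return "system:" not in user and user not in (
        "apiserver", "kube-controller-manager", "kube-apiserver-kubelet-client")


def overview_metrics(events):
    """The headline counters of the overview dashboard, computed in one pass."""
    users = {username(e) for e in events}
    code = lambda e: e.get("ResponseStatus", {}).get("code", 0)
    return {
        "total_records": len(events),
        "user_count": len(users),
        "active_nodes": sum(1 for u in users if u.startswith("system:node:")),
        "abnormal_access": sum(1 for e in events
                               if username(e) == "system:kube-scheduler" and code(e) >= 400),
        "sensitive_ops": sum(1 for e in events if is_sensitive(e)),
        "creates": sum(1 for e in events if e.get("Verb") == "create"),
        "updates": sum(1 for e in events if e.get("Verb") in ("update", "patch")),
        "deletes": sum(1 for e in events if e.get("Verb") == "delete"),
        "non_system_user_ops": sum(1 for e in events if is_non_system_user(e)),
    }


def distribution(events, key_fn, where=lambda e: True):
    """Equivalent of `select K, count(*) as cn [where ...] group by K order by
    cn desc`; ties keep first-seen order, as Counter.most_common does."""
    return Counter(key_fn(e) for e in events if where(e)).most_common()


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LINES)
    print(json.dumps(overview_metrics(evs), indent=2))
    print("verbs:", distribution(evs, lambda e: e.get("Verb")))
    print("node ops:", distribution(evs, lambda e: e.get("Verb"),
                                    where=lambda e: e.get("resource") == "nodes"))
    print("sensitive:", [(username(e), e.get("Verb"), objref(e, "Resource"))
                         for e in evs if is_sensitive(e)])
```

On the constructed sample the script flags three sensitive operations (alice's pod exec, alice's secret read, and bob's deployment delete) while leaving the kube-system garbage collector's delete and the kubelets' own requests out, which is exactly the separation the dashboard's delete and secret-read clauses are meant to draw. Replacing `SAMPLE_AUDIT_LINES` with the lines of an exported log set (after the key renaming noted in the comment) lets you compare the counters against the chart values.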