集群审计仪表盘
更新时间:2025-04-02
操作场景
容器引擎 CCE 为用户提供了开箱即用的审计仪表盘。在集群开启集群审计功能后,CCE 将自动为该集群配置审计操作总览仪表盘。同时内置 BLS 的全局检索,方便用户观测和检索各类集群操作,以便于及时发现和定位问题。CCE 集群审计操作总览仪表盘主要展示总审计记录数、操作用户数、活跃节点数、异常访问次数等。
前提条件
说明
- 集群审计日志总览仪表盘,系统会自动为日志集配置索引,请不要修改索引字段,若更换索引字段会导致无法查看仪表盘数据。索引字段如下所示:
命名空间 操作用户 状态码 操作类型 资源对象 资源类型 字段名 namespace User.username ResponseStatus.code Verb ObjectRef.Name resource 索引 namespace User ResponseStatus Verb ObjectRef resource
操作步骤
集群审计中配置了审计操作总览、全局检索。请按照以下步骤进入集群审计页面,开始使用对应功能:
- 登录 容器引擎控制台。
- 在左侧导航栏,选择 集群列表。
- 在“集群列表”页面单击目标集群,进入集群管理页面。
- 在集群管理页面左侧导航栏中选择 安全管理-集群审计,开启集群审计功能,操作详情请参见 开启集群审计。
- 进入审计操作总览页面,查看图表详情。
审计操作总览
当您想观测整个集群 APIServer 操作时,可在审计操作总览页面设置过滤条件,查看核心审计日志的汇总统计信息。例如,总审计日志的统计数、分布情况、重要操作趋势等。如下图所示:
您还可在该页面中查看更多统计信息,如下所示:
- 集群审计日志的统计数仪表盘:
- 分布情况仪表盘:
- 重要操作趋势仪表盘:
查询语句介绍
筛选条件说明
CCE集群审计操作总览仪表盘中的筛选条件说明如下所示:
-
命名空间,所关联的BLS的查询分析语句如下所示:
Plain Text1select distinct namespace -
操作用户,所关联的查询分析语句如下所示:
Plain Text1select distinct User->"$.username" -
状态码,所关联的查询分析语句如下所示:
Plain Text1select distinct `ResponseStatus`->"$.code" -
操作类型,所关联的查询分析语句如下所示:
Plain Text1select distinct Verb -
资源对象,所关联的查询分析语句如下所示:
Plain Text1select distinct ObjectRef->"$.Name" -
资源类型,所关联的查询分析语句如下所示:
Plain Text1select distinct ObjectRef->"$.Resource"
重要图表说明
CCE日志审计中心仪表盘中重要图表说明如下所示:
-
总审计记录数,所关联的查询分析语句如下所示:
Plain Text1select count(1) as "记录数" -
操作用户数,所关联的查询分析语句如下所示:
Plain Text1select count(DISTINCT User->"$.username") as "用户数" -
活跃节点数,所关联的查询分析语句如下所示:
Plain Text1select count(DISTINCT User->"$.username") as "节点数" where (locate("system\:node\:", User->"$.username") = 1) -
异常访问次数,所关联的查询分析语句如下所示:
Plain Text1select count(1) as "访问次数" where (User->"$.username" ="system:kube-scheduler") AND (ResponseStatus->"$.code" >= 400) -
敏感操作次数,所关联的查询分析语句如下所示:
Plain Text1select count(1) as "操作次数" from log where (Verb = 'create' AND (`ObjectRef`->'$.Subresource' = 'exec')) OR (Verb = 'create' AND (`ObjectRef`->'$.Subresource' = 'attach') AND (`ObjectRef`->'$.Resource' = 'pods')) OR (Verb = 'get' AND (`User`->"$.username" != 'apiserver') AND (locate('system:node', `User`->"$.username") != 1) AND (`ObjectRef`->'$.Resource' = 'secrets')) OR (Verb = 'delete' AND (locate('system:node', `User`->"$.username") != 1) AND ((locate('system:serviceaccount:kube-system', `User`->"$.username")) != 1) AND ((`User`->"$.username") != 'system:apiserver') AND (locate('system:kube-scheduler', (`User`->"$.username")) != 1) AND (locate('system:kube-controller-manager', `User`->"$.username") != 1)) -
创建操作次数,所关联的查询分析语句如下所示:
Plain Text1select count(1) as "操作次数" from log where Verb = 'create' -
更新操作次数,所关联的查询分析语句如下所示:
Plain Text1select count(1) as "操作次数" where Verb in ('update','patch') -
删除操作次数,所关联的查询分析语句如下所示:
Plain Text1select count(1) as "操作次数" where Verb = 'delete' -
操作用户分布,所关联的查询分析语句如下所示:
Plain Text1select `User`->"$.username" as `用户名`,count(*) as cn group by `用户名` order by cn desc -
命名空间分布,所关联的查询分析语句如下所示:
Plain Text1select namespace as `命名空间`,count(*) as cn group by namespace order by cn desc -
资源类型分布,所关联的查询分析语句如下所示:
Plain Text1select resource as `资源类型`,count(*) as cn group by resource order by cn desc -
操作类型分布,所关联的查询分析语句如下所示:
Plain Text1select Verb as `操作类型`,count(*) as cn group by Verb order by cn desc -
状态码分布,所关联的查询分析语句如下所示:
Plain Text1select `ResponseStatus`->"$.code" as `状态码`,count(*) as cn group by `状态码` order by cn desc -
节点操作分布,所关联的查询分析语句如下所示:
Plain Text1select Verb as `操作类型`, count(*) as cn where `resource` = 'nodes' group by `操作类型`, `resource` order by cn desc -
工作负载操作分布,所关联的查询分析语句如下所示:
Plain Text1select Verb as `操作类型`, count(*) as cn where `操作类型` in ('create', 'delete') and `resource` in ('deployments','statefulsets','daemonsets','jobs','cronjobs') group by `操作类型`, `resource` order by cn desc -
Service/Ingress分布,所关联的查询分析语句如下所示:
Plain Text1select Verb as `操作类型`,count(*) as cn where `操作类型` in ('create', 'delete') and `resource` in ('ingressess','services') group by `操作类型`,`resource`order by cn desc -
重要操作趋势,所关联的查询分析语句如下所示:
Plain Text1select histogram(cast(@timestamp as timestamp),interval 1 minute) as t, Verb, count(1) as "操作次数" where Verb in ('create','delete','update','patch') group by t, Verb order by t limit 10000 -
非系统用户操作趋势,所关联的查询分析语句如下所示:
Plain Text1select histogram(cast(@timestamp as timestamp),interval 1 minute) as t, `User`->"$.username" as `用户名称`, count(1) as `count` where ((locate("system:", `User`->"$.username") = 0) AND ((`User`->"$.username") not like 'apiserver') AND ((`User`->"$.username") not like "kube-controller-manager") AND ((`User`->"$.username") not like "kube-apiserver-kubelet-client")) group by t, `用户名称` order by t limit 10000