modules/microshift-viewing-audit-logs.adoc

// Module included in the following assemblies:
//
//microshift_troubleshooting/microshift-audit-logs.adoc

:_mod-docs-content-type: PROCEDURE
[id="microshift-security-context-constraints-alert-eval_{context}"]
= Identifying pod security violations through audit logs

You can identify pod security admission violations on a workload by viewing the server audit logs. The following procedure shows you how to access the audit logs and parse them to find pod security admission violations in a workload.

.Prerequisites

* You have installed `jq`.
* You have root access to the node.

.Procedure

. To retrieve the node name, run the following command:
+
[source,terminal]
----
$ <node_name>=$(oc get node -ojsonpath='{.items[0].metadata.name}')
----
//output example?

. To view the audit logs, run the following command:
+
[source,terminal]
----
$ oc adm node-logs <node_name> --path=kube-apiserver/ <1>
----
<1> Replace _<node_name>_ with the name of the node retrieved from the previous step.
+
.Example output
[source,terminal]
----
rhel-94.lab.local audit-2024-10-18T18-25-41.663.log
rhel-94.lab.local audit-2024-10-19T11-21-29.225.log
rhel-94.lab.local audit-2024-10-20T04-16-09.622.log
rhel-94.lab.local audit-2024-10-20T21-11-41.163.log
rhel-94.lab.local audit-2024-10-21T14-06-10.402.log
rhel-94.lab.local audit-2024-10-22T06-35-10.392.log
rhel-94.lab.local audit-2024-10-22T23-26-27.667.log
rhel-94.lab.local audit-2024-10-23T16-52-15.456.log
rhel-94.lab.local audit-2024-10-24T07-31-55.238.log
----

. To parse the affected audit logs, enter the following command:
+
[source,terminal]
----
$ oc adm node-logs <node_name> --path=kube-apiserver/audit.log \
  | jq -r 'select((.annotations["pod-security.kubernetes.io/audit-violations"] != null) and (.objectRef.resource=="pods")) | .objectRef.namespace + " " + .objectRef.name + " " + .objectRef.resource' \
  | sort | uniq -c <1>
----
<1> Replace _<node_name>_ with the name of the node retrieved from the previous step.
OSDOCS#7431:Viewing audit logs in troubleshooting MicroShift docs 2023-07-25 11:52:34 -04:00			`// Module included in the following assemblies:`
			`//`
			`//microshift_troubleshooting/microshift-audit-logs.adoc`

[enterprise-4.14] changing content type attribute 2023-10-30 10:13:25 -04:00			`:_mod-docs-content-type: PROCEDURE`
OSDOCS#7431:Viewing audit logs in troubleshooting MicroShift docs 2023-07-25 11:52:34 -04:00			`[id="microshift-security-context-constraints-alert-eval_{context}"]`
			`= Identifying pod security violations through audit logs`

			`You can identify pod security admission violations on a workload by viewing the server audit logs. The following procedure shows you how to access the audit logs and parse them to find pod security admission violations in a workload.`

			`.Prerequisites`

			* You have installed `jq`.
OSDOCS-16338: fixes cluster mentions MicroShift 2025-09-30 07:55:42 -04:00			`* You have root access to the node.`
OSDOCS#7431:Viewing audit logs in troubleshooting MicroShift docs 2023-07-25 11:52:34 -04:00
			`.Procedure`

OSDOCS-8012: fix attribute for microshift 2023-10-12 09:27:44 -04:00			`. To retrieve the node name, run the following command:`
OSDOCS#7431:Viewing audit logs in troubleshooting MicroShift docs 2023-07-25 11:52:34 -04:00			`+`
			`[source,terminal]`
			`----`
			`$ <node_name>=$(oc get node -ojsonpath='{.items[0].metadata.name}')`
			`----`
OSDOCS-12116: clarify user-replaceable values for procedure 2024-10-09 12:54:37 -04:00			`//output example?`

OSDOCS#7431:Viewing audit logs in troubleshooting MicroShift docs 2023-07-25 11:52:34 -04:00			`. To view the audit logs, run the following command:`
			`+`
			`[source,terminal]`
			`----`
OSDOCS-12116: clarify user-replaceable values for procedure 2024-10-09 12:54:37 -04:00			`$ oc adm node-logs <node_name> --path=kube-apiserver/ <1>`
OSDOCS#7431:Viewing audit logs in troubleshooting MicroShift docs 2023-07-25 11:52:34 -04:00			`----`
OSDOCS-12116: clarify user-replaceable values for procedure 2024-10-09 12:54:37 -04:00			`<1> Replace _<node_name>_ with the name of the node retrieved from the previous step.`
OSDOCS#7431:Viewing audit logs in troubleshooting MicroShift docs 2023-07-25 11:52:34 -04:00			`+`
			`.Example output`
			`[source,terminal]`
			`----`
OSDOCS-12116: clarify user-replaceable values for procedure 2024-10-09 12:54:37 -04:00			`rhel-94.lab.local audit-2024-10-18T18-25-41.663.log`
			`rhel-94.lab.local audit-2024-10-19T11-21-29.225.log`
			`rhel-94.lab.local audit-2024-10-20T04-16-09.622.log`
			`rhel-94.lab.local audit-2024-10-20T21-11-41.163.log`
			`rhel-94.lab.local audit-2024-10-21T14-06-10.402.log`
			`rhel-94.lab.local audit-2024-10-22T06-35-10.392.log`
			`rhel-94.lab.local audit-2024-10-22T23-26-27.667.log`
			`rhel-94.lab.local audit-2024-10-23T16-52-15.456.log`
			`rhel-94.lab.local audit-2024-10-24T07-31-55.238.log`
OSDOCS#7431:Viewing audit logs in troubleshooting MicroShift docs 2023-07-25 11:52:34 -04:00			`----`

			`. To parse the affected audit logs, enter the following command:`
OSDOCS-8012: fix attribute for microshift 2023-10-12 09:27:44 -04:00			`+`
OSDOCS#7431:Viewing audit logs in troubleshooting MicroShift docs 2023-07-25 11:52:34 -04:00			`[source,terminal]`
			`----`
			`$ oc adm node-logs <node_name> --path=kube-apiserver/audit.log \`
			`\| jq -r 'select((.annotations["pod-security.kubernetes.io/audit-violations"] != null) and (.objectRef.resource=="pods")) \| .objectRef.namespace + " " + .objectRef.name + " " + .objectRef.resource' \`
OSDOCS-12116: clarify user-replaceable values for procedure 2024-10-09 12:54:37 -04:00			`\| sort \| uniq -c <1>`
			`----`
			`<1> Replace _<node_name>_ with the name of the node retrieved from the previous step.`