A method for generating an audit log and related components
By deploying an Agent container and a Webhook storage terminal of the cloud management platform in the K8s working cluster, audit logs are automatically monitored and generated, solving the problems of low efficiency and high error rate of manual audit log compilation, and achieving efficient and accurate audit log generation.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- JINAN INSPUR DATA TECH CO LTD
- Filing Date
- 2022-07-29
- Publication Date
- 2026-06-26
AI Technical Summary
In existing technologies, the generation of Kubernetes audit logs mainly relies on manual operation, which leads to low efficiency and high error rate, and cannot efficiently and accurately record the operation records of the Kubernetes cluster.
By deploying an Agent container in a Kubernetes worker cluster, user request commands are received, actions of target resource objects are automatically monitored, and audit logs are generated. The Webhook storage of the cloud management platform is used to filter and store the audit logs, thereby improving the efficiency and accuracy of audit log generation.
It enables automated generation of audit logs, reducing the inefficiency and error rate of manual compilation, improving the efficiency and accuracy of audit log generation, and making the complex fields of the logs easier for users to understand.
Abstract drawing: Figure CN115237541B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of computer technology, and in particular to a method for generating audit logs and related components.
Background Technology
[0002] In version 1.7, Kubernetes (K8s) introduced an audit log feature. Audit logs provide a time-series record of security-related operations (including time, source, operation result, user initiating the operation, resource involved, and detailed request/response information). Through audit logs, we can clearly understand what happened in the Kubernetes cluster, including: what changes occurred in the cluster currently/historically; who performed these changes, whether it was a system component or a user, and which system component/user; and the details of important changes, such as which parameter in the POD was modified.
[0003] Audit logs are powerful tools, providing a wealth of Kubernetes information. However, currently, audit log creation is primarily done manually. For example, when monitoring a target resource, the operator's information, the target resource's information, the actions performed by the target resource, and the results of those actions are manually combined to generate an audit log for easy viewing by the user. Manually creating audit logs is cumbersome, labor-intensive, and prone to errors.
Summary of the Invention
[0004] The purpose of this application is to provide a method for generating audit logs and related components. By using an Agent container, when a request instruction is received, the method can automatically listen to the target action of the target resource object and automatically generate audit logs based on the listening results. This avoids the low efficiency and high error rate that occur when manually compiling audit logs, and improves the efficiency and accuracy of generating audit logs.
[0005] To address the aforementioned technical problems, this application provides a method for generating audit logs, applied to the Agent container, which is located in a Kubernetes worker cluster. The method includes:
[0006] Receive request commands sent by users through the cloud management platform;
[0007] The target resource object and target action to be monitored are determined according to the request instruction, and an audit log generation policy file corresponding to the request instruction is generated.
[0008] The target actions of the target resource object are monitored according to the audit log policy file to generate audit logs;
[0009] The audit logs are sent to the cloud management platform so that the cloud management platform can display the audit logs through the display component.
[0010] Preferably, sending the audit logs to the cloud management platform includes:
[0011] The audit logs are sent to the webhook storage terminal in the cloud management platform.
[0012] Preferably, the cloud management platform includes a webhook storage terminal;
[0013] Before receiving the request command sent by the user through the cloud management platform, it also includes:
[0014] The startup parameters of the apiserver are initialized to specify the address of the audit log and configure the receiving address and authentication information of the webhook storage terminal;
[0015] The receiving address is the address for receiving the audit logs sent by the Agent container.
[0016] Preferably, after receiving the audit log, the webhook storage terminal of the cloud management platform further includes:
[0017] The webhook storage terminal determines whether the received audit log is a valid log based on the authentication information;
[0018] If so, the received audit logs will be stored in the database of the cloud management platform;
[0019] If not, discard the audit log.
[0020] Preferably, before storing the received audit logs in the database of the cloud management platform, the method further includes:
[0021] The webhook storage terminal determines whether the audit log matches the audit log corresponding to the audit log policy file;
[0022] If they match, proceed to the step of storing the received audit logs in the database of the cloud management platform;
[0023] If they do not match, the audit logs are discarded.
[0024] Preferably, the target resource object and target action to be monitored are determined according to the request instruction, and an audit log generation strategy file corresponding to the request instruction is generated, including:
[0025] The target resource object and target action to be monitored are determined according to the request instruction, and the audit log policy file is generated based on the determined target resource object and target action.
[0026] Preferably, the audit log includes one or more combinations of the following: the ID of the work cluster, the name of the target resource object, the ID of the target resource object, the action of the target resource object, and the user ID that sent the request instruction.
[0027] Preferably, the cloud management platform displays the audit logs through a display component, including:
[0028] The display component displays multiple fields in the audit log and their corresponding Chinese meanings.
[0029] Preferably, receiving a request instruction sent by the user through the cloud management platform includes:
[0030] Receive the request instruction sent by the user through the display component of the cloud management platform.
[0031] Preferably, after receiving the audit log, the cloud management platform further includes:
[0032] The cloud management platform categorizes and stores the audit logs according to preset rules.
[0033] Preferably, it further includes:
[0034] Monitor the CRD resources on the work cluster to determine if any new CRD resources are being created.
[0035] If it exists, the resource information of the newly created CRD resource will be uploaded to the cloud management platform, and the list of CRD resources displayed by the display component will be updated.
[0036] To address the aforementioned technical issues, this application also provides an audit log generation system applied to an Agent container, wherein the Agent container is located in a Kubernetes working cluster, comprising:
[0037] The Agent container is provided in the working cluster of the Kubernetes system, and the system comprises:
[0038] The first receiving unit is used to receive request instructions sent by users through the cloud management platform;
[0039] The policy generation unit is used to determine the target resource object and target action to be monitored according to the request instruction, and to generate an audit log generation policy file corresponding to the request instruction;
[0040] The log generation unit is used to monitor the target actions of the target resource object according to the audit log policy file in order to generate audit logs;
[0041] The log display unit is used to send the audit logs to the cloud management platform so that the cloud management platform can display the audit logs through the display component.
[0042] To address the aforementioned technical problems, this application also provides an apparatus for generating audit logs, comprising:
[0043] Memory, used to store computer programs;
[0044] A processor, configured to implement the steps of the audit log generation method described above when executing the computer program.
[0045] To address the aforementioned technical problems, this application also provides a computer-readable storage medium storing a computer program, which, when executed by a processor, implements the steps of the audit log generation method described above.
[0046] This application provides a method and related components for generating audit logs, relating to the field of computer technology. The solution involves receiving a request instruction sent by a user through a cloud management platform; determining the target resource object and target action to be monitored based on the request instruction, and generating an audit log generation strategy file corresponding to the request instruction; monitoring the target action of the target resource object according to the audit log strategy file to generate audit logs; and sending the audit logs to the cloud management platform so that the cloud management platform can display the audit logs through a display component. As can be seen, this application, through an Agent container, enables automatic monitoring of the target action of the target resource object upon receiving a request instruction, and automatic generation of audit logs based on the monitoring results. This avoids the low efficiency and high error rate associated with manually compiling audit logs, thus improving the efficiency and accuracy of audit log generation.
Attached Figure Description
[0047] To more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings used in the prior art and embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0048] Figure 1 is a flowchart of the audit log generation method provided in this application;
[0049] Figure 2 is a structural block diagram of the audit log generation system provided in this application;
[0050] Figure 3 is a structural block diagram of the audit log generation device provided in this application.
Detailed Implementation
[0051] The core of this application is to provide a method for generating audit logs and related components. By using an Agent container, when a request instruction is received, the method can automatically listen to the target action of the target resource object and automatically generate audit logs based on the listening results. This avoids the low efficiency and high error rate that occur when manually compiling audit logs, and improves the efficiency and accuracy of generating audit logs.
[0052] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0053] Before describing this application, the following is a statement regarding the working principle of Kubernetes and related technical terms:
[0054] Kubernetes: A general-purpose open-source container orchestration architecture for container cloud platforms, capable of automatic scheduling, scaling, and fault recovery of containers, abbreviated as K8s.
[0055] kube-apiserver: The external service API of Kubernetes. All resource-related operations in Kubernetes need to call the relevant interfaces of kube-apiserver.
[0056] K8s resource objects are divided into two types: native K8s resource objects and CRD resource objects. Native K8s resource objects always exist in a standard K8s cluster, but CRD resources are created by the user and differ between different K8s clusters.
[0057] CRD resources: The full name is Custom Resource Definition. CRD itself is a type of resource in Kubernetes that allows users to define new resource types.
[0058] Event object: In Go, this is a structure provided by the "k8s.io/apiserver/pkg/apis/audit" library, used for parsing and modifying Kubernetes audit logs.
[0059] Auditing provides a security-related, time-ordered set of logs that record activity for each user, application using the Kubernetes API, and the control plane itself.
[0060] Cloud management platform: Enables users to manage resources in hybrid cloud and multiple data centers through a unified management platform, thereby greatly improving work efficiency and reducing maintenance costs.
[0061] Work cluster: One or more Kubernetes clusters managed by the cloud management platform.
[0062] Webhook server: a form of providing network services.
[0063] Specifically, in the Kubernetes system, Kubernetes resource objects are persistent entities. Kubernetes uses these entities to represent the state of the entire cluster. They may describe, but are not limited to, the following information: (1) which containerized applications are running (and on which nodes), (2) the resources that can be used by the applications, and (3) policies regarding the runtime behavior of the applications, such as restart policies, upgrade policies, and fault tolerance policies.
[0064] Manipulating Kubernetes resource objects—whether creating, modifying, or deleting them—requires the use of the Kubernetes API. For example, when using the kubectl command-line interface (CLI), the CLI calls the necessary Kubernetes APIs; alternatively, client libraries can be used in programs to directly invoke the Kubernetes APIs.
[0065] In a large-scale, multi-user collaborative environment, countless Kubernetes objects are created, modified, or deleted constantly. Kubernetes introduced audit log functionality in version 1.7, providing security-related time-series operation records (including time, source, operation result, user initiating the operation, resource involved, and detailed request/response information). Through audit logs, we can clearly understand what is happening in the Kubernetes cluster, including but not limited to: (1) what changes have occurred in the cluster currently/historically; (2) who performed these changes, whether it was a system component or a user, and which system component/user; (3) the details of important change events, such as which parameter in the POD was modified; (4) the result of the event, success or failure; and (5) where the user performing the operation came from, whether inside or outside the cluster.
[0066] The content recorded in Kubernetes audit logs is specified by the audit policy. The audit policy is a YAML file that describes the logging level, which log information to collect, and which not to collect. It includes a list of rules; if log information matches a rule, the Kubernetes apiserver will create a log entry for it.
[0067] Please refer to Figure 1, which is a flowchart of the audit log generation method provided in this application. This method is applied to an Agent container, which is located in a Kubernetes worker cluster. The method includes:
[0068] S11: Receive request instructions sent by users through the cloud management platform;
[0069] Specifically, to generate audit logs, this application needs to first obtain the corresponding request instructions, which can be request instructions sent by the user through the cloud management platform. When the user needs or wants to listen to or understand a certain resource object, the application outputs the request instruction corresponding to that resource object.
[0070] In one preferred embodiment, receiving a request instruction sent by a user through the cloud management platform includes:
[0071] Receive request commands sent by users through the display components of the cloud management platform.
[0072] In one specific embodiment, if the cloud management platform includes a display component, the request instruction can be sent through, but is not limited to, the display component. For example, the display component is a UI interface, which is used to visually display the audit logs in the database to the user. For instance, when the user clicks on this UI page, a list of all currently monitored resources is displayed. When the user clicks on a specific resource, all resource objects of that resource are displayed. When the user clicks on a specific resource object, the lifecycle events of that resource are displayed, along with explanations of the meaning of each field. That is, when the user clicks on a resource object on the UI interface, it is determined that the user has sent a request instruction corresponding to the clicked resource object through this UI interface, and then the subsequent step of generating audit logs based on the request instruction is initiated.
[0073] S12: Determine the target resource object and target action to be monitored based on the request instruction, and generate an audit log generation strategy file corresponding to the request instruction;
[0074] S13: Monitor the target actions of the target resource object according to the audit log policy file to generate audit logs;
[0075] Specifically, after obtaining the request instruction, the target resource object and target action to be monitored are determined according to the request instruction issued by the cloud management platform, and the corresponding audit log policy file is generated, so that the target action of the target resource object can be monitored according to the audit log policy file and audit logs can be generated based on the monitoring results.
[0076] As a preferred embodiment, the target resource object and target action to be monitored are determined according to the request instruction, and an audit log generation policy file corresponding to the request instruction is generated, including:
[0077] The target resource object and target action to be monitored are determined based on the request instructions, and an audit log policy file is generated based on the determined target resource object and target action.
[0078] Specifically, after determining the corresponding target resource object and target action according to the request instruction, an audit log policy file is generated based on the target resource object and target action. Then, the log information corresponding to the target action of the target resource object is obtained based on the audit log policy file, and the audit log is generated based on this log information.
[0079] For example, if the request instruction determines that it is necessary to monitor a pod in a Kubernetes object, then the following rule needs to be generated in the audit log policy file:
[0080] - level: RequestResponse
[0081]   resources:
[0082]   - group: ""
[0083]     resources: ["pods"]
[0084]   verbs: ["create", "update", "delete"]
[0085] Here, level: RequestResponse indicates that audit logs are generated when the Kubernetes request has been completed (i.e., the cloud management platform has sent the request instruction) and the response is being returned. resources specifies the resources to be monitored: group is the API group the object belongs to, where an empty string denotes the Kubernetes core resource group, and resources: ["pods"] names the pod object (i.e., the target resource object) within that group. verbs: ["create", "update", "delete"] indicates that audit logs are generated when the pod resource is created, updated, or deleted.
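As an added illustration of steps S12 and S13 (this program is not part of the patent and is not Inspur's implementation), the following Go code builds the rule shown above from a request instruction's target resource object and target actions, renders it as a complete audit.k8s.io/v1 Policy document, and applies the apiserver's first-match rule evaluation to sample events. AuditRule and AuditEvent are hand-written stand-ins for the k8s.io audit types, and RuleFromRequest, ToYAML, PolicyYAML and LevelFor are names chosen for this example, not project APIs.

```go
package main

import (
	"fmt"
	"strings"
)

// AuditRule is a stand-in for the fields of a Kubernetes audit policy rule that
// this example needs; it is not the k8s.io PolicyRule type.
type AuditRule struct {
	Level     string   // None, Metadata, Request or RequestResponse
	Group     string   // API group; "" is the core group
	Resources []string // resource names in that group, e.g. ["pods"]
	Verbs     []string // empty means every verb
}

// AuditEvent holds the subset of an audit event needed for rule matching.
type AuditEvent struct {
	Verb     string
	APIGroup string
	Resource string
}

// RuleFromRequest builds the rule for a request instruction that asks to monitor
// one resource object and a set of target actions (step S12).
func RuleFromRequest(group, resource string, actions []string) AuditRule {
	return AuditRule{Level: "RequestResponse", Group: group, Resources: []string{resource}, Verbs: actions}
}

func quoteList(items []string) string {
	q := make([]string, len(items))
	for i, s := range items {
		q[i] = fmt.Sprintf("%q", s)
	}
	return strings.Join(q, ", ")
}

// ToYAML renders the rule as one entry of the policy's "rules:" list, with the
// indentation kube-apiserver expects (verbs sits at rule level).
func (r AuditRule) ToYAML() string {
	var b strings.Builder
	fmt.Fprintf(&b, "- level: %s\n", r.Level)
	b.WriteString("  resources:\n")
	fmt.Fprintf(&b, "  - group: %q\n", r.Group)
	fmt.Fprintf(&b, "    resources: [%s]\n", quoteList(r.Resources))
	if len(r.Verbs) > 0 {
		fmt.Fprintf(&b, "  verbs: [%s]\n", quoteList(r.Verbs))
	}
	return b.String()
}

// PolicyYAML wraps the rules in a complete audit.k8s.io/v1 Policy document.
func PolicyYAML(rules []AuditRule) string {
	var b strings.Builder
	b.WriteString("apiVersion: audit.k8s.io/v1\nkind: Policy\nrules:\n")
	for _, r := range rules {
		b.WriteString(r.ToYAML())
	}
	return b.String()
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// Matches reports whether the event falls under this rule: same group, a listed
// resource (or any resource when the list is empty) and a listed verb (or any).
func (r AuditRule) Matches(e AuditEvent) bool {
	if r.Group != e.APIGroup || (len(r.Verbs) > 0 && !contains(r.Verbs, e.Verb)) {
		return false
	}
	return len(r.Resources) == 0 || contains(r.Resources, e.Resource)
}

// LevelFor applies the apiserver's first-match semantics: the first matching rule
// decides the level, and an event that matches no rule is not recorded ("None").
func LevelFor(rules []AuditRule, e AuditEvent) string {
	for _, r := range rules {
		if r.Matches(e) {
			return r.Level
		}
	}
	return "None"
}

func main() {
	rules := []AuditRule{RuleFromRequest("", "pods", []string{"create", "update", "delete"})}
	fmt.Print(PolicyYAML(rules))
	fmt.Println(LevelFor(rules, AuditEvent{Verb: "create", APIGroup: "", Resource: "pods"}))
	fmt.Println(LevelFor(rules, AuditEvent{Verb: "get", APIGroup: "", Resource: "pods"}))
}
```

A request that matches no rule is evaluated to level None and never reaches any backend, which is why the generated policy only needs the rules the request instructions ask for; a rule with an empty verbs list covers every verb on the named resource.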
[0086] S14: Send the audit logs to the cloud management platform so that the cloud management platform can display the audit logs through the display component.
[0087] To make it easier for users to see the audit logs intuitively, a display component is set up in the cloud management platform. After the cloud management platform receives the audit logs, it will display the audit logs on the display component.
[0088] As a preferred embodiment, the cloud management platform displays audit logs through a display component, including:
[0089] The component displays multiple fields from the audit log and their corresponding Chinese meanings.
[0090] Given that each field has a specific meaning, the learning cost is high, making it difficult for users to understand these fields and thus the meaning of the audit logs.
[0091] Therefore, when displaying audit logs, in addition to showing the multiple fields contained in the audit logs, the Chinese meanings corresponding to the multiple fields are also displayed through the display component, freeing users from cumbersome fields and high learning costs, and solving the problem that only professionals can operate audit logs.
[0092] As a preferred embodiment, the audit log includes one or more of the following combinations: the ID of the work cluster, the name of the target resource object, the ID of the target resource object, the action of the target resource object, and the user ID that sent the request instruction.
[0093] Specifically, the audit log may include, but is not limited to, one or more combinations of the working cluster ID, the name of the target resource object, the ID of the target resource object, the action of the target resource object, and the user ID that sent the request command. In this case, if it is necessary to display the Chinese meanings of multiple fields in the audit log, the corresponding Chinese meanings can be annotated near the corresponding fields to facilitate user understanding.
[0094] As a preferred embodiment, after receiving the audit logs, the cloud management platform further includes:
[0095] The cloud management platform categorizes and stores audit logs according to preset rules.
[0096] Furthermore, audit logs are generated at different stages of a Kubernetes request. In a large working cluster, the number of audit logs required is also considerable. To facilitate management, this application further classifies and manages the audit logs after they are received on the cloud platform. Specifically, this can be done by categorizing and storing them. The preset rules for categorizing and storing these logs can be set by the user in advance according to actual needs, and can also be modified as needed. For example, preset rules could be categorized and stored according to the creation time, or according to the group to which the resource object belongs, etc. This application does not limit this to any specific rules.
[0097] As a preferred embodiment, sending audit logs to the cloud management platform includes:
[0098] The audit logs are sent to the webhook storage in the cloud management platform.
[0099] Specifically, in this application, the audit logs are sent to the webhook storage of the cloud management platform. The alternative, the log backend, in which the apiserver writes audit logs to a JSON file at a specified path, is simpler to configure but lacks flexibility: it can only write logs locally. When the cloud management platform manages multiple work clusters simultaneously, the cloud management platform would need to actively collect data from the underlying work clusters. Although this can be solved using network storage volumes, additional configuration is required. Furthermore, the log backend cannot pre-filter and categorize the audit logs for storage.
[0100] This application uses a Webhook storage client, specifically by sending audit logs to a remote web API server. This remote Webhook storage client then performs further processing based on the requests sent by the API server. This method requires configuring the API server to specify the address and authentication method of the Webhook storage client. By deploying the Webhook storage client as the backend for audit logs on the cloud management platform, audit logs from multiple managed work clusters can be received simultaneously and processed uniformly (e.g., uniformly categorized and stored).
[0101] It should be noted that the webhook storage function mentioned above can be understood as a server that can perform operations on audit logs.
[0102] As a preferred embodiment, the cloud management platform includes a webhook storage terminal;
[0103] Before receiving the request command sent by the user through the cloud management platform, it also includes:
[0104] Initialize the apiserver startup parameters to specify the address of the audit logs and configure the receiving address and authentication information of the webhook storage terminal;
[0105] The receiving address is the address for receiving audit logs sent by the Agent container.
[0106] In the cloud management platform, which includes a webhook storage terminal, and when the Agent container sends the generated audit logs to the webhook storage terminal, this application first initializes the apiserver's startup parameters during the initialization process to correctly configure the webhook storage terminal's receiving address and authentication information.
[0107] For example, the specific configuration method is as follows:
[0108] --audit-policy-file=/etc/kubernetes/pki/audit-policy.yaml
[0109] --audit-webhook-config-file=/etc/kubernetes/pki/audit-webhook.yaml
[0110] The --audit-policy-file parameter specifies the address of the audit log, and --audit-webhook-config-file specifies the address of a config file. This config file must specify the receiving address of the webhook storage and the authentication information.
[0111] It should be noted that this receiving address is used to receive audit logs, and the authentication information is used to filter the audit logs. Specifically, not all audit logs can be sent to the webhook storage, or in other words, the webhook storage cannot receive all audit logs. If the webhook storage could operate on all audit logs, its permissions would be too broad. In a large work cluster, countless resource objects are created, modified, or deleted at any given time. If the permission configuration (authentication information) is unreasonable, some resource objects may be mistakenly modified or deleted. Therefore, this application requires pre-configuration of the authentication information to filter audit logs, ensuring that the webhook storage only operates on and manages audit logs within its own permissions, thus improving the reliability of the Kubernetes system.
[0112] As a preferred embodiment, after receiving the audit logs, the webhook storage terminal of the cloud management platform also includes:
[0113] The webhook storage terminal determines whether the received audit logs are valid logs based on the authentication information;
[0114] If so, the received audit logs will be stored in the database of the cloud management platform;
[0115] If not, discard the audit log.
[0116] Specifically, after configuring the authentication information as described above, the system determines whether the received audit log is valid based on the authentication information. That is, it determines whether the audit log is within the user's permissions. If it is within the permissions, the audit log is considered valid. In this case, the received audit log is stored in the database of the cloud management platform for categorized storage or displayed through a display component. Otherwise, the audit log is discarded.
[0117] As a preferred embodiment, before storing the received audit logs in the database of the cloud management platform, the method further includes:
[0118] The webhook storage side determines whether the audit logs match the audit logs corresponding to the audit log policy file;
[0119] If they match, proceed to the step of storing the received audit logs in the database of the cloud management platform;
[0120] If they do not match, the audit log is discarded.
[0121] The Agent container may lose or corrupt some data while processing audit logs, which produces abnormal audit logs.
[0122] After receiving the audit log, the webhook storage in this application determines whether the audit log matches the audit log corresponding to the audit log policy file. If so, the audit log is considered normal and proceeds to the step of storing it in the database of the cloud management platform. Otherwise, the audit log is considered abnormal and is discarded directly.
[0123] It should be noted that while the audit log policy file on the webhook storage side in this application has the same content as the audit log policy file generated in the Agent container, it is not the same as the audit log policy file generated in the Agent container. The audit log policy file on the webhook storage side is derived from the request instructions sent by the cloud management platform.
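The following Go program is an added example (not part of the patent and not Inspur's code) of the webhook storage terminal described in paragraphs [0096], [0111] to [0116] and [0121] to [0123]: it checks the bearer token that kube-apiserver sends from the users[].user.token entry of the kubeconfig named by --audit-webhook-config-file, decodes the posted audit.k8s.io/v1 EventList, discards events outside the resource object and actions the request instruction asked for, and stores the rest under a category built from a preset rule (API group, then day). The ObjectRef and Event types are hand-written stand-ins for the k8s.io audit types; WebhookStore, PostEvents and SampleEvents are names and shapes assumed for this example, and the sample batch is constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// ObjectRef and Event are stand-ins for the audit.k8s.io/v1 wire types kube-apiserver
// POSTs to a webhook backend; they are not the k8s.io types.
type ObjectRef struct {
	Resource string `json:"resource"`
	Name     string `json:"name"`
	UID      string `json:"uid"`
	APIGroup string `json:"apiGroup"`
}
type Event struct {
	Stage          string     `json:"stage"`
	Verb           string     `json:"verb"`
	User           struct{ UID string `json:"uid"` } `json:"user"`
	ObjectRef      *ObjectRef `json:"objectRef,omitempty"`
	StageTimestamp time.Time  `json:"stageTimestamp"`
}

// StoredLog carries the audit log fields the page lists plus the category assigned to it.
type StoredLog struct {
	ClusterID, ResourceName, ResourceUID, Action, UserID, Category string
}

// WebhookStore is the webhook storage terminal (assumed shape). Group, Resource and Verbs
// are its own copy of what the request instruction asked to monitor. Single-goroutine demo.
type WebhookStore struct {
	Token, ClusterID, Group, Resource string
	Verbs                             map[string]bool
	DB                                map[string][]StoredLog // category -> stored logs
	Discarded                         int
}

func NewWebhookStore(token, cluster, group, resource string, verbs map[string]bool) *WebhookStore {
	return &WebhookStore{Token: token, ClusterID: cluster, Group: group, Resource: resource, Verbs: verbs, DB: map[string][]StoredLog{}}
}

// valid keeps only completed requests on the monitored resource with a requested verb.
func (w *WebhookStore) valid(e Event) bool {
	o := e.ObjectRef
	return e.Stage == "ResponseComplete" && o != nil && o.APIGroup == w.Group &&
		o.Resource == w.Resource && w.Verbs[e.Verb]
}

// categorize is one possible preset rule: API group, then calendar day.
func categorize(e Event) string {
	group := e.ObjectRef.APIGroup
	if group == "" {
		group = "core"
	}
	return group + "/" + e.StageTimestamp.UTC().Format("2006-01-02")
}

// ServeHTTP checks the apiserver's bearer token, then filters and stores each event.
func (w *WebhookStore) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
	if r.Header.Get("Authorization") != "Bearer "+w.Token {
		http.Error(rw, "unauthorized", http.StatusUnauthorized)
		return
	}
	var list struct{ Items []Event `json:"items"` }
	if err := json.NewDecoder(http.MaxBytesReader(rw, r.Body, 1<<20)).Decode(&list); err != nil {
		http.Error(rw, "bad request", http.StatusBadRequest)
		return
	}
	for _, e := range list.Items {
		if !w.valid(e) {
			w.Discarded++
			continue
		}
		rec := StoredLog{w.ClusterID, e.ObjectRef.Name, e.ObjectRef.UID, e.Verb, e.User.UID, categorize(e)}
		w.DB[rec.Category] = append(w.DB[rec.Category], rec)
	}
	rw.WriteHeader(http.StatusOK)
}

// PostEvents plays the apiserver side in-process and returns the HTTP status code.
func PostEvents(h http.Handler, token, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/audit", strings.NewReader(body))
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// SampleEvents is a constructed batch: a completed pod creation (kept), a pod get
// (verb not requested) and a deployment creation (resource not requested).
const SampleEvents = `{"kind":"EventList","apiVersion":"audit.k8s.io/v1","items":[
{"stage":"ResponseComplete","verb":"create","user":{"uid":"u-1"},"objectRef":{"resource":"pods","name":"web-0","uid":"p-1","apiGroup":""},"stageTimestamp":"2022-07-29T10:00:00.000000Z"},
{"stage":"ResponseComplete","verb":"get","user":{"uid":"u-1"},"objectRef":{"resource":"pods","name":"web-0","uid":"p-1","apiGroup":""},"stageTimestamp":"2022-07-29T10:00:01.000000Z"},
{"stage":"ResponseComplete","verb":"create","user":{"uid":"u-2"},"objectRef":{"resource":"deployments","name":"web","uid":"d-1","apiGroup":"apps"},"stageTimestamp":"2022-07-29T10:00:02.000000Z"}]}`

func main() {
	store := NewWebhookStore("demo-token", "cluster-01", "", "pods", map[string]bool{"create": true, "update": true, "delete": true})
	code := PostEvents(store, "demo-token", SampleEvents)
	fmt.Println("status:", code, "stored:", store.DB, "discarded:", store.Discarded)
}
```

Running main posts the constructed batch once: the pod creation is stored under core/2022-07-29, while the pod get and the deployment creation are counted as discarded. Only ResponseComplete events are accepted because, at level RequestResponse, the apiserver also emits a RequestReceived event for the same request unless the policy's omitStages drops it; a batch with a wrong token is rejected with 401 before any event is examined.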
[0124] As a preferred embodiment, it also includes:
[0125] Monitor CRD resources on the work cluster to determine whether any new CRD resources are being created;
[0126] If so, the resource information of the newly created CRD resource is uploaded to the cloud management platform, and the list of CRD resources displayed by the display component is updated.
[0127] Furthermore, the Agent container can also monitor CRD resources in the work cluster. CRD resources are user-defined resources. When a new CRD resource is created, the Agent uploads the corresponding CRD resource information to the cloud management platform. This resource information can be, but is not limited to, audit logs, so that the cloud management platform can be aware of resource changes in the work cluster.
[0128] When a CRD resource is received on the cloud management platform, and the display component shows CRD resource information (such as a CRD resource list), the CRD resource list can be updated.
[0129] In summary, the audit log generation method described in this application receives a request instruction sent by a user through a cloud management platform; determines the target resource object and target action to be monitored based on the request instruction, and generates an audit log generation strategy file corresponding to the request instruction; monitors the target action of the target resource object according to the audit log strategy file to generate audit logs; and sends the audit logs to the cloud management platform so that the cloud management platform can display the audit logs through a display component. It is evident that in this application, the Agent container enables automatic monitoring of the target action of the target resource object upon receiving a request instruction, and automatically generates audit logs based on the monitoring results. This avoids the low efficiency and high error rate associated with manually compiling audit logs, thus improving the efficiency and accuracy of audit log generation.
[0130] To address the aforementioned technical problems, this application also provides an audit log generation system; please refer to Figure 2, which is a structural block diagram of the audit log generation system provided in this application. The system is applied to an Agent container, which is located in a Kubernetes worker cluster. The system includes:
[0131] The first receiving unit 21 is used to receive request instructions sent by the user through the cloud management platform;
[0132] The policy generation unit 22 is used to determine the target resource object and target action to be monitored based on the request instruction, and to generate an audit log policy file corresponding to the request instruction;
[0133] The log generation unit 23 is used to monitor the target actions of the target resource object according to the audit log policy file in order to generate audit logs;
[0134] The log display unit 24 is used to send audit logs to the cloud management platform so that the cloud management platform can display the audit logs through the display component.
[0135] As a preferred embodiment, sending audit logs to the cloud management platform includes:
[0136] The audit logs are sent to the webhook storage in the cloud management platform.
[0137] As a preferred embodiment, the cloud management platform includes a webhook storage terminal;
[0138] Also includes:
[0139] The initialization unit is used to initialize the startup parameters of the apiserver, specifying the address of the audit log and configuring the receiving address and authentication information of the webhook storage terminal.
[0140] The receiving address is the address for receiving audit logs sent by the Agent container.
[0141] As a preferred embodiment, it also includes:
[0142] The first determining unit is used by the webhook storage terminal to determine whether the received audit log is a valid log based on the authentication information;
[0143] The first execution unit is used to store the received audit logs into the database in the cloud management platform when the audit logs are valid.
[0144] The second execution unit is used to discard audit logs when they are not valid.
[0145] As a preferred embodiment, it also includes:
[0146] The second determining unit is used by the webhook storage terminal to determine whether the audit log matches the audit log corresponding to the audit log policy file;
[0147] The third execution unit is used to enter the step of storing the received audit logs into the database in the cloud management platform when the audit logs match the audit logs corresponding to the audit log policy file.
[0148] The fourth execution unit is used to discard audit logs when the audit logs do not match the audit logs corresponding to the audit log policy file.
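The apiserver startup parameters of paragraph [0139], the policy file generated from a request instruction in paragraph [0132], and the validation and matching steps of paragraphs [0142] to [0148], as an added example in Python that is not the patent's code nor that of any product it describes. The request instruction field names, the receiving URL, the shared token and the audit events are constructed assumptions; the audit.k8s.io/v1 Policy and EventList shapes and the kube-apiserver flags --audit-policy-file and --audit-webhook-config-file are Kubernetes' own. Rule matching is a simplified version of the apiserver's evaluation (verbs and resources only, first matching rule wins).

```python
import hmac
import json
from dataclasses import dataclass, field

# Constructed request instruction as the Agent receives it from the cloud
# management platform; the field names are assumptions, not the patent's.
REQUEST = {"cluster_id": "cluster-01", "user_id": "user-42",
           "api_group": "",                  # "" is the core API group
           "resource": "pods",               # target resource object
           "actions": ["create", "delete"]}  # target actions to monitor
WEBHOOK_URL = "https://cmp.example.invalid/audit"  # constructed receiving address
WEBHOOK_TOKEN = "constructed-shared-secret"         # constructed authentication info


def build_policy(request):
    """Audit log policy file (audit.k8s.io/v1 Policy) for one request: record
    the target actions on the target resource and nothing else."""
    return {"apiVersion": "audit.k8s.io/v1", "kind": "Policy", "rules": [
        {"level": "RequestResponse", "verbs": list(request["actions"]),
         "resources": [{"group": request["api_group"],
                        "resources": [request["resource"]]}]},
        {"level": "None"}]}          # catch-all: the first matching rule wins


def build_webhook_config(url, token):
    """The --audit-webhook-config-file handed to kube-apiserver is a kubeconfig
    naming the receiving address and the bearer token to present to it."""
    return {"apiVersion": "v1", "kind": "Config", "current-context": "default",
            "clusters": [{"name": "audit-store", "cluster": {"server": url}}],
            "users": [{"name": "apiserver", "user": {"token": token}}],
            "contexts": [{"name": "default", "context":
                          {"cluster": "audit-store", "user": "apiserver"}}]}


def rule_matches(rule, event):
    """Simplified apiserver matching: verbs and resources, when listed in the
    rule, must both cover the event (stages, users, namespaces are ignored)."""
    ref = event.get("objectRef") or {}
    if "verbs" in rule and event.get("verb") not in rule["verbs"]:
        return False
    if "resources" in rule and not any(
            ref.get("apiGroup", "") == r.get("group", "")
            and ref.get("resource") in r.get("resources", [])
            for r in rule["resources"]):
        return False
    return True


@dataclass
class WebhookStore:
    """Webhook storage terminal: verify the credential, keep only events the
    policy asked for, and store them as the five audit-log fields."""
    token: str
    policy: dict
    cluster_id: str
    database: list = field(default_factory=list)
    discarded: int = 0          # events dropped for not matching the policy
    rejected_batches: int = 0   # POSTs dropped for failing authentication

    def allowed_by_policy(self, event):
        for rule in self.policy["rules"]:
            if rule_matches(rule, event):
                return rule["level"] != "None"
        return False

    def receive(self, headers, body):
        """Handle one POST carrying an audit.k8s.io/v1 EventList and return
        the HTTP status the receiver would answer with."""
        presented = headers.get("Authorization", "")
        if not hmac.compare_digest(presented, "Bearer " + self.token):
            self.rejected_batches += 1
            return 401                       # not a valid log: discard unparsed
        for event in json.loads(body).get("items", []):
            if not self.allowed_by_policy(event):
                self.discarded += 1
                continue
            ref = event.get("objectRef") or {}
            self.database.append({"cluster_id": self.cluster_id,
                                  "resource_name": ref.get("name"),
                                  "resource_id": ref.get("uid"),
                                  "action": event.get("verb"),
                                  "user_id": event.get("user", {}).get("username")})
        return 200


def audit_event(verb, group, resource, name, uid, user):
    """Constructed audit.k8s.io/v1 Event carrying only the fields used here."""
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": verb,
            "stage": "ResponseComplete", "user": {"username": user},
            "objectRef": {"apiGroup": group, "resource": resource,
                          "name": name, "uid": uid}}


def demo():
    """Send one correctly authenticated batch and one with a wrong token."""
    store = WebhookStore(WEBHOOK_TOKEN, build_policy(REQUEST), REQUEST["cluster_id"])
    batch = json.dumps({"kind": "EventList", "apiVersion": "audit.k8s.io/v1", "items": [
        audit_event("create", "", "pods", "web-1", "uid-1", "user-42"),           # kept
        audit_event("get", "", "pods", "web-1", "uid-1", "user-42"),              # verb not requested
        audit_event("create", "apps", "deployments", "web", "uid-2", "user-42"),  # resource not requested
        audit_event("delete", "", "pods", "web-1", "uid-1", "system:serviceaccount:kube-system:gc")]})  # kept
    statuses = (store.receive({"Authorization": "Bearer " + WEBHOOK_TOKEN}, batch),
                store.receive({"Authorization": "Bearer wrong-token"}, batch))
    return store, statuses
```

In a deployment the Agent would write `build_policy(...)` to the path given to kube-apiserver as `--audit-policy-file` and `build_webhook_config(...)` to the path given as `--audit-webhook-config-file`; the apiserver then POSTs EventList batches to `WEBHOOK_URL` with the bearer token, and `WebhookStore.receive` is the receiving side. The constant-time token comparison and the "reject before parsing" order are the two checks worth keeping when replacing this in-memory store with a real database.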
[0149] In a preferred embodiment, the policy generation unit is specifically used to determine the target resource object and target action to be monitored based on the request instruction, and to generate an audit log policy file based on the determined target resource object and target action.
[0150] As a preferred embodiment, the audit log includes one or more of the following combinations: the ID of the work cluster, the name of the target resource object, the ID of the target resource object, the action of the target resource object, and the user ID that sent the request instruction.
[0151] As a preferred embodiment, the cloud management platform displays audit logs through a display component, including:
[0152] The display component displays multiple fields from the audit log and their corresponding Chinese meanings.
[0153] In a preferred embodiment, the first receiving unit is specifically used to receive request instructions sent by the user through the display component of the cloud management platform.
[0154] As a preferred embodiment, the cloud management platform also includes:
[0155] The storage unit is used to classify and store audit logs according to preset rules.
[0156] As a preferred embodiment, it also includes:
[0157] The CRD monitoring unit is used to monitor CRD resources on the working cluster to determine whether there are any newly created CRD resources.
[0158] The fifth execution unit is used to upload the resource information of the newly created CRD resource to the cloud management platform and update the list of CRD resources displayed by the display component when a new CRD resource exists.
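The CRD monitoring and upload steps of paragraphs [0157] and [0158], as an added Python example that is not the patent's code. It assumes the Agent first lists apiextensions.k8s.io/v1 CustomResourceDefinitions once and then consumes a watch stream of that resource; the CRD objects, the cluster id and the watch events are constructed. It handles the edge case that a watch (and every reconnect) replays objects that already exist as ADDED events, which must not be reported to the platform as newly created.

```python
# Constructed CustomResourceDefinition objects shaped like the
# apiextensions.k8s.io/v1 API returns them (only the fields used here).
def crd(name, uid, rv, kind):
    plural, group = name.split(".", 1)
    return {"metadata": {"name": name, "uid": uid, "resourceVersion": rv},
            "spec": {"group": group, "scope": "Namespaced",
                     "names": {"kind": kind, "plural": plural}}}


# Constructed result of the initial LIST call and the watch events after it.
INITIAL_LIST = {"metadata": {"resourceVersion": "100"},
                "items": [crd("widgets.example.com", "crd-1", "100", "Widget")]}
WATCH_EVENTS = [
    {"type": "ADDED", "object": crd("widgets.example.com", "crd-1", "100", "Widget")},   # replay, not new
    {"type": "ADDED", "object": crd("gadgets.example.com", "crd-2", "101", "Gadget")},   # newly created
    {"type": "MODIFIED", "object": crd("gadgets.example.com", "crd-2", "102", "Gadget")},
    {"type": "ADDED", "object": crd("gadgets.example.com", "crd-2", "102", "Gadget")},   # replay after reconnect
    {"type": "DELETED", "object": crd("widgets.example.com", "crd-1", "103", "Widget")},
]


class CrdMonitor:
    """Agent-side CRD monitoring unit: seeds its view from the LIST, reports
    only ADDED events for names it has not seen, and keeps the list current."""

    def __init__(self, cluster_id, initial_list):
        self.cluster_id = cluster_id
        self.known = {c["metadata"]["name"]: c for c in initial_list["items"]}
        self.last_rv = initial_list["metadata"]["resourceVersion"]  # resume point for the watch
        self.uploads = []   # resource information sent to the cloud management platform

    def resource_info(self, obj):
        """The subset of the CRD the platform needs to show it in its CRD list."""
        return {"cluster_id": self.cluster_id, "name": obj["metadata"]["name"],
                "uid": obj["metadata"]["uid"], "group": obj["spec"]["group"],
                "kind": obj["spec"]["names"]["kind"], "scope": obj["spec"]["scope"]}

    def handle(self, event):
        obj = event["object"]
        name = obj["metadata"]["name"]
        self.last_rv = obj["metadata"]["resourceVersion"]
        if event["type"] == "ADDED" and name not in self.known:
            self.uploads.append(self.resource_info(obj))   # genuinely new CRD
        if event["type"] == "DELETED":
            self.known.pop(name, None)
        else:
            self.known[name] = obj                         # ADDED or MODIFIED

    def crd_list(self):
        """What the display component's CRD resource list should show now."""
        return sorted(self.known)


def run_demo():
    monitor = CrdMonitor("cluster-01", INITIAL_LIST)
    for event in WATCH_EVENTS:
        monitor.handle(event)
    return monitor
```

Against a live cluster the same class is driven by the JSON lines of a watch request on the CustomResourceDefinition collection, and `last_rv` is the resourceVersion to pass when re-opening the watch after a disconnect so that nothing between the two connections is missed.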
[0159] For a description of the audit log generation system, please refer to the above embodiments; this application will not repeat it here.
[0160] To address the aforementioned technical problems, this application also provides an apparatus for generating audit logs; please refer to Figure 3, which is a structural block diagram of the audit log generation apparatus provided by this application. The apparatus comprises:
[0161] Memory 31 is used to store computer programs;
[0162] The processor 32 is configured to implement the steps of the above-described audit log generation method when storing a computer program.
[0163] For a description of the audit log generation device, please refer to the above embodiments; this application will not repeat it here.
[0164] To address the aforementioned technical problems, this application also provides a computer-readable storage medium storing a computer program, which, when executed by a processor, implements the steps of the audit log generation method described above. For a description of the computer-readable storage medium, please refer to the above embodiments; further details will not be repeated here.
[0165] It should also be noted that, in this specification, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.
[0166] The above description of the disclosed embodiments enables those skilled in the art to make or use this application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of this application. Therefore, this application is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims
1. A method for generating audit logs, characterized in that it is applied to an Agent container, wherein the Agent container is located in a Kubernetes worker cluster, and the method includes: receiving request instructions sent by users through the cloud management platform; determining the target resource object and target action to be monitored according to the request instruction, and generating an audit log policy file corresponding to the request instruction; monitoring the target actions of the target resource object according to the audit log policy file to generate audit logs; and sending the audit logs to the cloud management platform so that the cloud management platform can display the audit logs through the display component; wherein determining the target resource object and target action to be monitored based on the request instruction, and generating an audit log policy file corresponding to the request instruction, includes: determining the target resource object and target action to be monitored according to the request instruction, and generating the audit log policy file based on the determined target resource object and target action.
2. The method for generating audit logs as described in claim 1, characterized in that sending the audit logs to the cloud management platform includes: sending the audit logs to the webhook storage terminal in the cloud management platform.
3. The method for generating audit logs as described in claim 2, characterized in that the cloud management platform includes a webhook storage terminal, and that, before receiving the request instruction sent by the user through the cloud management platform, the method also includes: initializing the startup parameters of the apiserver to specify the address of the audit log and to configure the receiving address and authentication information of the webhook storage terminal, wherein the receiving address is the address for receiving the audit logs sent by the Agent container.
4. The method for generating audit logs as described in claim 3, characterized in that, after the webhook storage terminal of the cloud management platform receives the audit log, the method also includes: the webhook storage terminal determining whether the received audit log is a valid log based on the authentication information; if so, storing the received audit log in the database of the cloud management platform; if not, discarding the audit log.
5. The method for generating audit logs as described in claim 4, characterized in that, before storing the received audit logs in the database of the cloud management platform, the method also includes: the webhook storage terminal determining whether the audit log matches the audit log corresponding to the audit log policy file; if they match, proceeding to the step of storing the received audit logs in the database of the cloud management platform; if they do not match, discarding the audit logs.
6. The method for generating audit logs as described in claim 1, characterized in that the audit log includes one or more of the following: the ID of the work cluster, the name of the target resource object, the ID of the target resource object, the action of the target resource object, and the user ID that sent the request instruction.
7. The method for generating audit logs as described in claim 6, characterized in that the cloud management platform displaying the audit logs through a display component includes: the display component displaying multiple fields in the audit log and their corresponding Chinese meanings.
8. The method for generating audit logs as described in claim 1, characterized in that receiving request instructions sent by users through the cloud management platform includes: receiving the request instruction sent by the user through the display component of the cloud management platform.
9. The method for generating audit logs as described in any one of claims 1-8, characterized in that, after the cloud management platform receives the audit logs, the method also includes: the cloud management platform categorizing and storing the audit logs according to preset rules.
10. The method for generating audit logs as described in any one of claims 1-8, characterized in that the method also includes: monitoring the CRD resources on the work cluster to determine whether any new CRD resource has been created; if one exists, uploading the resource information of the newly created CRD resource to the cloud management platform and updating the list of CRD resources displayed by the display component.
11. An audit log generation system, characterized in that it is applied to an Agent container, wherein the Agent container is located in a Kubernetes worker cluster, and the audit log generation system includes: a first receiving unit, used to receive request instructions sent by users through the cloud management platform; a policy generation unit, used to determine the target resource object and target action to be monitored according to the request instruction, and to generate an audit log policy file corresponding to the request instruction; a log generation unit, used to monitor the target actions of the target resource object according to the audit log policy file in order to generate audit logs; and a log display unit, used to send the audit logs to the cloud management platform so that the cloud management platform can display the audit logs through the display component; wherein the policy generation unit is specifically used to determine the target resource object and target action to be monitored according to the request instruction, and to generate the audit log policy file according to the determined target resource object and target action.
12. An apparatus for generating audit logs, characterized in that it includes: a memory, used to store a computer program; and a processor, configured to implement, when storing the computer program, the steps of the audit log generation method as described in any one of claims 1-10.
13. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program that, when executed by a processor, implements the steps of the audit log generation method as described in any one of claims 1-10.