Skip to content
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
    • Kong Konnect
    • Kong Mesh
    • Plugin Hub
    • decK
    • Kubernetes Ingress Controller
    • Insomnia
    • Kuma

    • Docs contribution guidelines
  • Plugin Hub
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kubernetes Ingress Controller
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • 2.1.x (latest)
  • 2.0.x
  • 1.9.x
  • 1.8.x
  • 1.7.x
  • 1.6.x
  • 1.5.x
  • 1.4.x
  • 1.3.x
  • 1.2.x
  • 1.1.x
  • 1.0.x
    • Introduction to Kong Mesh
    • What is Service Mesh?
    • How Kong Mesh works
    • Deployments
    • Version support policy
    • Stability
    • Release notes
    • Installation Options
    • Kubernetes
    • Helm
    • OpenShift
    • Docker
    • Amazon ECS
    • Amazon Linux
    • Red Hat
    • CentOS
    • Debian
    • Ubuntu
    • macOS
    • Windows
    • Explore Kong Mesh with the Kubernetes demo app
    • Explore Kong Mesh with the Universal demo app
    • Standalone deployment
    • Multi-zone deployment
    • License
    • Overview
    • Data plane proxy
    • Data plane on Kubernetes
    • Data plane on Universal
    • Gateway
    • Zone Ingress
    • Zone Egress
    • CLI
    • GUI
    • Observability
    • Inspect API
    • Kubernetes Gateway API
    • Networking
    • Service Discovery
    • DNS
    • Kong Mesh CNI
    • Transparent Proxying
    • IPv6 support
    • Non-mesh traffic
    • Secure access across Kong Mesh components
    • Secrets
    • Kong Mesh API Access Control
    • API server authentication
    • Data plane proxy authentication
    • Zone proxy authentication
    • Data plane proxy membership
    • Dataplane Health
    • Fine-tuning
    • Control Plane Configuration
    • Upgrades
    • Requirements
    • Introduction
    • General notes about Kong Mesh policies
    • Applying Policies
    • How Kong Mesh chooses the right policy to apply
    • Understanding TargetRef policies
    • Protocol support in Kong Mesh
    • Mesh
    • Mutual TLS
    • Traffic Permissions
    • Traffic Route
    • Traffic Metrics
    • Traffic Trace
    • Traffic Log
    • Locality-aware Load Balancing
    • Fault Injection
    • Health Check
    • Circuit Breaker
    • Proxy Template
    • External Service
    • Retry
    • Timeout
    • Rate Limit
    • Virtual Outbound
    • MeshGateway
    • MeshGatewayRoute
    • Service Health Probes
    • MeshAccessLog (Beta)
    • MeshCircuitBreaker (Beta)
    • MeshFaultInjection (Beta)
    • MeshHealthCheck (Beta)
    • MeshHTTPRoute (Beta)
    • MeshProxyPatch (Beta)
    • MeshRateLimit (Beta)
    • MeshRetry (Beta)
    • MeshTimeout (Beta)
    • MeshTrace (Beta)
    • MeshTrafficPermission (Beta)
    • Overview
    • HashiCorp Vault CA
    • Amazon ACM Private CA
    • cert-manager Private CA
    • OPA policy support
    • MeshOPA (beta)
    • Multi-zone authentication
    • FIPS support
    • Certificate Authority rotation
    • Role-Based Access Control
    • UBI Images
    • Windows Support
    • Auditing
    • HTTP API
    • Annotations and labels in Kubernetes mode
    • Kong Mesh data collection
      • Mesh
      • CircuitBreaker
      • ExternalService
      • FaultInjection
      • HealthCheck
      • MeshGateway
      • MeshGatewayRoute
      • ProxyTemplate
      • RateLimit
      • Retry
      • Timeout
      • TrafficLog
      • TrafficPermission
      • TrafficRoute
      • TrafficTrace
      • VirtualOutbound
      • Dataplane
      • ZoneEgress
      • ZoneIngress
      • kuma-cp
      • kuma-dp
      • kumactl
    • Kuma-cp configuration reference
    • Open source License
    • Contribute to Mesh

github-edit-pageEdit this page

report-issueReport an issue

enterprise-switcher-iconSwitch to OSS

On this page
  • How it works
    • AccessAudit
  • Backends
    • JSON file
  • Multi-zone
Kong Mesh
2.1.x (latest)
  • Home
  • Kong Mesh
  • Features
  • Access Audit

Access Audit

Access Audit lets you track all actions that are executed in Kong Mesh. It includes all the actions executed by both users and the control plane.

How it works

Kong Mesh provides an extra resource that enables operators and teams to decide which resources should be audited.

AccessAudit

AccessAudit defines which actions should be audited. It is global-scoped, which means it is not bound to a mesh.

Universal
Kubernetes
type: AccessAudit
name: audit-1
rules:
- types: ["TrafficPermission", "TrafficRoute", "Mesh"] # list of types which should be audited. If empty, then default types are audited (see "Default types" below).
  mesh: default # Mesh within which access to resources is granted. It can only be used with the Mesh-scoped resources and Mesh itself. If empty, resources from all meshes will be audited.
  access: ["CREATE", "UPDATE", "DELETE"] # an action that is bound to a type.
  accessAll: true # an equivalent of specifying all possible accesses. Either access or access all can be specified.
apiVersion: kuma.io/v1alpha1
kind: AccessAudit
metadata:
  name: role-1
spec:
  rules:
  - types: ["TrafficPermission", "TrafficRoute", "Mesh"] # list of types which should be audited. If empty, then all resources will be audited.
    mesh: default # Mesh within which access to resources is granted. It can only be used with the Mesh-scoped resources and Mesh itself. If empty, resources from all meshes will be audited.
    access: ["CREATE", "UPDATE", "DELETE"] # an action that is bound to a type.
    accessAll: true # an equivalent of specifying all possible accesses. Either access or access all can be specified.

Default types

By default, when types are not specified all types are taken into account except the one defined in the static Kong Mesh CP config in kmesh.access.audit.skipDefaultTypes. Right now, those are insight resources (DataplaneInsight, ZoneIngressInsight, ZoneEgressInsight, ZoneInsight, ServiceInsight, MeshInsight). Those resources carry status information and are only managed by the control plane, not by a user.

Other actions

Aside CREATE, UPDATE, DELETE, AccessAudit lets you audit all actions that are controllable with RBAC:

  • GENERATE_DATAPLANE_TOKEN (you can use mesh to audit only tokens generated for specific mesh)
  • GENERATE_USER_TOKEN
  • GENERATE_ZONE_CP_TOKEN
  • GENERATE_ZONE_TOKEN
  • VIEW_CONFIG_DUMP
  • VIEW_STATS
  • VIEW_CLUSTERS

Backends

The backend is external storage that persists audit logs. Currently, there is one available backend which is a JSON file.

JSON file

The JSON file is a backend that persists audit logs to a single file in JSON format.

Configuration

You can configure the file backend with the control plane config. It can only be configured using YAML config, not environment variables.

kmesh:
  access:
    audit:
      # Types that are skipped by default when `types` list in AccessAudit resource is empty
      skipDefaultTypes: ["DataplaneInsight", "ZoneIngressInsight", "ZoneEgressInsight", "ZoneInsight", "ServiceInsight", "MeshInsight"]
      backends:
      - type: file
        file:
          # Path to the file that will be filled with logs
          path: /tmp/audit.logs
          rotation:
            # If true, rotation is enabled.
            # Example: if we set path to /tmp/audit.log then after the file is rotated we will have /tmp/audit-2021-06-07T09-15-18.265.log
            enabled: true
            # Maximum number of the old log files to retain
            maxRetainedFiles: 10
            # Maximum size in megabytes of a log file before it gets rotated
            maxSizeMb: 100
            # Maximum number of days to retain old log files based on the timestamp encoded in their filename
            maxAgeDays: 30

Examples

Audit of the TrafficPermission update done by john.doe@kuma.io.

{
  "date": "2022-09-21T09:31:42+02:00",
  "action": "UPDATE",
  "resource": {
    "name": "web-to-backend",
    "mesh": "default",
    "type": "TrafficPermission"
  },
  "user": {
    "name": "john.doe@kuma.io",
    "groups": [
      "team-a"
    ]
  }
}

Audit of the data plane token generation done by john.doe@kuma.io.

{
  "date": "2022-09-21T09:31:42+02:00",
  "action": "GENERATE_DATAPLANE_TOKEN",
  "token": {
    "id": "0e120ec9-6b42-495d-9758-07b59fe86fb9",
    "expiresAt": "2022-09-22T09:31:42+02:00",
    "claims": {
      "mesh": "default",
      "tags": {
        "kuma.io/service": "backend"
      }
    }
  },
  "user": {
    "name": "john.doe@kuma.io",
    "groups": [
      "team-a"
    ]
  }
}

Multi-zone

In a multi-zone setup, AccessAudit is not synchronized between the global control plane and the zone control plane.

Thank you for your feedback.
Was this page useful?
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2023