Access Audit lets you track all actions that are executed in Kong Mesh.
It includes all the actions executed by both users and the control plane.
How it works
Kong Mesh provides an extra resource that enables operators and teams to decide which resources should be audited.
AccessAudit defines which actions should be audited.
It is global-scoped, which means it is not bound to a mesh.
By default, when
types are not specified all types are taken into account except the one defined in the static Kong Mesh CP config in
Right now, those are insight resources (
Those resources carry status information and are only managed by the control plane, not by a user.
AccessAudit lets you audit all actions that are controllable with RBAC:
GENERATE_DATAPLANE_TOKEN (you can use
mesh to audit only tokens generated for specific mesh)
The backend is external storage that persists audit logs. Currently, there is one available backend which is a JSON file.
The JSON file is a backend that persists audit logs to a single file in JSON format.
You can configure the file backend with the control plane config.
It can only be configured using YAML config, not environment variables.
# Types that are skipped by default when `types` list in AccessAudit resource is empty
skipDefaultTypes: ["DataplaneInsight", "ZoneIngressInsight", "ZoneEgressInsight", "ZoneInsight", "ServiceInsight", "MeshInsight"]
- type: file
# Path to the file that will be filled with logs
# If true, rotation is enabled.
# Example: if we set path to /tmp/audit.log then after the file is rotated we will have /tmp/audit-2021-06-07T09-15-18.265.log
# Maximum number of the old log files to retain
# Maximum size in megabytes of a log file before it gets rotated
# Maximum number of days to retain old log files based on the timestamp encoded in their filename
Audit of the
TrafficPermission update done by
Audit of the data plane token generation done by
In a multi-zone setup,
AccessAudit is not synchronized between the global control plane and the zone control plane.