Property
Language: terraform
Severity: low

Description

The Kubernetes API server is not configured with the `--audit-log-maxage` flag, so the number of days audit log files are retained is not controlled. As a result, audit logs may be deleted too soon, reducing visibility into cluster activity.

Impact

Insufficient audit log retention can hinder detection and investigation of security incidents, making it easier for malicious actions to go unnoticed and limiting the ability to perform forensic analysis or meet compliance requirements.

Resolution

Edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the control plane node and set the `--audit-log-maxage` parameter to 30, or to an appropriate number of days for your retention requirements.
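The following is an added example (not code from the original page or from any scanner project) that implements the check this property describes: it inspects a kube-apiserver static-pod manifest, already loaded from YAML into a Python dict, and reports whether `--audit-log-maxage` is absent, non-numeric, or below the 30-day value named in the resolution. The manifests embedded in it are constructed samples, and the `status`/`message` return shape is an assumption of this example.

```python
"""Check a kube-apiserver static-pod manifest for --audit-log-maxage.

Added example, not part of the original page. The sample manifests below
are constructed; the 30-day threshold follows the resolution text.
"""
from typing import Dict, List, Optional, Tuple

FLAG = "--audit-log-maxage"
MIN_DAYS = 30  # recommended minimum retention, per the resolution


def find_flag_value(tokens: List[str], flag: str) -> Optional[str]:
    """Return the value supplied for `flag` in a command/args token list.

    Accepts both the `--flag=value` and `--flag value` spellings.
    Returns None when the flag is not present at all.
    """
    for i, tok in enumerate(tokens):
        if tok.startswith(flag + "="):
            return tok[len(flag) + 1:]
        if tok == flag and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def check_apiserver_audit_maxage(pod: Dict, min_days: int = MIN_DAYS) -> Tuple[str, str]:
    """Evaluate one pod manifest (a dict as loaded from YAML).

    Returns (status, message) where status is "pass", "fail", or "skip"
    (skip = the manifest does not run kube-apiserver, so the check is
    not applicable).
    """
    containers = pod.get("spec", {}).get("containers", [])
    for c in containers:
        # kubeadm puts the binary and flags in `command`; some setups use `args`
        tokens = list(c.get("command", [])) + list(c.get("args", []))
        if not any(t == "kube-apiserver" or t.endswith("/kube-apiserver") for t in tokens):
            continue
        value = find_flag_value(tokens, FLAG)
        if value is None:
            return ("fail", f"{FLAG} is not set on container {c.get('name')!r}")
        try:
            days = int(value)
        except ValueError:
            return ("fail", f"{FLAG} has a non-integer value {value!r}")
        if days < min_days:
            return ("fail", f"{FLAG}={days} is below the recommended {min_days} days")
        return ("pass", f"{FLAG}={days}")
    return ("skip", "no kube-apiserver container found in manifest")


# Constructed sample: the finding this property reports (flag missing).
MISSING_FLAG = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
    "spec": {"containers": [{
        "name": "kube-apiserver",
        "image": "registry.k8s.io/kube-apiserver:v1.29.0",  # constructed tag
        "command": ["kube-apiserver",
                    "--audit-log-path=/var/log/kubernetes/audit/audit.log"],
    }]},
}

# Constructed sample: the resolved manifest, retention set to 30 days.
FIXED = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
    "spec": {"containers": [{
        "name": "kube-apiserver",
        "command": ["kube-apiserver",
                    "--audit-log-path=/var/log/kubernetes/audit/audit.log",
                    "--audit-log-maxage=30"],
    }]},
}

# Constructed sample: flag present but retention too short.
TOO_SHORT = {
    "spec": {"containers": [{
        "name": "kube-apiserver",
        "command": ["/usr/local/bin/kube-apiserver", "--audit-log-maxage", "7"],
    }]},
}

if __name__ == "__main__":
    for label, manifest in (("missing", MISSING_FLAG), ("fixed", FIXED), ("too-short", TOO_SHORT)):
        status, msg = check_apiserver_audit_maxage(manifest)
        print(f"{label:10s} {status:5s} {msg}")
```

In practice the manifest dict would come from `yaml.safe_load` over `/etc/kubernetes/manifests/kube-apiserver.yaml`; the checker is kept free of that dependency so the logic above runs as-is.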