Getting Information About Logs

You can access and manage your cluster’s audit logs, which record all Kubernetes API activity for security and compliance purposes. These logs are automatically stored in OOS buckets within the same Region as your cluster. For more information about OOS, see About OOS.

This page explains how to use kubectl to view detailed information about your cluster’s log configuration. It details how to retrieve the OOSAccess resource to identify the associated OOS buckets, endpoint URL, access mode, and the list of accounts authorized to read the logs.

The OOSAccess Custom Resource Definition (CRD) defines the resource kind, while the oks-oos-configuration object is automatically created during cluster deployment.

Getting Information About Logs Using kubectl

Retrieve the Current Configuration

To view the current configuration of your cluster audit logs, use the kubectl get command to retrieve the OOSAccess custom resource associated with your cluster:

Request sample
$ kubectl get oosaccesses oks-oos-configuration --output yaml

This command contains the following options that you need to specify:

  • oosaccesses oks-oos-configuration: Identifies the custom resource and its name. This CR contains information about audit and IAAS log storage for your cluster.

  • --output: Specifies the output format (yaml | json | wide | name).

Result sample
apiVersion: oks.dev/v1beta
kind: OOSAccess
metadata:
  name: oks-oos-configuration
spec:
  audit:
    readers:
    - "012345678901"
  iaas:
    readers:
    - "012345678901"
status:
  accessModes: read
  endpointURL: https://oos.eu-west-2.outscale.com
  lastError:
    message: None
  managedRoles: audit, iaas
  roles:
    audit:
      bucketName: audit-1233456b2a906cb2b17dfdd0000000000.eu-west-2.oks
      readers:
      - "012345678901"
       retention:
        days: 366
        enabled: true
        mode: COMPLIANCE
     iaas:
      bucketName: iaas-1233456b2a906cb2b17dfdd0000000000.eu-west-2.oks
      readers:
      - "012345678901"

The command returns the following elements:

  • apiVersion: The API version used by the CustomResourceDefinition (CRD). It identifies the schema version for the OOSAccess resource (always oks.dev/v1beta).

  • kind: The type of Kubernetes resource, always OOSAccess in this case.

  • metadata: General metadata information about the resource:

    • name: The name of the object, always oks-oos-configuration.

  • spec: Specifies the desired configuration for log access.

    • readers: Lists the OUTSCALE account IDs that have read-only access to logs stored in OOS:

      • For audit logs: Accounts allowed to read audit logs.

      • For iaas logs: Accounts allowed to read infrastructure-related logs.

  • status: Provides the current state and effective configuration for log storage and access.

    • accessModes: Indicates the type of access granted to the OOS buckets storing the logs. This field is always set to read, meaning users can only view or download logs. Log creation, modification, or deletion are managed automatically by OUTSCALE and are not user-configurable.

    • endpointURL: The OOS endpoint where the cluster’s audit and infrastructure logs are stored. Each OKS cluster stores its logs in dedicated OOS buckets located in the same Region as the cluster (for example, https://oos.eu-west-2.outscale.com).

    • lastError: Shows any error encountered when synchronizing log access configuration (is set to None when the configuration is valid).

    • managedRoles: The types of log roles managed by this resource, such as audit and iaas.

    • roles: Specifies the configuration for each log category. Within each role, you have:

      • bucketName: The name of the OOS bucket that stores the corresponding log type.

      • readers: The list of OUTSCALE account IDs that currently have read-only access to the logs:

        • For audit: Accounts authorized to read control plane audit logs, which record OKS CLI activity for the cluster.

        • For iaas: Accounts authorized to read infrastructure (IaaS) logs, limited to components such as load balancers.

      • retention: The retention rule for audit logs, including duration (days), whether it is enabled (always true), and mode. The mode should be COMPLIANCE, but older clusters may display the GOVERNANCE value.

Saving the Configuration Locally

You can save the output of the command to a local yaml file by using the redirection operator >:

Request sample
$ kubectl get oosaccesses oks-oos-configuration --output yaml > NAME_OF_CONFIG_FILE.yaml

This creates a copy of the current resource on your machine in a yaml file, which you can then open, review, or edit later when granting yourself access to logs. To learn how to do so, see Tutorial: Granting Yourself Access To Logs.

Related Pages

Export to PDF