2025-02-12 · kubernetes · audit · operations
Reading kube-apiserver audit trails without drowning
By Mika Okada
Audit trails become useful when you decide what question you are answering before you open the tool. Start with a tight time window, then filter to verbs that actually change cluster state, and only then widen to subjects that touch namespaces under incident.
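The three narrowing steps above, as an added example that is not part of the original post: it reads audit.k8s.io/v1 events one JSON object per line (the shape the kube-apiserver log backend writes), keeps only ResponseComplete entries inside the window, then mutating verbs, then widens to every call made by the subjects whose writes hit the incident namespaces. The sample events, usernames and namespaces are constructed.

```python
import json
from datetime import datetime

# Verbs that change cluster state; get/list/watch are read-only noise for step 2.
MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# Constructed sample: audit.k8s.io/v1 events, one per line, plus one broken line.
SAMPLE_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"RequestReceived","verb":"patch","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"resource":"deployments","namespace":"payments","name":"api"},"requestReceivedTimestamp":"2025-02-12T10:03:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"patch","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"resource":"deployments","namespace":"payments","name":"api"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-02-12T10:03:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"resource":"pods","namespace":"payments"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-02-12T10:03:05.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"payments"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-02-12T10:04:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","verb":"delete","user":{"username":"bob"},"objectRef":{"resource":"configmaps","namespace":"staging","name":"flags"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-02-12T10:05:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a5","stage":"ResponseComplete","verb":"delete","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"payments","name":"api-1"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-02-12T11:30:00.000000Z"}
this line is not JSON and must be skipped, not guessed at
"""

def parse_ts(s):
    # Audit timestamps end in "Z"; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def load_window(text, start, end):
    """Step 1: completed events with start <= requestReceivedTimestamp < end."""
    out = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # malformed line: leave it out rather than repair it
        if ev.get("kind") != "Event" or ev.get("stage") != "ResponseComplete":
            continue  # RequestReceived rows repeat the auditID without a response code
        if parse_ts(start) <= parse_ts(ev["requestReceivedTimestamp"]) < parse_ts(end):
            out.append(ev)
    return out

def mutating(events, verbs=MUTATING_VERBS):
    """Step 2: keep only verbs that change cluster state."""
    return [e for e in events if e.get("verb") in verbs]

def subjects_touching(events, namespaces):
    """Step 3a: subjects whose mutating calls hit the namespaces under incident."""
    return {e["user"]["username"] for e in mutating(events)
            if e.get("objectRef", {}).get("namespace") in namespaces}

def widen_to_subjects(events, subjects):
    """Step 3b: everything those subjects did in the window, reads included."""
    return [e for e in events if e["user"]["username"] in subjects]
```

Feed a real log via `open(path).read()` in place of `SAMPLE_LOG`; the widened slice is the one worth archiving with the postmortem, since it keeps the reads that explain what an automation account was looking at before it wrote.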
We teach learners to pair each audit spike with a rollout monitor screenshot so reviewers see intent, not just API noise. The habit sounds small, but it prevents circular arguments during incident syncs.
When spikes come from automation accounts, annotate the service account and the pipeline ID in your note—even if that ID lives outside the cluster. Downstream teams need the bridge between CI and the control plane.
Finally, archive the trimmed export with your postmortem draft. Full dumps age poorly; curated slices stay readable months later when similar symptoms return.