Kubesphere whizard-auditing
Use when working with WizTelemetry Auditing extension for KubeSphere, including installation, configuration, and audit query API
git clone https://github.com/kubesphere/kubesphere
T=$(mktemp -d) && git clone --depth=1 https://github.com/kubesphere/kubesphere "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/whizard-auditing" ~/.claude/skills/kubesphere-kubesphere-whizard-auditing && rm -rf "$T"
skills/whizard-auditing/SKILL.md
WizTelemetry Auditing
Overview
WizTelemetry Auditing is an extension component in the KubeSphere Observability Platform for Kubernetes and KubeSphere audit event collection, processing, and storage.
When to Use
- Installing or configuring the WizTelemetry Auditing extension
- Understanding audit event collection architecture
- Using the audit query API to query audit events
Components
| Component | Description | Default Enabled |
|---|---|---|
| kube-auditing | Kubernetes audit event collection and export | true |
Dependencies
- WizTelemetry Platform Service (whizard-telemetry): Required
- WizTelemetry Data Pipeline (vector): Required
Installation
Prerequisites
REQUIRED: Complete all steps in order before generating InstallPlan.
Step 1: Get Available Clusters and Confirm Target
⚠️ CRITICAL: DO NOT proceed until target clusters are determined.
Step 1.1: Get available clusters
kubectl get clusters -o jsonpath='{.items[*].metadata.name}'
Step 1.2: Determine target clusters
- If user explicitly specified target clusters in the request → Use those clusters directly, proceed to Step 2
- If user did NOT specify target clusters → Ask user to confirm which clusters to deploy to, then proceed to Step 2
Ask user (if not specified):
Available clusters: host, dev
Which clusters do you want to deploy WizTelemetry Auditing to?
Step 2: Get Latest Version (if not provided by user)
MUST do this to get the latest version:
kubectl get extensionversions -n kubesphere-system -l kubesphere.io/extension-ref=whizard-auditing -o jsonpath='{range .items[*]}{.spec.version}{"\n"}{end}' | sort -V | tail -1
This outputs the latest version (e.g., 1.4.0). Note this down - you'll use it in the InstallPlan.
Install WizTelemetry Auditing
⚠️ IMPORTANT: Complete prerequisite steps BEFORE this step.
Based on your selections:
- Target clusters: User-confirmed cluster names
⚠️ CRITICAL: InstallPlan metadata.name MUST be whizard-auditing. DO NOT use any other name.
⚠️ CRITICAL: config field is YAML format. You MUST:
- Use the config structure exactly as shown in the template
- DO NOT add configuration fields that are not shown in the template
- DO NOT modify the structure or hierarchy
⚠️ CRITICAL: All placeholders MUST be replaced with actual values. DO NOT leave them as placeholders.
Template
apiVersion: kubesphere.io/v1alpha1
kind: InstallPlan
metadata:
  name: whizard-auditing
  namespace: kubesphere-system
spec:
  extension:
    name: whizard-auditing
    version: <VERSION>  # From Step 2
  enabled: true
  upgradeStrategy: Manual
  clusterScheduling:
    placement:
      clusters:
        - <TARGET_CLUSTERS>
Replace placeholders:
- <VERSION>: From Step 2 (e.g., 1.4.0)
- <TARGET_CLUSTERS>: User-confirmed cluster names
Note: OpenSearch sink configuration (endpoints, auth) is provided by the vector extension. Make sure vector is installed and configured with OpenSearch before installing auditing.
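The prerequisite checks and the template above can be combined so that an InstallPlan is rendered only when the version and cluster names are real values. This is an added example, not part of the KubeSphere skill; the helper names `latest_version`, `check_clusters` and `render_installplan` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example; helper names are hypothetical, not part of KubeSphere.

# Step 2: highest version from a newline-separated list on stdin.
latest_version() { sed '/^$/d' | sort -V | tail -1; }

# Step 1: each requested cluster must appear in the space-separated list
# printed by `kubectl get clusters -o jsonpath=...`.
check_clusters() {
  available=" $1 "; shift
  [ "$#" -gt 0 ] || { echo "no target clusters given" >&2; return 1; }
  for c in "$@"; do
    case "$available" in
      *" $c "*) ;;
      *) echo "unknown cluster: $c" >&2; return 1 ;;
    esac
  done
}

# Render the template; refuse empty values and unreplaced <PLACEHOLDERS>.
render_installplan() {
  version=$1; clusters_available=$2; shift 2
  case "$version" in
    ''|*'<'*|*'>'*) echo "version empty or still a placeholder" >&2; return 1 ;;
  esac
  check_clusters "$clusters_available" "$@" || return 1
  cat <<EOF
apiVersion: kubesphere.io/v1alpha1
kind: InstallPlan
metadata:
  name: whizard-auditing
  namespace: kubesphere-system
spec:
  extension:
    name: whizard-auditing
    version: $version
  enabled: true
  upgradeStrategy: Manual
  clusterScheduling:
    placement:
      clusters:
EOF
  for c in "$@"; do printf '        - %s\n' "$c"; done
}

# Usage (needs cluster access):
#   avail=$(kubectl get clusters -o jsonpath='{.items[*].metadata.name}')
#   render_installplan 1.4.0 "$avail" host | kubectl apply --dry-run=server -f -
```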
Enable Doris Sink
To enable Doris sink for audit storage:
apiVersion: kubesphere.io/v1alpha1
kind: InstallPlan
metadata:
  name: whizard-auditing
  namespace: kubesphere-system
spec:
  extension:
    name: whizard-auditing
    version: <VERSION>  # From Step 2
  enabled: true
  upgradeStrategy: Manual
  config: |
    kube-auditing:
      sinks:
        opensearch:
          enabled: true
          index:
            prefix: "{{ .cluster }}-auditing"
            timestring: "%Y.%m.%d"
        doris:
          enabled: true
          fe: <DORIS_FE>
          be: <DORIS_BE>
          table:
            partitionUnit: DAY
            retentionPartition: 7
            replicationNum: 2
  clusterScheduling:
    placement:
      clusters:
        - <TARGET_CLUSTERS>
Enable ISM Policy
apiVersion: kubesphere.io/v1alpha1
kind: InstallPlan
metadata:
  name: whizard-auditing
  namespace: kubesphere-system
spec:
  extension:
    name: whizard-auditing
    version: <VERSION>  # From Step 2
  enabled: true
  upgradeStrategy: Manual
  config: |
    kube-auditing:
      sinks:
        opensearch:
          enabled: true
          index:
            prefix: "{{ .cluster }}-auditing"
            timestring: "%Y.%m.%d"
          ism_policy:
            enable: true
            min_index_age: "7d"
  clusterScheduling:
    placement:
      clusters:
        - <TARGET_CLUSTERS>
Configuration Parameters
OpenSearch Sink Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| opensearch.enabled | bool | true | Enable OpenSearch sink |
| opensearch.index.prefix | string | "{{ .cluster }}-auditing" | Index prefix |
| opensearch.index.timestring | string | "%Y.%m.%d" | Index time format |
Doris Sink Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
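| doris.enabled | bool | false | Enable Doris sink |
| doris.fe | string | "" | Doris Frontend address |
| doris.be | string | "" | Doris Backend address |
| doris.table.partitionUnit | string | DAY | Partition unit |
| doris.table.retentionPartition | int | 7 | Retention partition |
| doris.table.replicationNum | int | 2 | Replication number |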
ISM Policy Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| ism_policy.enable | bool | false | Enable Index State Management policy |
| ism_policy.min_index_age | string | "7d" | Minimum index retention period |
Audit Query API
Query Audit Events
curl -X GET "http://whizard-telemetry-apiserver.extension-whizard-telemetry.svc:80/kapis/logging.kubesphere.io/v1alpha2/auditing?operation=query&sort=desc&size=10&cluster=host" \
  -H "X-Remote-User: admin"
Query Parameters:
| Parameter | Type | Default | Description |
|---|---|---|---|
| operation | string | query | Operation type: query/statistics/histogram/export |
| | string | | Comma-separated list of workspaces |
| | string | | Fuzzy match workspace names |
| | string | | Comma-separated list of namespaces (ObjectRef.Namespace) |
| | string | | Fuzzy match namespace names |
| | string | | Comma-separated list of object names |
| | string | | Fuzzy match object names |
| | string | | Audit level: Metadata/Request/RequestResponse |
| | string | | Comma-separated list of verbs (create, update, delete, etc.) |
| | string | | Comma-separated list of users |
| | string | | Fuzzy match username |
| | string | | Fuzzy match user groups |
| | string | | Fuzzy match source IPs |
| | string | | Comma-separated list of resources |
| | string | | Comma-separated list of subresources |
| | string | | Comma-separated list of response codes |
| | string | | Comma-separated list of response statuses |
| | string | | Start time (seconds since epoch) |
| | string | | End time (seconds since epoch) |
| | string | 15m | Time interval for histogram |
| sort | string | desc | Sort order: asc/desc |
| | int | 0 | Offset |
| size | int | 10 | Number of results |
| cluster | string | host | Cluster name |
Extension Operations
Check Extension Status
kubectl get installplan -n kubesphere-system -l extension.kubesphere.io/name=whizard-auditing
kubectl get extensionversions -n kubesphere-system whizard-auditing
Uninstall Extension
Uninstall from all clusters:
kubectl delete installplan -n kubesphere-system whizard-auditing
Uninstall from specific cluster:
To remove WizTelemetry Auditing from a specific cluster, update the InstallPlan by removing that cluster from clusterScheduling.placement.clusters:
apiVersion: kubesphere.io/v1alpha1
kind: InstallPlan
metadata:
  name: whizard-auditing
  namespace: kubesphere-system
spec:
  extension:
    name: whizard-auditing
    version: <VERSION>
  enabled: true
  upgradeStrategy: Manual
  clusterScheduling:
    placement:
      clusters:
        - <REMAINING_CLUSTERS>  # Remove the cluster you want to uninstall from