Menú
Use when working with WizTelemetry Auditing extension for KubeSphere, including installation, configuration, and audit query API
KubeSphere OpenPitrix application management Skill. Use when users ask about KubeSphere App Store, OpenPitrix, Helm/YAML application templates, application repositories, app versions, app releases, categories, review states, repository sync, or troubleshooting application installation and upgrade issues.
KubeSphere ServiceMesh extension management Skill (Istio + Kiali + Jaeger). Use this skill for the ServiceMesh extension Configuration (covers installation, uninstallation, status checks), troubleshooting (covers grayscale release, sidecar injection, topology/metrics, and tracing for Composed Apps Aka Custom Applications).
Operate the KubeSphere network extension. Use when Codex needs to install, upgrade, configure, enable, disable, or inspect the `network` extension; manage Calico `IPPool` resources, namespace bindings, migrations, or network isolation flows; or consult the bundled network extension references in this skill.
Use when working with KubeSphere DevOps extension, CI/CD pipelines, Jenkins integration, or pipeline troubleshooting
Use when creating, running, or managing CI/CD pipelines in KubeSphere DevOps, including pipeline API operations and run monitoring
Use when working with WizTelemetry Logging extension for KubeSphere, including installation, configuration, and log query API
| name | whizard-auditing |
| description | Use when working with WizTelemetry Auditing extension for KubeSphere, including installation, configuration, and audit query API |
WizTelemetry Auditing is an extension component in the KubeSphere Observability Platform for Kubernetes and KubeSphere audit event collection, processing, and storage.
| Component | Description | Default Enabled |
|---|---|---|
| kube-auditing | Kubernetes audit event collection and export | true |
REQUIRED: Complete all steps in order before generating InstallPlan.
⚠️ CRITICAL: DO NOT proceed until target clusters are determined.
Step 1.1: Get available clusters
kubectl get clusters -o jsonpath='{.items[*].metadata.name}'
Step 1.2: Determine target clusters
Ask user (if not specified):
Available clusters: host, dev
Which clusters do you want to deploy WizTelemetry Auditing to?
MUST do this to get the latest version:
kubectl get extensionversions -l kubesphere.io/extension-ref=whizard-auditing -o jsonpath='{range .items[*]}{.spec.version}{"\n"}{end}' | sort -V | tail -1
This outputs the latest version (e.g., 1.4.0). Note this down - you'll use it in the InstallPlan.
⚠️ IMPORTANT: Complete prerequisite steps BEFORE this step.
Based on your selections:
⚠️ CRITICAL: InstallPlan metadata.name MUST be whizard-auditing. DO NOT use any other name.
⚠️ CRITICAL: config field is YAML format. You MUST:
⚠️ CRITICAL: All placeholders MUST be replaced with actual values. DO NOT leave them as placeholders.
apiVersion: kubesphere.io/v1alpha1
kind: InstallPlan
metadata:
name: whizard-auditing
spec:
extension:
name: whizard-auditing
version: <VERSION> # From Step 2
enabled: true
upgradeStrategy: Manual
clusterScheduling:
placement:
clusters:
- <TARGET_CLUSTERS>
Replace placeholders:
<VERSION>: From Step 2 (e.g., 1.4.0)<TARGET_CLUSTERS>: User-confirmed cluster namesNote: OpenSearch sink configuration (endpoints, auth) is provided by the vector extension. Make sure vector is installed and configured with OpenSearch before installing auditing.
To enable Doris sink for audit storage:
apiVersion: kubesphere.io/v1alpha1
kind: InstallPlan
metadata:
name: whizard-auditing
spec:
extension:
name: whizard-auditing
version: <VERSION> # From Step 2
enabled: true
upgradeStrategy: Manual
config: |
kube-auditing:
sinks:
opensearch:
enabled: true
index:
prefix: "{{ .cluster }}-auditing"
timestring: "%Y.%m.%d"
doris:
enabled: true
fe: <DORIS_FE>
be: <DORIS_BE>
table:
partitionUnit: DAY
retentionPartition: 7
replicationNum: 2
clusterScheduling:
placement:
clusters:
- <TARGET_CLUSTERS>
apiVersion: kubesphere.io/v1alpha1
kind: InstallPlan
metadata:
name: whizard-auditing
spec:
extension:
name: whizard-auditing
version: <VERSION> # From Step 2
enabled: true
upgradeStrategy: Manual
config: |
kube-auditing:
sinks:
opensearch:
enabled: true
index:
prefix: "{{ .cluster }}-auditing"
timestring: "%Y.%m.%d"
ism_policy:
enable: true
min_index_age: "7d"
clusterScheduling:
placement:
clusters:
- <TARGET_CLUSTERS>
| Parameter | Type | Default | Description |
|---|---|---|---|
kube-auditing.sinks.opensearch.enabled | bool | true | Enable OpenSearch sink |
kube-auditing.sinks.opensearch.index.prefix | string | "{{ .cluster }}-auditing" | Index prefix |
kube-auditing.sinks.opensearch.index.timestring | string | "%Y.%m.%d" | Index time format |
| Parameter | Type | Default | Description |
|---|---|---|---|
kube-auditing.sinks.doris.enabled | bool | false | Enable Doris sink |
kube-auditing.sinks.doris.fe | string | "" | Doris Frontend address |
kube-auditing.sinks.doris.be | string | "" | Doris Backend address |
kube-auditing.sinks.doris.table.partitionUnit | string | DAY | Partition unit |
kube-auditing.sinks.doris.table.retentionPartition | int | 7 | Retention partition |
kube-auditing.sinks.doris.table.replicationNum | int | 2 | Replication number |
| Parameter | Type | Default | Description |
|---|---|---|---|
kube-auditing.ism_policy.enable | bool | false | Enable Index State Management policy |
kube-auditing.ism_policy.min_index_age | string | "7d" | Minimum index retention period |
curl -X GET "http://whizard-telemetry-apiserver.extension-whizard-telemetry.svc:80/kapis/logging.kubesphere.io/v1alpha2/auditing?operation=query&sort=desc&size=10&cluster=host" \
-H "X-Remote-User: admin"
Query Parameters:
| Parameter | Type | Default | Description |
|---|---|---|---|
operation | string | query | Operation type: query/statistics/histogram/export |
workspace_filter | string | Comma-separated list of workspaces | |
workspace_search | string | Fuzzy match workspace names | |
objectref_namespace_filter | string | Comma-separated list of namespaces (ObjectRef.Namespace) | |
objectref_namespace_search | string | Fuzzy match namespace names | |
objectref_name_filter | string | Comma-separated list of object names | |
objectref_name_search | string | Fuzzy match object names | |
level_filter | string | Audit level: Metadata/Request/RequestResponse | |
verb_filter | string | Comma-separated list of verbs (create, update, delete, etc.) | |
user_filter | string | Comma-separated list of users | |
user_search | string | Fuzzy match username | |
group_search | string | Fuzzy match user groups | |
source_ip_search | string | Fuzzy match source IPs | |
objectref_resource_filter | string | Comma-separated list of resources | |
objectref_subresource_filter | string | Comma-separated list of subresources | |
response_code_filter | string | Comma-separated list of response codes | |
response_status_filter | string | Comma-separated list of response statuses | |
start_time | string | Start time (seconds since epoch) | |
end_time | string | End time (seconds since epoch) | |
interval | string | 15m | Time interval for histogram |
sort | string | desc | Sort order: asc/desc |
from | int | 0 | Offset |
size | int | 10 | Number of results |
cluster | string | host | Cluster name |
kubectl get installplan whizard-auditing
kubectl get extensionversions -l kubesphere.io/extension-ref=whizard-auditing
Uninstall from all clusters:
kubectl delete installplan whizard-auditing
Uninstall from specific cluster:
To remove WizTelemetry Auditing from a specific cluster, update the InstallPlan by removing that cluster from clusterScheduling.placement.clusters:
apiVersion: kubesphere.io/v1alpha1
kind: InstallPlan
metadata:
name: whizard-auditing
spec:
extension:
name: whizard-auditing
version: <VERSION>
enabled: true
upgradeStrategy: Manual
clusterScheduling:
placement:
clusters:
- <REMAINING_CLUSTERS> # Remove the cluster you want to uninstall from