Run any Skill in Manus with one click

whizard-auditing

Use when working with WizTelemetry Auditing extension for KubeSphere, including installation, configuration, and audit query API

Run Skill in Manus

Stars16,958

Forks2,744

UpdatedApril 24, 2026 at 06:14

Source

kubesphere

kubesphere/kubesphere

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

Useful forSOC

Network and Computer Systems AdministratorsComputer and Mathematical Occupations15-1244L4

SKILL.md

readonly

WizTelemetry Auditing

Overview

WizTelemetry Auditing is an extension component in the KubeSphere Observability Platform for Kubernetes and KubeSphere audit event collection, processing, and storage.

When to Use

Installing or configuring the WizTelemetry Auditing extension
Understanding audit event collection architecture
Using the audit query API to query audit events

Components

Component	Description	Default Enabled
kube-auditing	Kubernetes audit event collection and export	true

Dependencies

WizTelemetry Platform Service (whizard-telemetry): Required
WizTelemetry Data Pipeline (vector): Required

Installation

Prerequisites

REQUIRED: Complete all steps in order before generating InstallPlan.

Step 1: Get Available Clusters and Confirm Target

⚠️ CRITICAL: DO NOT proceed until target clusters are determined.

Step 1.1: Get available clusters

kubectl get clusters -o jsonpath='{.items[*].metadata.name}'

Step 1.2: Determine target clusters

If user explicitly specified target clusters in the request → Use those clusters directly, proceed to Step 2
If user did NOT specify target clusters → Ask user to confirm which clusters to deploy to, then proceed to Step 2

Ask user (if not specified):

Available clusters: host, dev
Which clusters do you want to deploy WizTelemetry Auditing to?

Step 2: Get Latest Version (if not provided by user)

MUST do this to get the latest version:

kubectl get extensionversions -l kubesphere.io/extension-ref=whizard-auditing -o jsonpath='{range .items[*]}{.spec.version}{"\n"}{end}' | sort -V | tail -1

This outputs the latest version (e.g., 1.4.0). Note this down - you'll use it in the InstallPlan.

Install WizTelemetry Auditing

⚠️ IMPORTANT: Complete prerequisite steps BEFORE this step.

Based on your selections:

Target clusters: User-confirmed cluster names

⚠️ CRITICAL: InstallPlan metadata.name MUST be whizard-auditing. DO NOT use any other name.

⚠️ CRITICAL: config field is YAML format. You MUST:

Use the config structure exactly as shown in the template
DO NOT add configuration fields that are not shown in the template
DO NOT modify the structure or hierarchy

⚠️ CRITICAL: All placeholders MUST be replaced with actual values. DO NOT leave them as placeholders.

Template

apiVersion: kubesphere.io/v1alpha1
kind: InstallPlan
metadata:
  name: whizard-auditing
spec:
  extension:
    name: whizard-auditing
    version: <VERSION>  # From Step 2
  enabled: true
  upgradeStrategy: Manual
  clusterScheduling:
    placement:
      clusters:
        - <TARGET_CLUSTERS>

Replace placeholders:

<VERSION>: From Step 2 (e.g., 1.4.0)
<TARGET_CLUSTERS>: User-confirmed cluster names

Note: OpenSearch sink configuration (endpoints, auth) is provided by the vector extension. Make sure vector is installed and configured with OpenSearch before installing auditing.

Enable Doris Sink

To enable Doris sink for audit storage:

apiVersion: kubesphere.io/v1alpha1
kind: InstallPlan
metadata:
  name: whizard-auditing
spec:
  extension:
    name: whizard-auditing
    version: <VERSION>  # From Step 2
  enabled: true
  upgradeStrategy: Manual
  config: |
    kube-auditing:
      sinks:
        opensearch:
          enabled: true
          index:
            prefix: "{{ .cluster }}-auditing"
            timestring: "%Y.%m.%d"
        doris:
          enabled: true
          fe: <DORIS_FE>
          be: <DORIS_BE>
          table:
            partitionUnit: DAY
            retentionPartition: 7
            replicationNum: 2
  clusterScheduling:
    placement:
      clusters:
        - <TARGET_CLUSTERS>

Enable ISM Policy

apiVersion: kubesphere.io/v1alpha1
kind: InstallPlan
metadata:
  name: whizard-auditing
spec:
  extension:
    name: whizard-auditing
    version: <VERSION>  # From Step 2
  enabled: true
  upgradeStrategy: Manual
  config: |
    kube-auditing:
      sinks:
        opensearch:
          enabled: true
          index:
            prefix: "{{ .cluster }}-auditing"
            timestring: "%Y.%m.%d"
      ism_policy:
        enable: true
        min_index_age: "7d"
  clusterScheduling:
    placement:
      clusters:
        - <TARGET_CLUSTERS>

Configuration Parameters

OpenSearch Sink Parameters

Parameter	Type	Default	Description
`kube-auditing.sinks.opensearch.enabled`	bool	true	Enable OpenSearch sink
`kube-auditing.sinks.opensearch.index.prefix`	string	"{{ .cluster }}-auditing"	Index prefix
`kube-auditing.sinks.opensearch.index.timestring`	string	"%Y.%m.%d"	Index time format

Doris Sink Parameters

Parameter	Type	Default	Description
`kube-auditing.sinks.doris.enabled`	bool	false	Enable Doris sink
`kube-auditing.sinks.doris.fe`	string	""	Doris Frontend address
`kube-auditing.sinks.doris.be`	string	""	Doris Backend address
`kube-auditing.sinks.doris.table.partitionUnit`	string	DAY	Partition unit
`kube-auditing.sinks.doris.table.retentionPartition`	int	7	Retention partition
`kube-auditing.sinks.doris.table.replicationNum`	int	2	Replication number

ISM Policy Parameters

Parameter	Type	Default	Description
`kube-auditing.ism_policy.enable`	bool	false	Enable Index State Management policy
`kube-auditing.ism_policy.min_index_age`	string	"7d"	Minimum index retention period

Audit Query API

Query Audit Events

curl -X GET "http://whizard-telemetry-apiserver.extension-whizard-telemetry.svc:80/kapis/logging.kubesphere.io/v1alpha2/auditing?operation=query&sort=desc&size=10&cluster=host" \
  -H "X-Remote-User: admin"

Query Parameters:

Parameter	Type	Default	Description
`operation`	string	query	Operation type: query/statistics/histogram/export
`workspace_filter`	string		Comma-separated list of workspaces
`workspace_search`	string		Fuzzy match workspace names
`objectref_namespace_filter`	string		Comma-separated list of namespaces (ObjectRef.Namespace)
`objectref_namespace_search`	string		Fuzzy match namespace names
`objectref_name_filter`	string		Comma-separated list of object names
`objectref_name_search`	string		Fuzzy match object names
`level_filter`	string		Audit level: Metadata/Request/RequestResponse
`verb_filter`	string		Comma-separated list of verbs (create, update, delete, etc.)
`user_filter`	string		Comma-separated list of users
`user_search`	string		Fuzzy match username
`group_search`	string		Fuzzy match user groups
`source_ip_search`	string		Fuzzy match source IPs
`objectref_resource_filter`	string		Comma-separated list of resources
`objectref_subresource_filter`	string		Comma-separated list of subresources
`response_code_filter`	string		Comma-separated list of response codes
`response_status_filter`	string		Comma-separated list of response statuses
`start_time`	string		Start time (seconds since epoch)
`end_time`	string		End time (seconds since epoch)
`interval`	string	15m	Time interval for histogram
`sort`	string	desc	Sort order: asc/desc
`from`	int	0	Offset
`size`	int	10	Number of results
`cluster`	string	host	Cluster name

Extension Operations

Check Extension Status

kubectl get installplan whizard-auditing
kubectl get extensionversions -l kubesphere.io/extension-ref=whizard-auditing

Uninstall Extension

Uninstall from all clusters:

kubectl delete installplan whizard-auditing

Uninstall from specific cluster:

To remove WizTelemetry Auditing from a specific cluster, update the InstallPlan by removing that cluster from clusterScheduling.placement.clusters:

apiVersion: kubesphere.io/v1alpha1
kind: InstallPlan
metadata:
  name: whizard-auditing
spec:
  extension:
    name: whizard-auditing
    version: <VERSION>
  enabled: true
  upgradeStrategy: Manual
  clusterScheduling:
    placement:
      clusters:
        - <REMAINING_CLUSTERS>  # Remove the cluster you want to uninstall from

name	whizard-auditing
description	Use when working with WizTelemetry Auditing extension for KubeSphere, including installation, configuration, and audit query API

whizard-auditing

More from this repository

More from this repository

WizTelemetry Auditing

Overview

When to Use

Components

Dependencies

Installation

Prerequisites

Step 1: Get Available Clusters and Confirm Target

Step 2: Get Latest Version (if not provided by user)

Install WizTelemetry Auditing

Template

Enable Doris Sink

Enable ISM Policy

Configuration Parameters

OpenSearch Sink Parameters

Doris Sink Parameters

ISM Policy Parameters

Audit Query API

Query Audit Events

Extension Operations

Check Extension Status

Uninstall Extension

WizTelemetry Auditing

Overview

When to Use

Components

Dependencies

Installation

Prerequisites

Step 1: Get Available Clusters and Confirm Target

Step 2: Get Latest Version (if not provided by user)

Install WizTelemetry Auditing

Template

Enable Doris Sink

Enable ISM Policy

Configuration Parameters

OpenSearch Sink Parameters

Doris Sink Parameters

ISM Policy Parameters

Audit Query API

Query Audit Events

Extension Operations

Check Extension Status

Uninstall Extension