AKS Control Plane Logs
Ingesting AKS Control Plane Logs with KubeSense
KubeSense supports ingesting AKS (Azure Kubernetes Service) control plane logs to provide comprehensive observability into cluster management, API server activities, and control plane operations.
Prerequisites
Before you begin, ensure you have:
- AKS cluster running
- Azure Monitor Diagnostic Settings enabled
- Event Hub or Log Analytics Workspace configured
- KubeSense aggregator deployed and accessible
- Appropriate Azure permissions to configure diagnostic settings
Architecture
AKS control plane logs flow through the following path:
AKS Control Plane → Diagnostic Settings → Event Hub/Log Analytics → KubeSense Aggregator
Step 1: Enable AKS Control Plane Logging
Enable diagnostic settings on your AKS cluster to send control plane logs to Event Hub or Log Analytics.
Using Azure CLI
```bash
# Get AKS cluster resource ID
AKS_CLUSTER_ID=$(az aks show \
  --resource-group kubesense-rg \
  --name my-aks-cluster \
  --query id -o tsv)

# Get the authorization rule ID. RootManageSharedAccessKey is a namespace-level
# rule, so it is looked up on the namespace rather than on the event hub.
EVENT_HUB_ID=$(az eventhubs namespace authorization-rule show \
  --resource-group kubesense-rg \
  --namespace-name kubesense-logs-namespace \
  --name RootManageSharedAccessKey \
  --query id -o tsv)

# Create diagnostic setting for control plane logs
az monitor diagnostic-settings create \
  --name aks-control-plane-logs \
  --resource "$AKS_CLUSTER_ID" \
  --event-hub aks-control-plane-logs \
  --event-hub-rule "$EVENT_HUB_ID" \
  --logs '[{"category":"kube-apiserver","enabled":true},{"category":"kube-audit","enabled":true},{"category":"kube-controller-manager","enabled":true},{"category":"kube-scheduler","enabled":true},{"category":"cluster-autoscaler","enabled":true}]'
```
Using Azure Portal
- Go to Azure Portal
- Navigate to your AKS cluster
- Click Diagnostic settings in the left menu
- Click + Add diagnostic setting
- Configure:
  - Name: aks-control-plane-logs
  - Destination: Select Stream to an event hub or Send to Log Analytics workspace
  - Logs: Enable the following categories:
    - kube-apiserver
    - kube-audit
    - kube-controller-manager
    - kube-scheduler
    - cluster-autoscaler
- Click Save
Step 2: Create Event Hub with Kafka Protocol (if using Event Hub)
If using Event Hub as the destination, ensure the Kafka protocol is enabled on the namespace. The namespace and Event Hub created here are the ones the Step 1 diagnostic setting references, so they must exist before that command is run:
```bash
# Create Event Hub namespace with Kafka enabled
az eventhubs namespace create \
  --resource-group kubesense-rg \
  --name kubesense-logs-namespace \
  --location eastus \
  --sku Standard \
  --enable-kafka true

# Create Event Hub for AKS control plane logs
az eventhubs eventhub create \
  --resource-group kubesense-rg \
  --namespace-name kubesense-logs-namespace \
  --name aks-control-plane-logs \
  --message-retention 7 \
  --partition-count 4
```
Step 3: Configure KubeSense Aggregator
For Event Hub Destination
```yaml
aggregator:
  customSources:
    enabled: true
    sources:
      aks_control_plane_logs:
        type: kafka
        bootstrap_servers: "<NAMESPACE>.servicebus.windows.net:9093"
        topics:
          - aks-control-plane-logs
        group_id: aks-cp-consumer
        auth:
          sasl:
            mechanism: PLAIN
            username: "$ConnectionString"
            password: "<EVENT_HUB_CONNECTION_STRING>"
        tls:
          enabled: true
          verify_certificate: true
          verify_hostname: true
```
Note: Ensure the Event Hub namespace has Kafka protocol enabled (--enable-kafka true) when creating it.
For Log Analytics Destination
If using Log Analytics, export to Event Hub or Blob Storage first, then configure as described in Log Analytics or Blob Storage integrations.
Log Types and Use Cases
API Server Logs (kube-apiserver)
Monitor Kubernetes API activities:
- API requests: Track all API requests to the cluster
- Authentication: Monitor authentication events
- Authorization: Track authorization decisions
- Resource operations: Monitor create, update, delete operations
- Rate limiting: Identify rate limiting events
Audit Logs (kube-audit)
Comprehensive audit trail:
- User actions: Track all user-initiated actions
- Resource changes: Monitor all resource modifications
- Access patterns: Analyze access patterns and anomalies
- Compliance: Maintain compliance audit trails
- Security events: Identify security-related events
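A sketch of how security-related events can be picked out of the kube-audit stream once it reaches a consumer. This is an added example, not KubeSense code; it assumes the Azure Monitor envelope of a `records` array whose `properties.log` field carries the Kubernetes audit event as a JSON string, and the rule labels and sample users are made up.

```python
import json

RBAC = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}

def audit_events(message):
    """Yield Kubernetes audit events from one Event Hub message (assumed envelope)."""
    for record in json.loads(message).get("records", []):
        if record.get("category") != "kube-audit":
            continue
        try:
            event = json.loads(record["properties"]["log"])
        except (KeyError, TypeError, ValueError):
            continue  # truncated or non-JSON line: skip, do not crash the consumer
        if isinstance(event, dict):
            yield event

def classify(event):
    """Return the labels of the rules one audit event matches."""
    if event.get("stage") != "ResponseComplete":
        return []  # one finding per request, not one per audit stage
    ref = event.get("objectRef") or {}
    verb, res, sub = event.get("verb"), ref.get("resource"), ref.get("subresource")
    rules = {
        "denied": (event.get("responseStatus") or {}).get("code") in (401, 403),
        "secret-read": res == "secrets" and verb in ("get", "list", "watch"),
        "pod-exec": res == "pods" and sub in ("exec", "attach"),
        "rbac-change": res in RBAC and verb in ("create", "update", "patch", "delete"),
    }
    return [label for label, hit in rules.items() if hit]

def findings(message):
    """(username, labels) for every flagged audit event in the message."""
    hits = ((e, classify(e)) for e in audit_events(message))
    return [((e.get("user") or {}).get("username"), labels) for e, labels in hits if labels]

def _rec(user, verb, res, code, sub=None, stage="ResponseComplete"):
    event = {"stage": stage, "verb": verb, "user": {"username": user},
             "objectRef": {"resource": res, "subresource": sub},
             "responseStatus": {"code": code}}
    return {"category": "kube-audit", "properties": {"log": json.dumps(event)}}

# Constructed sample message (not real cluster output).
SAMPLE = json.dumps({"records": [
    _rec("dev@example.com", "list", "secrets", 403),
    _rec("ops@example.com", "create", "pods", 101, sub="exec"),
    _rec("ops@example.com", "create", "clusterrolebindings", 201),
    _rec("ops@example.com", "get", "secrets", 200, stage="RequestReceived"),
    {"category": "kube-audit", "properties": {"log": "E0101 not json"}},
]}).encode()
```

Calling `findings(SAMPLE)` flags the first three records; the `RequestReceived` duplicate and the non-JSON line are dropped.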
Controller Manager Logs (kube-controller-manager)
Controller operations:
- Replica set management: Monitor replica set scaling
- Deployment updates: Track deployment rollouts
- State management: Monitor desired vs actual state reconciliation
- Node management: Track node lifecycle events
Scheduler Logs (kube-scheduler)
Pod scheduling insights:
- Scheduling decisions: Understand why pods are scheduled to specific nodes
- Resource constraints: Identify resource constraints affecting scheduling
- Performance: Monitor scheduling performance
- Predicate failures: Track failed scheduling attempts
Cluster Autoscaler Logs (cluster-autoscaler)
Autoscaling operations:
- Scale-up events: Monitor when nodes are added
- Scale-down events: Monitor when nodes are removed
- Scaling decisions: Understand scaling decision logic
Configuration Examples
Multiple AKS Clusters
Configure control plane logs for multiple AKS clusters:
```yaml
aggregator:
  customSources:
    enabled: true
    sources:
      aks_prod_control_plane:
        type: kafka
        bootstrap_servers: "<NAMESPACE>.servicebus.windows.net:9093"
        topics:
          - aks-prod-control-plane
        group_id: aks-prod-consumer
        auth:
          sasl:
            mechanism: PLAIN
            username: "$ConnectionString"
            password: "<EVENT_HUB_CONNECTION_STRING>"
        tls:
          enabled: true
      aks_dev_control_plane:
        type: kafka
        bootstrap_servers: "<NAMESPACE>.servicebus.windows.net:9093"
        topics:
          - aks-dev-control-plane
        group_id: aks-dev-consumer
        auth:
          sasl:
            mechanism: PLAIN
            username: "$ConnectionString"
            password: "<EVENT_HUB_CONNECTION_STRING>"
        tls:
          enabled: true
```
Filtered Log Categories
Enable only specific log categories:
```bash
# Enable only API server and audit logs
az monitor diagnostic-settings create \
  --name aks-api-audit-logs \
  --resource "$AKS_CLUSTER_ID" \
  --event-hub aks-control-plane-logs \
  --event-hub-rule "$EVENT_HUB_ID" \
  --logs '[{"category":"kube-apiserver","enabled":true},{"category":"kube-audit","enabled":true}]'
```
Monitoring and Verification
- Check diagnostic settings: Verify diagnostic settings are enabled and active
- Monitor Event Hub: Verify logs are being published to Event Hub
- Verify aggregator connection: Check aggregator logs for Event Hub connection
- Check KubeSense dashboard: Verify logs appear with AKS metadata
- Review aggregator logs: Check for any ingestion errors
Troubleshooting
Logs Not Appearing
- Verify diagnostic settings: Check that diagnostic settings are enabled on the AKS cluster
- Check Event Hub: Verify events are being published to Event Hub
- Verify Kafka protocol: Ensure Event Hub namespace has Kafka protocol enabled (--enable-kafka true)
- Check bootstrap servers: Verify the bootstrap server address is correct (format: <namespace>.servicebus.windows.net:9093)
- Verify connection string: Ensure connection string is correct and has Event Hub data receiver permission
- Check topic name: Verify the topic name matches the Event Hub name
- Check log categories: Verify the log categories you need are enabled
- Review network connectivity: Ensure aggregator can reach Event Hub on port 9093
- Check aggregator logs: Review aggregator logs for Kafka connection or parsing errors
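The bootstrap server, connection string and topic checks above can be done offline before touching the aggregator. The following is an added example, not part of KubeSense; the function names, the rule name `aggregator-listen` and the key value are made up for illustration, and the connection string is assumed to follow the standard `Endpoint=...;SharedAccessKeyName=...;SharedAccessKey=...;EntityPath=...` layout.

```python
from urllib.parse import urlparse

REQUIRED = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey")

def parse_connection_string(conn):
    """Split 'Key=Value;...' into a dict; the key value itself may end in '='."""
    pairs = (p.split("=", 1) for p in conn.strip().split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def check_kafka_source(conn, bootstrap_servers, topic):
    """Return a list of problems; an empty list means the settings agree."""
    fields = parse_connection_string(conn)
    missing = [k for k in REQUIRED if not fields.get(k)]
    if missing:
        return ["connection string is missing " + ", ".join(missing)]
    problems = []
    host = (urlparse(fields["Endpoint"]).hostname or "").lower()
    if bootstrap_servers.strip().lower() != f"{host}:9093":
        problems.append(f"bootstrap_servers should be {host}:9093")
    entity = fields.get("EntityPath")  # present only on event-hub-level strings
    if entity and entity != topic:
        problems.append(f"EntityPath {entity} does not match topic {topic}")
    if fields["SharedAccessKeyName"] == "RootManageSharedAccessKey":
        problems.append("root key in use; a Listen-only rule is enough to consume")
    return problems

# Constructed sample values; the key and the rule name aggregator-listen are made up.
NAMESPACE = "kubesense-logs-namespace.servicebus.windows.net"
GOOD = (f"Endpoint=sb://{NAMESPACE}/;SharedAccessKeyName=aggregator-listen;"
        "SharedAccessKey=EXAMPLEKEYEXAMPLEKEY=;EntityPath=aks-control-plane-logs")
BAD = (f"Endpoint=sb://{NAMESPACE}/;SharedAccessKeyName=RootManageSharedAccessKey;"
       "SharedAccessKey=EXAMPLEKEYEXAMPLEKEY=;EntityPath=aks-prod-control-plane")

if __name__ == "__main__":
    print(check_kafka_source(GOOD, f"{NAMESPACE}:9093", "aks-control-plane-logs"))
    print(check_kafka_source(BAD, f"{NAMESPACE}:9092", "aks-control-plane-logs"))
```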
Missing Log Categories
- Verify AKS version: Some log categories may require specific AKS versions
- Check diagnostic settings: Ensure all needed categories are enabled
- Review AKS configuration: Some log categories may require specific AKS configurations
Performance Issues
- Increase partitions: Add more partitions to Event Hub for better throughput
- Scale aggregator: Increase aggregator resources if needed
- Filter logs: Enable only needed log categories to reduce volume
- Monitor consumer lag: Check for consumer lag in Event Hub metrics
Best Practices
- Enable all categories: Enable all control plane log categories for comprehensive observability
- Enable Kafka protocol: Ensure Event Hub namespace has Kafka protocol enabled during creation
- Use Event Hub for real-time: Use Event Hub with Kafka protocol for real-time log streaming
- Monitor costs: Control plane logs can generate significant costs
- Set retention: Configure appropriate retention periods
- Separate by cluster: Create separate Event Hubs (topics) for different clusters
- Use connection strings: Connection strings are required for SASL PLAIN authentication with Kafka
- Monitor quotas: Be aware of Event Hub throughput units and quotas
- Consumer groups: Use different consumer group IDs for different aggregator instances
Cost Considerations
- Diagnostic settings: No additional charge for diagnostic settings
- Event Hub: Charged per million events and storage
- Log Analytics: Charged per GB ingested (if using Log Analytics)
- Data transfer: Consider data transfer costs between Azure and KubeSense
- Control plane logs: Can be high volume, especially audit logs
Security Considerations
- Sensitive data: Control plane logs may contain sensitive information
- Access control: Ensure proper access control for diagnostic settings and Event Hub
- Encryption: Use encrypted Event Hub for sensitive logs
- Audit compliance: Maintain audit logs for compliance requirements
- Managed Identity: Use Managed Identity for secure authentication
Advanced Configuration
Custom Log Processing
Configure aggregator for custom log processing using transforms (configured separately):
```yaml
aggregator:
  customSources:
    enabled: true
    sources:
      aks_control_plane_logs:
        type: kafka
        bootstrap_servers: "<NAMESPACE>.servicebus.windows.net:9093"
        topics:
          - aks-control-plane-logs
        group_id: aks-cp-consumer
        auth:
          sasl:
            mechanism: PLAIN
            username: "$ConnectionString"
            password: "<EVENT_HUB_CONNECTION_STRING>"
        tls:
          enabled: true
```
Conclusion
AKS control plane logs integration provides comprehensive observability into cluster management, enabling better troubleshooting, security analysis, and compliance monitoring for your AKS clusters.