The audit system should collect read access events for the Kubernetes audit log directory.
The following audit rule ensures that read accesses to the audit log directory are
collected:

-a always,exit -F dir=/var/log/kube-apiserver/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail

If the auditd daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the rule to a file with the suffix .rules in the
directory /etc/audit/rules.d.

If the auditd daemon is configured to use the auditctl utility to read audit rules during
daemon startup, add the rule to the /etc/audit/audit.rules file.
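An idempotent check-and-remediate script for the augenrules case, added here as an example and not part of the original rule text; the rules directory is a parameter so it can be exercised against a temporary directory, and the file name access-audit-trail.rules is an assumption.

```shell
#!/bin/sh
# Added example: ensure the Kubernetes audit-log read-access rule is present in
# an audit rules directory, without duplicating it on repeated runs.
# Assumption: augenrules is in use, so the real target is /etc/audit/rules.d.

AUDIT_DIR="/var/log/kube-apiserver/"
AUDIT_KEY="access-audit-trail"
AUDIT_RULE="-a always,exit -F dir=${AUDIT_DIR} -F perm=r -F auid>=1000 -F auid!=unset -F key=${AUDIT_KEY}"

# Return 0 if any *.rules file in $1 has a single line carrying the watched
# directory, perm=r and our key; 1 otherwise. Fixed-string grep avoids regex
# surprises from the slashes and '>=' in the rule.
audit_rule_present() {
    rules_dir="$1"
    for f in "$rules_dir"/*.rules; do
        [ -f "$f" ] || continue
        if grep -F -- "dir=${AUDIT_DIR}" "$f" \
            | grep -F -- "perm=r" \
            | grep -qF -- "key=${AUDIT_KEY}"; then
            return 0
        fi
    done
    return 1
}

# Append the rule to <rules_dir>/access-audit-trail.rules (assumed file name)
# only when no equivalent rule already exists, so re-running is harmless.
audit_rule_ensure() {
    rules_dir="$1"
    target="${rules_dir}/access-audit-trail.rules"
    if audit_rule_present "$rules_dir"; then
        return 0
    fi
    printf '%s\n' "$AUDIT_RULE" >> "$target"
    chmod 0640 "$target"   # rules files should not be world-readable
}

# Count how many lines across the directory carry our key (1 is the goal).
audit_rule_count() {
    cat "$1"/*.rules 2>/dev/null | grep -cF -- "key=${AUDIT_KEY}"
}

# On a real host (as root):
#   audit_rule_ensure /etc/audit/rules.d && augenrules --load
#   auditctl -l | grep access-audit-trail    # confirm the kernel loaded it
```

After loading, a read of a file under /var/log/kube-apiserver/ by a regular user shows up in ausearch -k access-audit-trail, which is the quickest way to confirm the rule is doing what the text expects.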