Kubernetes has emerged as the de facto orchestrator of microservices, providing scalability and extensibility to a highly dynamic environment. It builds an intricate and deeply connected system that requires extensive monitoring capabilities to be properly managed. To this account, K8s natively offers audit logs, a powerful feature for tracking API interactions in the cluster. Audit logs provide a detailed and chronological record of all activities in the system. Unfortunately, K8s auditing suffers from several practical limitations: it generates large volumes of data continuously, as all components within the cluster interact and respond to user actions. Moreover, each action can trigger a cascade of secondary events dispersed across the log, with little to no explicit linkage, making it difficult to reconstruct the context behind user-initiated operations. In this paper, we introduce K8NTEXT, a novel approach for streamlining K8s audit logs by reconstructing contexts, i.e., grouping actions performed by actors on the cluster with the subsequent events these actions cause. Correlated API calls are automatically identified, labeled, and consistently grouped using a combination of inference rules and a Machine Learning model, largely simplifying data consumption. We evaluate K8NTEXT's performance, scalability, and expressiveness both in systematic tests and with a series of use cases. We show that it consistently provides accurate context reconstruction, even for complex operations involving 50, 100 or more correlated actions, achieving over 95 percent accuracy across the entire spectrum, from simple to highly composite actions.

翻译：Kubernetes已成为微服务编排的事实标准，为高度动态的环境提供可扩展性与可扩展性。它构建了一个复杂且深度互联的系统，需要全面的监控能力才能有效管理。为此，K8s原生提供了审计日志功能，这是追踪集群内API交互的强大工具。审计日志按时间顺序详细记录了系统中的所有活动。然而，K8s审计在实践中存在若干局限性：由于集群内所有组件持续交互并响应用户操作，审计日志会持续产生海量数据。此外，每个操作可能触发一系列分散在日志中的次级事件，这些事件之间缺乏显式关联，导致难以重构用户发起操作背后的完整上下文。本文提出K8NTEXT——一种通过重构上下文来优化K8s审计日志的新方法，即将执行者对集群执行的操作及其引发的后续事件进行智能分组。该方法结合推理规则与机器学习模型，自动识别、标记并一致性关联API调用，极大简化了数据消费过程。我们通过系统测试和系列用例评估了K8NTEXT在性能、可扩展性和表达力方面的表现。实验表明，即使对于涉及50、100甚至更多关联操作的复杂场景，该方法仍能持续提供精确的上下文重构，在从简单到高度复合的操作范围内均达到95%以上的准确率。