This command can be used to retrieve pre-filtered logs from AWS:
aws logs filter-log-events \
--log-group-name /aws/eks/<cluster_name>/cluster \
--log-stream-name-prefix kube-apiserver-audit \
--start-time <time_since_epoch_in_ms> \
--filter-pattern '"v1beta1"' \
--region <region>
| #!/usr/bin/env python3 | |
| import collections | |
| import json | |
| import re | |
| import sys | |
| events = json.load(sys.stdin)["events"] | |
| log_entries = [json.loads(x["message"]) for x in events] | |
| counts = collections.Counter() | |
| for entry in log_entries: | |
| request = re.sub(r"\?.*$", "", entry["requestURI"]) | |
| if any( | |
| endpoint in request.lower() | |
| for endpoint in [ | |
| "/networkpolic", | |
| "/podsecuritypolic", | |
| "/daemonset", | |
| "/deployment", | |
| "/statefulset", | |
| "/replicaset", | |
| ] | |
| ): | |
| user = entry["user"]["username"] | |
| counts.update([(request, user)]) | |
| for (request, user), count in counts.most_common(): | |
| print("{:5} {:<70} {}".format(count, user, request)) |