{"id":"44311560-afe1-487e-a711-317d98e1c1a6","shortId":"sdXdNA","kind":"skill","title":"whizard-auditing","tagline":"Use when working with WizTelemetry Auditing extension for KubeSphere, including installation, configuration, and audit query API","description":"# WizTelemetry Auditing\n\n## Overview\n\nWizTelemetry Auditing is an extension component in the KubeSphere Observability Platform for Kubernetes and KubeSphere audit event collection, processing, and storage.\n\n## When to Use\n\n- Installing or configuring the WizTelemetry Auditing extension\n- Understanding audit event collection architecture\n- Using the audit query API to query audit events\n\n## Components\n\n| Component | Description | Default Enabled |\n|-----------|-------------|-----------------|\n| kube-auditing | Kubernetes audit event collection and export | true |\n\n## Dependencies\n\n- **WizTelemetry Platform Service** (whizard-telemetry): Required\n- **WizTelemetry Data Pipeline** (vector): Required\n\n## Installation\n\n### Prerequisites\n\n**REQUIRED: Complete all steps in order before generating InstallPlan.**\n\n#### Step 1: Get Available Clusters and Confirm Target\n\n**⚠️ CRITICAL: DO NOT proceed until target clusters are determined.**\n\n**Step 1.1: Get available clusters**\n\n```bash\nkubectl get clusters -o jsonpath='{.items[*].metadata.name}'\n```\n\n**Step 1.2: Determine target clusters**\n\n- If user **explicitly specified** target clusters in the request → Use those clusters directly, proceed to Step 2\n- If user **did NOT specify** target clusters → Ask user to confirm which clusters to deploy to, then proceed to Step 2\n\n**Ask user (if not specified):**\n```\nAvailable clusters: host, dev\nWhich clusters do you want to deploy WizTelemetry Auditing to?\n```\n\n#### Step 2: Get Latest Version (if not provided by user)\n\n**MUST do this to get the latest version:**\n\n```bash\nkubectl get extensionversions -l kubesphere.io/extension-ref=whizard-auditing -o jsonpath='{range .items[*]}{.spec.version}{\"\\n\"}{end}' | sort -V | tail -1\n```\n\nThis outputs the latest version (e.g., `1.4.0`). Note this down - you'll use it in the InstallPlan.\n\n### Install WizTelemetry Auditing\n\n**⚠️ IMPORTANT: Complete prerequisite steps BEFORE this step.**\n\nBased on your selections:\n- **Target clusters**: User-confirmed cluster names\n\n**⚠️ CRITICAL: InstallPlan `metadata.name` MUST be `whizard-auditing`. DO NOT use any other name.**\n\n**⚠️ CRITICAL: `config` field is YAML format. You MUST:**\n- Use the config structure exactly as shown in the template\n- **DO NOT** add configuration fields that are not shown in the template\n- **DO NOT** modify the structure or hierarchy\n\n**⚠️ CRITICAL: All placeholders MUST be replaced with actual values. DO NOT leave them as placeholders.**\n\n#### Template\n\n```yaml\napiVersion: kubesphere.io/v1alpha1\nkind: InstallPlan\nmetadata:\n  name: whizard-auditing\nspec:\n  extension:\n    name: whizard-auditing\n    version: <VERSION>  # From Step 2\n  enabled: true\n  upgradeStrategy: Manual\n  clusterScheduling:\n    placement:\n      clusters:\n        - <TARGET_CLUSTERS>\n```\n\n**Replace placeholders:**\n- `<VERSION>`: From Step 2 (e.g., `1.4.0`)\n- `<TARGET_CLUSTERS>`: User-confirmed cluster names\n\n**Note:** OpenSearch sink configuration (endpoints, auth) is provided by the **vector** extension. Make sure vector is installed and configured with OpenSearch before installing auditing.\n\n#### Enable Doris Sink\n\nTo enable Doris sink for audit storage:\n\n```yaml\napiVersion: kubesphere.io/v1alpha1\nkind: InstallPlan\nmetadata:\n  name: whizard-auditing\nspec:\n  extension:\n    name: whizard-auditing\n    version: <VERSION>  # From Step 2\n  enabled: true\n  upgradeStrategy: Manual\n  config: |\n    kube-auditing:\n      sinks:\n        opensearch:\n          enabled: true\n          index:\n            prefix: \"{{ .cluster }}-auditing\"\n            timestring: \"%Y.%m.%d\"\n        doris:\n          enabled: true\n          fe: <DORIS_FE>\n          be: <DORIS_BE>\n          table:\n            partitionUnit: DAY\n            retentionPartition: 7\n            replicationNum: 2\n  clusterScheduling:\n    placement:\n      clusters:\n        - <TARGET_CLUSTERS>\n```\n\n#### Enable ISM Policy\n\n```yaml\napiVersion: kubesphere.io/v1alpha1\nkind: InstallPlan\nmetadata:\n  name: whizard-auditing\nspec:\n  extension:\n    name: whizard-auditing\n    version: <VERSION>  # From Step 2\n  enabled: true\n  upgradeStrategy: Manual\n  config: |\n    kube-auditing:\n      sinks:\n        opensearch:\n          enabled: true\n          index:\n            prefix: \"{{ .cluster }}-auditing\"\n            timestring: \"%Y.%m.%d\"\n      ism_policy:\n        enable: true\n        min_index_age: \"7d\"\n  clusterScheduling:\n    placement:\n      clusters:\n        - <TARGET_CLUSTERS>\n```\n\n## Configuration Parameters\n\n### OpenSearch Sink Parameters\n\n| Parameter | Type | Default | Description |\n|-----------|------|---------|-------------|\n| `kube-auditing.sinks.opensearch.enabled` | bool | true | Enable OpenSearch sink |\n| `kube-auditing.sinks.opensearch.index.prefix` | string | \"{{ .cluster }}-auditing\" | Index prefix |\n| `kube-auditing.sinks.opensearch.index.timestring` | string | \"%Y.%m.%d\" | Index time format |\n\n### Doris Sink Parameters\n\n| Parameter | Type | Default | Description |\n|-----------|------|---------|-------------|\n| `kube-auditing.sinks.doris.enabled` | bool | false | Enable Doris sink |\n| `kube-auditing.sinks.doris.fe` | string | \"\" | Doris Frontend address |\n| `kube-auditing.sinks.doris.be` | string | \"\" | Doris Backend address |\n| `kube-auditing.sinks.doris.table.partitionUnit` | string | DAY | Partition unit |\n| `kube-auditing.sinks.doris.table.retentionPartition` | int | 7 | Retention partition |\n| `kube-auditing.sinks.doris.table.replicationNum` | int | 2 | Replication number |\n\n### ISM Policy Parameters\n\n| Parameter | Type | Default | Description |\n|-----------|------|---------|-------------|\n| `kube-auditing.ism_policy.enable` | bool | false | Enable Index State Management policy |\n| `kube-auditing.ism_policy.min_index_age` | string | \"7d\" | Minimum index retention period |\n\n## Audit Query API\n\n### Query Audit Events\n\n```bash\ncurl -X GET \"http://whizard-telemetry-apiserver.extension-whizard-telemetry.svc:80/kapis/logging.kubesphere.io/v1alpha2/auditing?operation=query&sort=desc&size=10&cluster=host\" \\\n  -H \"X-Remote-User: admin\"\n```\n\n**Query Parameters:**\n\n| Parameter | Type | Default | Description |\n|-----------|------|---------|-------------|\n| `operation` | string | query | Operation type: query/statistics/histogram/export |\n| `workspace_filter` | string | | Comma-separated list of workspaces |\n| `workspace_search` | string | | Fuzzy match workspace names |\n| `objectref_namespace_filter` | string | | Comma-separated list of namespaces (ObjectRef.Namespace) |\n| `objectref_namespace_search` | string | | Fuzzy match namespace names |\n| `objectref_name_filter` | string | | Comma-separated list of object names |\n| `objectref_name_search` | string | | Fuzzy match object names |\n| `level_filter` | string | | Audit level: Metadata/Request/RequestResponse |\n| `verb_filter` | string | | Comma-separated list of verbs (create, update, delete, etc.) |\n| `user_filter` | string | | Comma-separated list of users |\n| `user_search` | string | | Fuzzy match username |\n| `group_search` | string | | Fuzzy match user groups |\n| `source_ip_search` | string | | Fuzzy match source IPs |\n| `objectref_resource_filter` | string | | Comma-separated list of resources |\n| `objectref_subresource_filter` | string | | Comma-separated list of subresources |\n| `response_code_filter` | string | | Comma-separated list of response codes |\n| `response_status_filter` | string | | Comma-separated list of response statuses |\n| `start_time` | string | | Start time (seconds since epoch) |\n| `end_time` | string | | End time (seconds since epoch) |\n| `interval` | string | 15m | Time interval for histogram |\n| `sort` | string | desc | Sort order: asc/desc |\n| `from` | int | 0 | Offset |\n| `size` | int | 10 | Number of results |\n| `cluster` | string | host | Cluster name |\n\n## Extension Operations\n\n### Check Extension Status\n\n```bash\nkubectl get installplan whizard-auditing\nkubectl get extensionversions -l kubesphere.io/extension-ref=whizard-auditing\n```\n\n### Uninstall Extension\n\n**Uninstall from all clusters:**\n\n```bash\nkubectl delete installplan whizard-auditing\n```\n\n**Uninstall from specific cluster:**\n\nTo remove WizTelemetry Auditing from a specific cluster, update the InstallPlan by removing that cluster from `clusterScheduling.placement.clusters`:\n\n```yaml\napiVersion: kubesphere.io/v1alpha1\nkind: InstallPlan\nmetadata:\n  name: whizard-auditing\nspec:\n  extension:\n    name: whizard-auditing\n    version: <VERSION>\n  enabled: true\n  upgradeStrategy: Manual\n  clusterScheduling:\n    placement:\n      clusters:\n        - <REMAINING_CLUSTERS>  # Remove the cluster you want to uninstall from\n```","tags":["whizard","auditing","kubesphere","agent-skills","cloud-native","cncf","devops","ebpf","hacktoberfest","kubernetes","llm","multi-cluster"],"capabilities":["skill","source-kubesphere","skill-whizard-auditing","topic-agent-skills","topic-cloud-native","topic-cncf","topic-devops","topic-ebpf","topic-hacktoberfest","topic-kubernetes","topic-kubesphere","topic-llm","topic-multi-cluster","topic-multi-tenancy","topic-observability"],"categories":["kubesphere"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/kubesphere/kubesphere/whizard-auditing","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add kubesphere/kubesphere","source_repo":"https://github.com/kubesphere/kubesphere","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 16920 github stars · SKILL.md body (8,603 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-03T00:52:31.041Z","embedding":null,"createdAt":"2026-04-18T21:53:20.077Z","updatedAt":"2026-05-03T00:52:31.041Z","lastSeenAt":"2026-05-03T00:52:31.041Z","tsv":"'-1':235 '/extension-ref=whizard-auditing':224,858 '/kapis/logging.kubesphere.io/v1alpha2/auditing?operation=query&sort=desc&size=10&cluster=host':632 '/v1alpha1':345,420,480,897 '0':827 '1':108 '1.1':125 '1.2':138 '1.4.0':242,376 '10':831 '15m':814 '2':158,179,200,362,374,437,469,497,593 '7':467,588 '7d':525,615 'actual':332 'add':308 'address':575,580 'admin':638 'age':524,613 'api':19,63,622 'apivers':342,417,477,894 'architectur':58 'asc/desc':824 'ask':166,180 'audit':3,9,17,21,24,38,52,55,61,66,75,77,197,255,281,352,358,405,414,427,433,445,453,487,493,505,513,547,620,624,708,851,871,879,904,910 'auth':387 'avail':110,127,185 'backend':579 'base':263 'bash':129,217,626,845,865 'bool':539,566,604 'check':842 'cluster':111,121,128,132,141,147,153,165,171,186,190,268,272,369,380,452,472,512,528,546,835,838,864,875,883,890,918,921 'clusterschedul':367,470,526,916 'clusterscheduling.placement.clusters':892 'code':775,784 'collect':40,57,79 'comma':655,672,691,715,728,759,769,779,790 'comma-separ':654,671,690,714,727,758,768,778,789 'complet':99,257 'compon':28,68,69 'config':289,298,442,502 'configur':15,49,309,385,400,529 'confirm':113,169,271,379 'creat':720 'critic':115,274,288,325 'curl':627 'd':457,517,554 'data':92 'day':465,583 'default':71,536,563,601,643 'delet':722,867 'depend':83 'deploy':173,195 'desc':821 'descript':70,537,564,602,644 'determin':123,139 'dev':188 'direct':154 'dori':407,411,458,558,569,573,578 'e.g':241,375 'enabl':72,363,406,410,438,448,459,473,498,508,520,541,568,606,912 'end':231,804,807 'endpoint':386 'epoch':803,811 'etc':723 'event':39,56,67,78,625 'exact':300 'explicit':144 'export':81 'extens':10,27,53,354,393,429,489,840,843,860,906 'extensionvers':220,854 'fals':567,605 'fe':461 'field':290,310 'filter':652,669,688,706,712,725,756,766,776,787 'format':293,557 'frontend':574 'fuzzi':663,682,701,736,742,750 'generat':105 'get':109,126,131,201,213,219,629,847,853 'group':739,745 'h':633 'hierarchi':324 'histogram':818 'host':187,837 'import':256 'includ':13 'index':450,510,523,548,555,607,612,617 'instal':14,47,96,253,398,404 'installplan':106,252,275,347,422,482,848,868,886,899 'int':587,592,826,830 'interv':812,816 'ip':747,753 'ism':474,518,596 'item':135,228 'jsonpath':134,226 'kind':346,421,481,898 'kube':74,444,504 'kube-audit':73,443,503 'kube-auditing.ism_policy.enable':603 'kube-auditing.ism_policy.min':611 'kube-auditing.sinks.doris.be':576 'kube-auditing.sinks.doris.enabled':565 'kube-auditing.sinks.doris.fe':571 'kube-auditing.sinks.doris.table.partitionunit':581 'kube-auditing.sinks.doris.table.replicationnum':591 'kube-auditing.sinks.doris.table.retentionpartition':586 'kube-auditing.sinks.opensearch.enabled':538 'kube-auditing.sinks.opensearch.index.prefix':544 'kube-auditing.sinks.opensearch.index.timestring':550 'kubectl':130,218,846,852,866 'kubernet':35,76 'kubespher':12,31,37 'kubesphere.io':223,344,419,479,857,896 'kubesphere.io/extension-ref=whizard-auditing':222,856 'kubesphere.io/v1alpha1':343,418,478,895 'l':221,855 'latest':202,215,239 'leav':336 'level':705,709 'list':657,674,693,717,730,761,771,781,792 'll':247 'm':456,516,553 'make':394 'manag':609 'manual':366,441,501,915 'match':664,683,702,737,743,751 'metadata':348,423,483,900 'metadata.name':136,276 'metadata/request/requestresponse':710 'min':522 'minimum':616 'modifi':320 'must':209,277,295,328 'n':230 'name':273,287,349,355,381,424,430,484,490,666,685,687,696,698,704,839,901,907 'namespac':668,676,679,684 'note':243,382 'number':595,832 'o':133,225 'object':695,703 'objectref':667,678,686,697,754,764 'objectref.namespace':677 'observ':32 'offset':828 'opensearch':383,402,447,507,531,542 'oper':645,648,841 'order':103,823 'output':237 'overview':22 'paramet':530,533,534,560,561,598,599,640,641 'partit':584,590 'partitionunit':464 'period':619 'pipelin':93 'placehold':327,339,371 'placement':368,471,527,917 'platform':33,85 'polici':475,519,597,610 'prefix':451,511,549 'prerequisit':97,258 'proceed':118,155,176 'process':41 'provid':206,389 'queri':18,62,65,621,623,639,647 'query/statistics/histogram/export':650 'rang':227 'remot':636 'remov':877,888,919 'replac':330,370 'replic':594 'replicationnum':468 'request':150 'requir':90,95,98 'resourc':755,763 'respons':774,783,785,794 'result':834 'retent':589,618 'retentionpartit':466 'search':661,680,699,734,740,748 'second':801,809 'select':266 'separ':656,673,692,716,729,760,770,780,791 'servic':86 'shown':302,314 'sinc':802,810 'sink':384,408,412,446,506,532,543,559,570 'size':829 'skill' 'skill-whizard-auditing' 'sort':232,819,822 'sourc':746,752 'source-kubesphere' 'spec':353,428,488,905 'spec.version':229 'specif':874,882 'specifi':145,163,184 'start':796,799 'state':608 'status':786,795,844 'step':101,107,124,137,157,178,199,259,262,361,373,436,496 'storag':43,415 'string':545,551,572,577,582,614,646,653,662,670,681,689,700,707,713,726,735,741,749,757,767,777,788,798,806,813,820,836 'structur':299,322 'subresourc':765,773 'sure':395 'tabl':463 'tail':234 'target':114,120,140,146,164,267 'telemetri':89 'templat':305,317,340 'time':556,797,800,805,808,815 'timestr':454,514 'topic-agent-skills' 'topic-cloud-native' 'topic-cncf' 'topic-devops' 'topic-ebpf' 'topic-hacktoberfest' 'topic-kubernetes' 'topic-kubesphere' 'topic-llm' 'topic-multi-cluster' 'topic-multi-tenancy' 'topic-observability' 'true':82,364,439,449,460,499,509,521,540,913 'type':535,562,600,642,649 'understand':54 'uninstal':859,861,872,925 'unit':585 'updat':721,884 'upgradestrategi':365,440,500,914 'use':4,46,59,151,248,284,296 'user':143,160,167,181,208,270,378,637,724,732,733,744 'user-confirm':269,377 'usernam':738 'v':233 'valu':333 'vector':94,392,396 'verb':711,719 'version':203,216,240,359,434,494,911 'want':193,923 'whizard':2,88,280,351,357,426,432,486,492,850,870,903,909 'whizard-audit':1,279,350,356,425,431,485,491,849,869,902,908 'whizard-telemetri':87 'whizard-telemetry-apiserver.extension-whizard-telemetry.svc:80':631 'whizard-telemetry-apiserver.extension-whizard-telemetry.svc:80/kapis/logging.kubesphere.io/v1alpha2/auditing?operation=query&sort=desc&size=10&cluster=host':630 'wiztelemetri':8,20,23,51,84,91,196,254,878 'work':6 'workspac':651,659,660,665 'x':628,635 'x-remote-us':634 'y':455,515,552 'yaml':292,341,416,476,893","prices":[{"id":"261c608a-1f1f-484b-bc98-0faf9a0732cd","listingId":"44311560-afe1-487e-a711-317d98e1c1a6","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"kubesphere","category":"kubesphere","install_from":"skills.sh"},"createdAt":"2026-04-18T21:53:20.077Z"}],"sources":[{"listingId":"44311560-afe1-487e-a711-317d98e1c1a6","source":"github","sourceId":"kubesphere/kubesphere/whizard-auditing","sourceUrl":"https://github.com/kubesphere/kubesphere/tree/master/skills/whizard-auditing","isPrimary":false,"firstSeenAt":"2026-04-18T21:53:20.077Z","lastSeenAt":"2026-05-03T00:52:31.041Z"}],"details":{"listingId":"44311560-afe1-487e-a711-317d98e1c1a6","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"kubesphere","slug":"whizard-auditing","github":{"repo":"kubesphere/kubesphere","stars":16920,"topics":["agent-skills","ai","cloud-native","cncf","devops","ebpf","hacktoberfest","kubernetes","kubesphere","llm","multi-cluster","multi-tenancy","observability","servicemesh","skills","skills-sh","skillsmp"],"license":"other","html_url":"https://github.com/kubesphere/kubesphere","pushed_at":"2026-04-27T06:10:27Z","description":"The container platform tailored for Kubernetes multi-cloud, datacenter, and edge management ⎈ 🖥 ☁️","skill_md_sha":"39e2efebbd79c4dfe492ad7c983f99dcdd484500","skill_md_path":"skills/whizard-auditing/SKILL.md","default_branch":"master","skill_tree_url":"https://github.com/kubesphere/kubesphere/tree/master/skills/whizard-auditing"},"layout":"multi","source":"github","category":"kubesphere","frontmatter":{"name":"whizard-auditing","description":"Use when working with WizTelemetry Auditing extension for KubeSphere, including installation, configuration, and audit query API"},"skills_sh_url":"https://skills.sh/kubesphere/kubesphere/whizard-auditing"},"updatedAt":"2026-05-03T00:52:31.041Z"}}