etcd maintenance operations auditing#
The etcd maintenance service audits every maintenance attempt, recording when it ran and whether it succeeded. Auditing cannot be disabled.
What the audit includes#
The etcd maintenance service writes one record per completed operation, capturing both successes and failures:
- One record is written each time a cluster defragmentation completes, whether it succeeds or fails.
- One record is written each time a Kubernetes event cleanup completes, whether it succeeds or fails. Dry-run cleanups are intentionally not audited.
Where the records are stored#
Audit records are written into the etcd cluster that is being maintained, as JSON values under append-only key prefixes:
- Defragmentation:
/mke4k/audit/defrag/ - Cleanup:
/mke4k/audit/cleanup/
Each record is stored under a unique key of the form
<prefix>/<timestamp>-<nodeID>-<uuid>, where <timestamp> is an RFC3339 value
and <uuid> is a randomly generated identifier. Thus, records accumulate as a
durable history rather than overwriting one another, and they are sorted
chronologically by key.
Record schema#
Each record is a JSON object with the following fields:
| Field | Type | Description |
|---|---|---|
timestamp |
string | The time at which the operation completed, in RFC3339 format and UTC. |
node_id |
string | The node associated with the operation. For defragmentation, this is the leader node that coordinated the operation; for cleanup, it is the node that ran it. |
outcome |
string | Either success or failure. |
error_detail |
string | The error message. Present only when outcome is failure. |
Example records:
// key: /mke4k/audit/defrag/2026-04-07T20:35:30Z-leader-1-<uuid>
{"timestamp":"2026-04-07T20:35:30Z","node_id":"leader-1","outcome":"success"}
// key: /mke4k/audit/cleanup/2026-04-07T20:36:30Z-node-a-<uuid>
{"timestamp":"2026-04-07T20:36:30Z","node_id":"node-a","outcome":"failure","error_detail":"cleanup failed"}
Read audit records#
No API or user interface exists for audit data. To read the records, use etcdctl to query
etcd directly from a controller node:
-
Connect to any controller node in the cluster with SSH:
ssh -i <path_to_ssh_key> user@<controller_node_ip> -
Query the audit prefixes.
Use
etcdctlwith the--prefixflag to retrieve all records under either prefix, supplying the endpoint and TLS credentials appropriate to your environment:etcdctl get /mke4k/audit/defrag/ --prefix etcdctl get /mke4k/audit/cleanup/ --prefix
Because keys sort chronologically, the results are returned in the order in which the operations ran.
Limitations#
Be aware of the following constraints when you rely on audit data:
- Retention is governed by etcd compaction, not by the maintenance service. The
service applies no pruning, time-to-live (TTL), or rotation of its own. To
preserve audit history, you must configure etcd with a sufficiently long
auto-compaction retention — for example, through
--auto-compact-retention. etcd cannot exclude specific key prefixes from compaction. - Because the records live inside the maintained etcd cluster, they are lost if etcd is reset or restored without the keys.
- Auditing is best-effort. A failed audit write logs a warning only and never causes the maintenance operation itself to fail.
- No audit record is written for dry-run cleanups.