EKS Control Plane Logging Discipline
Control plane logs reveal cluster issues. This page covers the logs to enable, the cost trade-off, and what each catches.
Available logs
API server: every API call. High volume; high value.
Audit: who did what when. Required for compliance.
Authenticator: auth failures. Catches bad-actor activity.
Controller manager and Scheduler: lower-level cluster behaviour.
Cost trade-off
Each log type adds cost. API server is the most expensive at scale.
Production: enable all. Non-prod: API server and audit at minimum.
Retention
30 days hot. 1 year cold for compliance.
Query patterns dictate retention; tune by usage.
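
The production and non-production log sets and the 30-day hot retention above, written out with the AWS CLI as an added example (not part of the original page). The function names and the cluster name are placeholders, and the 1-year cold tier is not covered here.

```bash
#!/usr/bin/env bash
# Added example. Function names and the cluster name are illustrative.

# The five control plane log type identifiers used by the EKS API.
ALL_TYPES='"api","audit","authenticator","controllerManager","scheduler"'

# Print the --logging JSON for an environment.
#   prod    -> all five types enabled
#   nonprod -> api + audit enabled, the other three explicitly disabled
eks_logging_json() {
  case "$1" in
    prod)
      printf '{"clusterLogging":[{"types":[%s],"enabled":true}]}\n' "$ALL_TYPES" ;;
    nonprod)
      printf '{"clusterLogging":[{"types":["api","audit"],"enabled":true},{"types":["authenticator","controllerManager","scheduler"],"enabled":false}]}\n' ;;
    *)
      echo "unknown environment: $1" >&2
      return 2 ;;
  esac
}

# CloudWatch log group that EKS writes control plane logs to.
eks_log_group() { printf '/aws/eks/%s/cluster\n' "$1"; }

# Apply the log types and the 30-day hot retention to one cluster.
apply_logging() {
  local cluster="$1" env="$2" cfg
  cfg="$(eks_logging_json "$env")" || return
  aws eks update-cluster-config --name "$cluster" --logging "$cfg" || return
  # Without a retention policy the log group keeps events indefinitely,
  # so set it explicitly. The log group may not exist until the update
  # has finished; retry this step if it fails.
  aws logs put-retention-policy \
    --log-group-name "$(eks_log_group "$cluster")" \
    --retention-in-days 30
}

# Usage (hypothetical cluster name): apply_logging demo-cluster prod
```

Listing the disabled types explicitly in the non-prod case makes the requested state visible in the request itself, which helps when reviewing changes to logging coverage.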