Sharpening Kubernetes Audit Logs with Context Awareness

📅 2025-06-19
📈 Citations: 0
✨ Influential: 0
🤖 AI Summary
Kubernetes audit logs suffer from contextual incompleteness, event fragmentation, and noisy redundancy, hindering causal traceability of complex multi-step operations. To address this, we propose K8NTEXT, a novel framework that introduces a dynamic context correlation mechanism integrating deterministic inference rules with lightweight machine learning. K8NTEXT captures raw audit events via API server audit hooks, then applies temporal behavioral modeling and event graph construction to automatically identify, annotate, and cluster cascading API calls triggered by user actions, enabling semantically consistent end-to-end context reconstruction. Our approach supports traceability across >100 sequential steps; in multi-scenario evaluations, it achieves >95% context reconstruction accuracy while maintaining high-throughput, real-time processing capability. K8NTEXT significantly enhances security auditing, fault root-cause analysis, and regulatory compliance assessment in production Kubernetes environments.

πŸ“ Abstract
Kubernetes has emerged as the de facto orchestrator of microservices, providing scalability and extensibility to a highly dynamic environment. It builds an intricate and deeply connected system that requires extensive monitoring capabilities to be properly managed. To this account, K8s natively offers audit logs, a powerful feature for tracking API interactions in the cluster. Audit logs provide a detailed and chronological record of all activities in the system. Unfortunately, K8s auditing suffers from several practical limitations: it generates large volumes of data continuously, as all components within the cluster interact and respond to user actions. Moreover, each action can trigger a cascade of secondary events dispersed across the log, with little to no explicit linkage, making it difficult to reconstruct the context behind user-initiated operations. In this paper, we introduce K8NTEXT, a novel approach for streamlining K8s audit logs by reconstructing contexts, i.e., grouping actions performed by actors on the cluster with the subsequent events these actions cause. Correlated API calls are automatically identified, labeled, and consistently grouped using a combination of inference rules and a Machine Learning model, largely simplifying data consumption. We evaluate K8NTEXT's performance, scalability, and expressiveness both in systematic tests and with a series of use cases. We show that it consistently provides accurate context reconstruction, even for complex operations involving 50, 100 or more correlated actions, achieving over 95 percent accuracy across the entire spectrum, from simple to highly composite actions.
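To make the "cascade of secondary events" problem concrete, here is a small added illustration (not K8NTEXT's code, and not the paper's method) of one deterministic linking rule over constructed audit.k8s.io/v1 events: a request from a non-system user opens a context, and controller-issued requests are attached to it by following the ownerReferences in their response objects within an assumed 30-second window. Field names follow the real audit Event schema; the event data, the kind-to-resource map and the window are assumptions.

```python
from datetime import datetime, timedelta

def ev(aid, user, resource, name, ts, owner=None):
    """Trimmed audit.k8s.io/v1 Event; constructed sample data, not a real capture."""
    refs = [{"kind": owner[0], "name": owner[1]}] if owner else []
    return {"auditID": aid, "verb": "create", "user": {"username": user},
            "objectRef": {"resource": resource, "namespace": "shop", "name": name},
            "requestReceivedTimestamp": ts,
            "responseObject": {"metadata": {"ownerReferences": refs}}}

DC = "system:serviceaccount:kube-system:deployment-controller"
RC = "system:serviceaccount:kube-system:replicaset-controller"
# a1 cascades into one ReplicaSet and two Pods; a5's owner was never seen (noise); a6 is unrelated.
EVENTS = [
    ev("a1", "alice", "deployments", "web", "2025-06-19T10:00:00.000Z"),
    ev("a2", DC, "replicasets", "web-7d9f", "2025-06-19T10:00:00.150Z", ("Deployment", "web")),
    ev("a3", RC, "pods", "web-7d9f-x1", "2025-06-19T10:00:00.400Z", ("ReplicaSet", "web-7d9f")),
    ev("a4", RC, "pods", "web-7d9f-x2", "2025-06-19T10:00:00.410Z", ("ReplicaSet", "web-7d9f")),
    ev("a5", RC, "pods", "api-55c2-q9", "2025-06-19T10:00:01.000Z", ("ReplicaSet", "api-55c2")),
    ev("a6", "bob", "configmaps", "settings", "2025-06-19T10:00:02.000Z"),
]

KIND_TO_RESOURCE = {"Deployment": "deployments", "ReplicaSet": "replicasets"}  # assumed map
WINDOW = timedelta(seconds=30)  # assumed: a child arriving later than this is not linked

def reconstruct_contexts(events):
    """Group controller-generated events under the user request that caused them.
    Returns ({root auditID: [auditIDs in the context]}, [unlinked auditIDs])."""
    index, contexts, orphans = {}, {}, []  # index: object key -> (root id, root time)
    for e in sorted(events, key=lambda x: x["requestReceivedTimestamp"]):
        ref = e["objectRef"]
        key = (ref["resource"], ref["namespace"], ref["name"])
        ts = datetime.strptime(e["requestReceivedTimestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        if not e["user"]["username"].startswith("system:"):
            contexts[e["auditID"]] = [e["auditID"]]  # a human/external actor opens a context
            index[key] = (e["auditID"], ts)
            continue
        owners = e.get("responseObject", {}).get("metadata", {}).get("ownerReferences", [])
        root = None
        for o in owners:  # follow ownerReferences back to an already-indexed object
            okey = (KIND_TO_RESOURCE.get(o["kind"], o["kind"].lower() + "s"), ref["namespace"], o["name"])
            hit = index.get(okey)
            if hit and ts - hit[1] <= WINDOW:
                root = hit
                break
        if root is None:
            orphans.append(e["auditID"])  # no linkable parent: left for noise handling
        else:
            contexts[root[0]].append(e["auditID"])
            index[key] = root  # children of this object inherit the same context
    return contexts, orphans
```

Events the rule cannot link (here a5) are exactly the residue the paper's ML component is meant to handle; this rule alone only covers owner-chained creations.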
Problem

Research questions and friction points this paper is trying to address.

Addresses Kubernetes audit logs' excessive data volume issue
Solves lack of explicit linkage in log events
Improves context reconstruction for user-initiated operations
Innovation

Methods, ideas, or system contributions that make the work stand out.

Reconstructs K8s audit log contexts automatically
Uses inference rules and Machine Learning
Groups correlated API calls accurately
Matteo Franzil
Department of Information Engineering and Computer Science, University of Trento, Via Sommarive 9, Trento, 38123, Italy
Valentino Armani
Center for Cybersecurity, Fondazione Bruno Kessler, Via Sommarive 18, Trento, 38123, Italy
Luis Augusto Dias Knob
Center for Cybersecurity, Fondazione Bruno Kessler, Via Sommarive 18, Trento, 38123, Italy
Domenico Siracusa
Associate Professor, University of Trento