
Audit-logs compatibility between k8s default logs and our audit-logs schema. #31

Open
chintansakhiya opened this issue Jan 17, 2025 · 0 comments
Labels
documentation Improvements or additions to documentation

chintansakhiya commented Jan 17, 2025

default k8s audit logs

{
"kind": "Event",
"apiVersion": "audit.k8s.io/v1",
"level": "Metadata",
"auditID": "02d3a5ac-3322-4a8e-b608-e492302244d1",
"stage": "ResponseComplete",
"requestURI": "/p-3/api/v1/namespaces/karpor/pods/karpor-syncer-587dbc5f94-n6qzm",
"verb": "delete",
"user": {
        "username": "[email protected]",
        "uid": "f4e597b8-98b2-4d59-8aee-53811b4db1b8",
        "groups": [
                "p-3:devops:karpor",
                "p-3:developer:uptime-kuma"
        ],
        "extra": {
                "authentication.kubernetes.io/credential-id": [
                        "JTI=b91ccabd-46c5-49f3-bc21-5554dd8d9fe4"
                ]
        }
},
"sourceIPs": [
        "127.0.0.1"
],
"userAgent": "k9s/v0.0.0 (linux/amd64) kubernetes/$Format",
"responseStatus": {
        "metadata": {},
        "code": 200
},
"requestReceivedTimestamp": "2025-01-15T13:07:53.378867Z",
"stageTimestamp": "2025-01-15T13:07:53.388951Z"
}

kube-oidc-proxy audit logs format

{
    "id": 1,
    "cluster_name": "p-3",
    "email": "[email protected]",
    "uid": "f4e597b8-98b2-4d59-8aee-53811b4db1b8",
    "groups": [
        "p-3:devops:karpor",
        "p-3:developer:uptime-kuma"
    ],
    "extra": {
        "authentication.kubernetes.io/credential-id": [
            "JTI=0b4607f7-024e-42ba-a217-b7e120980cc9"
        ]
    },
    "is_resource_request": true,
    "request_path": "/api/v1/namespaces/uptime-kuma/pods",
    "verb": "list",
    "api_prefix": "api",
    "api_group": "",
    "api_version": "v1",
    "namespace": "uptime-kuma",
    "resource": "pods",
    "sub_resource": "",
    "name": "",
    "parts": [
        "pods"
    ],
    "field_selector": "",
    "label_selector": "",
    "request_body": {},
    "created_at": "2025-01-09 10:20:28.317979"
}

Similarities

  1. User Information:

    • Kubernetes default logs use objects to store user details, whereas the proxy stores those details in separate fields.
    • Kubernetes default logs (user object) and kube-oidc-proxy logs (email, uid, and groups) both provide user-related details, including:
      • Email/User ID (username/email)
      • UID (uid)
      • Groups (groups)
      • Extra attributes (extra)
  2. Request Metadata:

    • Request URI/Path:
      • Kubernetes logs: requestURI
      • kube-oidc-proxy: request_path
    • Verb (Action):
      • Kubernetes logs: verb
      • kube-oidc-proxy: verb
    • Both formats capture whether the request is for a specific resource (is_resource_request in kube-oidc-proxy).
  3. Namespace & Resource:

    • Kubernetes includes this indirectly in requestURI.
    • kube-oidc-proxy explicitly separates these (namespace, resource, and sub_resource).
  4. Timestamps:

    • Kubernetes: requestReceivedTimestamp, stageTimestamp.
    • kube-oidc-proxy: No explicit timestamps, but they could be inferred from the log output system.

Differences

  1. Log Format Granularity:

    • Kubernetes logs are general and encapsulate the entire request and response lifecycle, including stage and responseStatus.
    • kube-oidc-proxy logs are more granular, focusing on API request parsing, such as api_prefix, api_group, api_version, and selectors (field_selector, label_selector).
  2. User Agent:

    • Kubernetes: Captured as userAgent.
    • kube-oidc-proxy: Missing.
  3. Response Details:

    • Kubernetes: responseStatus includes the HTTP response code (e.g., 200).
    • kube-oidc-proxy: Does not log response details, focusing solely on the request.
  4. Cluster Context:

    • Kubernetes: Does not log cluster_name.
    • kube-oidc-proxy: Includes cluster_name for multi-cluster environments.

Compatibility Considerations

  • Mapping Fields:

    • Most fields can be mapped directly:
      • username → email
      • uid → uid
      • groups → groups
      • requestURI → request_path
      • verb → verb
    • Additional parsing would be required for:
      • Extracting namespace, resource, and sub_resource from requestURI.
  • Missing Fields in proxy:

    • responseStatus
    • sourceIPs
    • userAgent
    • kind
    • level
    • stage
  • Response Data:

    • Kubernetes logs include responseStatus, while kube-oidc-proxy does not. If response tracking is required, kube-oidc-proxy logs would need enhancements.
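One way to do the direct field mapping and the requestURI parsing described above, written here as an added example rather than code from kube-oidc-proxy or from the issue author; the handling of a leading cluster segment ("/p-3/api/...") is an assumption drawn from the two sample records, and the path rules follow the apiserver's RequestInfo conventions:

```go
package main

import (
	"net/url"
	"strings"
)

// ProxyRecord holds the kube-oidc-proxy schema fields that a default k8s audit event can supply.
type ProxyRecord struct {
	ClusterName, Email, UID, Verb, RequestPath           string
	Groups, Parts                                        []string
	IsResourceRequest                                    bool
	APIPrefix, APIGroup, APIVersion, Namespace, Resource string
	SubResource, Name, FieldSelector, LabelSelector      string
}

// FromAuditEvent maps the user object, verb and requestURI of a k8s audit event onto the
// proxy schema. Assumption taken from the sample above: a leading path segment before
// "api"/"apis" (as in "/p-3/api/v1/...") is the cluster name and is stripped from request_path.
func FromAuditEvent(username, uid string, groups []string, verb, requestURI string) ProxyRecord {
	rec := ProxyRecord{Email: username, UID: uid, Groups: groups, Verb: verb}
	path, query, _ := strings.Cut(requestURI, "?")
	q, _ := url.ParseQuery(query) // selectors travel in the query string, not the path
	rec.FieldSelector, rec.LabelSelector = q.Get("fieldSelector"), q.Get("labelSelector")
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if len(parts) > 1 && (parts[1] == "api" || parts[1] == "apis") {
		rec.ClusterName, parts = parts[0], parts[1:]
	}
	rec.RequestPath = "/" + strings.Join(parts, "/")
	// Same rules as the apiserver's RequestInfo: /api/<ver>/... is the core group,
	// /apis/<group>/<ver>/... a named group; an optional namespaces/<ns> segment follows.
	switch {
	case len(parts) >= 2 && parts[0] == "api":
		rec.APIPrefix, rec.APIVersion, parts = "api", parts[1], parts[2:]
	case len(parts) >= 3 && parts[0] == "apis":
		rec.APIPrefix, rec.APIGroup, rec.APIVersion, parts = "apis", parts[1], parts[2], parts[3:]
	default:
		return rec // non-resource request such as /healthz or /version
	}
	if len(parts) > 2 && parts[0] == "namespaces" {
		rec.Namespace, parts = parts[1], parts[2:] // "/namespaces/<ns>" alone is a get on the namespace
	}
	if len(parts) == 0 {
		return rec // e.g. /api/v1 is discovery, not a resource request
	}
	rec.IsResourceRequest, rec.Parts = true, parts
	padded := append(parts[:len(parts):len(parts)], "", "") // copies, so rec.Parts stays exact
	rec.Resource, rec.Name, rec.SubResource = padded[0], padded[1], padded[2]
	return rec
}
```

Fields the proxy schema lacks (responseStatus, sourceIPs, userAgent, stage) are simply not carried over, which makes the loss listed under "Missing Fields in proxy" visible in the type.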
@Bhoomiz01 Bhoomiz01 changed the title audit-logs compatibility Audit-logs compatibility between k8s default logs and our audit-logs schema. Jan 17, 2025
@Bhoomiz01 Bhoomiz01 added the documentation Improvements or additions to documentation label Jan 17, 2025