raesene/k8s_audit

k8s_audit

We're looking at what can be spoofed or is otherwise unreliable in Kubernetes audit logs.

Information sources

Audit ID

The Audit ID can be specified by the client, so it's not reliable. The relevant GitHub issue is here.

curl -H 'Audit-ID: Lorem' http://127.0.0.1:8001/api/v1/pods/

This will result in the audit record having the AuditID Lorem.

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"Lorem","stage":"RequestReceived","requestURI":"/api/v1/pods/","verb":"list","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1","172.18.0.1"],"userAgent":"curl/7.81.0","objectRef":{"resource":"pods","apiVersion":"v1"},"requestReceivedTimestamp":"2023-10-01T09:25:13.742237Z","stageTimestamp":"2023-10-01T09:25:13.742237Z"}

Source IPs

You can add an X-Forwarded-For header to the request, and the audit log's sourceIPs field will include the supplied value.

curl -H 'Audit-ID: Lorem' -H 'X-Forwarded-For: 8.8.8.8' http://127.0.0.1:8001/api/v1/pods/

This will result in:

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"Lorem","stage":"ResponseComplete","requestURI":"/api/v1/pods/","verb":"list","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["8.8.8.8","127.0.0.1","172.18.0.1"],"userAgent":"curl/7.81.0","objectRef":{"resource":"pods","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-10-01T09:28:15.307641Z","stageTimestamp":"2023-10-01T09:28:15.313353Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}

You can also use an X-Real-IP header:

curl -H 'Audit-ID: Lorem' -H 'X-Forwarded-For: 8.8.8.8' -H 'X-Real-Ip: 1.1.1.1' http://127.0.0.1:8001/api/v1/pods/

which results in:

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"Lorem","stage":"ResponseComplete","requestURI":"/api/v1/pods/","verb":"list","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["8.8.8.8","127.0.0.1","1.1.1.1","172.18.0.1"],"userAgent":"curl/7.81.0","objectRef":{"resource":"pods","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-10-01T09:31:36.617125Z","stageTimestamp":"2023-10-01T09:31:36.620628Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
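The two sections above show that auditID and the leading sourceIPs entries are client-influenced. As an added example (not part of this repository), the following triage script reads audit events as JSON lines and flags the fields that cannot be trusted: an auditID that is not an apiserver-generated UUID, and a sourceIPs list longer than one entry, where only the last entry is the TCP peer the apiserver actually accepted the connection from. The sample events are constructed from the records quoted above, trimmed to the fields the check needs.

```python
import json
import re

# The apiserver generates a UUID when no Audit-ID header is present; any other
# value came from the client (or from a proxy that set the header).
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Constructed sample log: the first two lines are trimmed copies of the events
# shown above; the third is a hypothetical event with an apiserver-generated ID.
SAMPLE_LOG = """
{"auditID":"Lorem","stage":"RequestReceived","sourceIPs":["127.0.0.1","172.18.0.1"],"user":{"username":"kubernetes-admin"}}
{"auditID":"Lorem","stage":"ResponseComplete","sourceIPs":["8.8.8.8","127.0.0.1","1.1.1.1","172.18.0.1"],"user":{"username":"kubernetes-admin"}}
{"auditID":"c3a4e8a0-1b2c-4d5e-8f90-123456789abc","stage":"ResponseComplete","sourceIPs":["172.18.0.1"],"user":{"username":"kubernetes-admin"}}
"""


def check_event(event):
    """Return a list of reasons why this event's provenance fields are untrustworthy."""
    findings = []
    audit_id = event.get("auditID", "")
    if not UUID_RE.match(audit_id):
        findings.append(f"client-supplied auditID {audit_id!r}")
    ips = event.get("sourceIPs", [])
    # X-Forwarded-For / X-Real-Ip values are prepended to the real peer address.
    # Legitimate proxies (kubectl proxy added 127.0.0.1 above) do this too, so
    # treat it as a triage signal: the trustworthy entry is the last one.
    if len(ips) > 1:
        findings.append(f"header-supplied IPs {ips[:-1]} (peer was {ips[-1]})")
    return findings


def scan(log_text):
    """Check every event in a JSON-lines audit log; one findings list per event."""
    return [check_event(json.loads(line)) for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for event_findings in scan(SAMPLE_LOG):
        print("; ".join(event_findings) or "no provenance concerns")
```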

User & Group

This isn't directly unreliable in the sense that it can be spoofed with headers. However, the audit log does not record the source of the authenticating credential or any unique fingerprint of it, so if multiple credentials share the same username it's not possible to tell which one was used.
