We're looking at what can be spoofed or is unreliable in Kubernetes audit logs
The audit ID can be specified by the client (via the Audit-ID request header), so it's not reliable; there is a GitHub issue tracking this.
curl -H 'Audit-ID: Lorem' http://127.0.0.1:8001/api/v1/pods/
This will result in the audit record having the auditID Lorem:
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"Lorem","stage":"RequestReceived","requestURI":"/api/v1/pods/","verb":"list","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1","172.18.0.1"],"userAgent":"curl/7.81.0","objectRef":{"resource":"pods","apiVersion":"v1"},"requestReceivedTimestamp":"2023-10-01T09:25:13.742237Z","stageTimestamp":"2023-10-01T09:25:13.742237Z"}
You can add X-Forwarded-For headers to the request, and the audit log will include the supplied addresses in sourceIPs.
curl -H 'Audit-ID: Lorem' -H 'X-Forwarded-For: 8.8.8.8' http://127.0.0.1:8001/api/v1/pods/
This will result in
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"Lorem","stage":"ResponseComplete","requestURI":"/api/v1/pods/","verb":"list","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["8.8.8.8","127.0.0.1","172.18.0.1"],"userAgent":"curl/7.81.0","objectRef":{"resource":"pods","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-10-01T09:28:15.307641Z","stageTimestamp":"2023-10-01T09:28:15.313353Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
You can also use X-Real-IP headers:
curl -H 'Audit-ID: Lorem' -H 'X-Forwarded-For: 8.8.8.8' -H 'X-Real-Ip: 1.1.1.1' http://127.0.0.1:8001/api/v1/pods/
results in
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"Lorem","stage":"ResponseComplete","requestURI":"/api/v1/pods/","verb":"list","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["8.8.8.8","127.0.0.1","1.1.1.1","172.18.0.1"],"userAgent":"curl/7.81.0","objectRef":{"resource":"pods","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-10-01T09:31:36.617125Z","stageTimestamp":"2023-10-01T09:31:36.620628Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
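A defender reading these records wants to separate the header-controlled parts from the part the API server observed itself. In all three records above the addresses taken from X-Forwarded-For and X-Real-Ip come first and the address of the TCP peer the API server actually accepted the connection from (172.18.0.1 here) comes last, and the auditID is a free-form string whenever the client sent an Audit-ID header, while server-generated IDs are UUIDs. The triage script below is an added example written for this page, not code from the original post or from Kubernetes; it assumes that sourceIPs ordering, and its sample log is constructed from trimmed copies of the three records above plus one record with a server-generated ID. It flags events whose auditID is not UUID-shaped, events whose auditID was reused across distinct requests (the three "Lorem" requests above), and it reports the peer address separately from the header-supplied ones. Note that the entries before the peer address include anything a proxy in the path appended (the 127.0.0.1 entry here), so when a trusted proxy fronts the API server you would trust the entry that proxy added rather than the last one.

```python
"""Triage Kubernetes audit events whose client-controlled fields may be spoofed.

Added example for this page, not part of the original post or of Kubernetes.
Assumption (consistent with the three records shown on the page): `sourceIPs`
lists X-Forwarded-For entries, then X-Real-Ip, then the TCP peer address the
API server saw, so only the LAST entry is independent of request headers.
`auditID` is a free-form client string when an Audit-ID header was sent and a
UUID when the API server generated it.
"""
import json
import re
from collections import defaultdict

# Server-generated audit IDs are UUIDs; anything else was supplied by the client.
# A client may also send a UUID-shaped value, so this only catches obvious cases.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed sample log (JSON lines): the page's three records, trimmed, plus a
# fourth record with a server-generated ID and no proxy headers.
SAMPLE_LOG = "\n".join([
    json.dumps({"auditID": "Lorem", "stage": "RequestReceived", "verb": "list",
                "user": {"username": "kubernetes-admin"},
                "sourceIPs": ["127.0.0.1", "172.18.0.1"],
                "requestReceivedTimestamp": "2023-10-01T09:25:13.742237Z"}),
    json.dumps({"auditID": "Lorem", "stage": "ResponseComplete", "verb": "list",
                "user": {"username": "kubernetes-admin"},
                "sourceIPs": ["8.8.8.8", "127.0.0.1", "172.18.0.1"],
                "requestReceivedTimestamp": "2023-10-01T09:28:15.307641Z"}),
    json.dumps({"auditID": "Lorem", "stage": "ResponseComplete", "verb": "list",
                "user": {"username": "kubernetes-admin"},
                "sourceIPs": ["8.8.8.8", "127.0.0.1", "1.1.1.1", "172.18.0.1"],
                "requestReceivedTimestamp": "2023-10-01T09:31:36.617125Z"}),
    json.dumps({"auditID": "4b1c0d9e-7f3a-4c2b-9e8d-1a2b3c4d5e6f",
                "stage": "ResponseComplete", "verb": "get",
                "user": {"username": "kubernetes-admin"},
                "sourceIPs": ["172.18.0.1"],
                "requestReceivedTimestamp": "2023-10-01T09:40:00.000000Z"}),
])


def parse_events(log_text):
    """Parse a JSON-lines audit log, skipping blank or unparseable lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def peer_ip(event):
    """The one sourceIPs entry that request headers cannot influence.

    Returns None when the field is missing or empty.
    """
    ips = event.get("sourceIPs") or []
    return ips[-1] if ips else None


def header_supplied_ips(event):
    """Entries before the peer address came from X-Forwarded-For / X-Real-Ip,
    whether the client or an intermediate proxy set them."""
    ips = event.get("sourceIPs") or []
    return ips[:-1]


def client_supplied_audit_id(event):
    """True when auditID does not look like a server-generated UUID."""
    return not UUID_RE.match(event.get("auditID", ""))


def reused_audit_ids(events):
    """auditIDs that appear on more than one distinct request.

    One request legitimately emits several stages with the same auditID and the
    same requestReceivedTimestamp, so collapse on that timestamp first; the same
    ID across different timestamps means a client chose the value.
    """
    requests_by_id = defaultdict(set)
    for ev in events:
        requests_by_id[ev.get("auditID", "")].add(
            ev.get("requestReceivedTimestamp"))
    return {aid for aid, stamps in requests_by_id.items() if len(stamps) > 1}


def triage(log_text):
    """One finding per event with the spoof-relevant facts separated out."""
    events = parse_events(log_text)
    reused = reused_audit_ids(events)
    return [{
        "auditID": ev.get("auditID"),
        "user": ev.get("user", {}).get("username"),
        "peer_ip": peer_ip(ev),
        "header_ips": header_supplied_ips(ev),
        "client_audit_id": client_supplied_audit_id(ev),
        "audit_id_reused": ev.get("auditID") in reused,
    } for ev in events]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; correlating on peer_ip rather than on the first sourceIPs entry is the point, since the first entry is whatever the client typed into the header.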
This one can't be spoofed with headers, but the audit log does not record the source of the authenticating credential or any unique fingerprint of it, so if multiple credentials share the same username it's not possible to tell from the log which one was used.