Skip to content

#2857: Add Request UID to JSON log enricher to correlate container and API Server Audit log #2878

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 20, 2025
Merged

#2857: Add Request UID to JSON log enricher to correlate container and API Server Audit log #2878

merged 1 commit into from
Jun 20, 2025

Conversation

ngopalak-redhat
Copy link
Contributor

@ngopalak-redhat ngopalak-redhat commented Jun 10, 2025
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR addresses an issue with JSON Log Enricher: the inability to correlate in logs generated from kubectl exec sessions with the API Server Audit Logs. This information is required to find the end-user who executed a command on the pod/container.

Problem
Kubernetes, by default, does not pass user authentication details and request details (request UID) from the API server into the container's environment when a user runs kubectl exec. This means JSON logs for exec sessions lack context about who initiated the command. When there are multiple users doing kubectl exec requests and the audit log for the API Server is enabled, its not possible to correlate the server side audit log and the container audit log.

Solution
This PR introduces a mutating admission webhook designed to inject the request ID directly into the environment variables of containers targeted by kubectl exec requests. Sufficient checks are placed to ensure that the user cannot override them. The request ID is also added as a Audit annotation of the API server audit log.

How it Works

When a user initiates an kubectl exec command, the request is intercepted by the new mutating webhook (execmetadata.spo.io).
The webhook adds environment variable (EXEC_REQUEST_UID) to the exec command. This environment variables is then available to the process running inside the container (e.g., JSON Log Enricher), accessible via /proc/pid/environ.
JSON Log Enricher is updated to read and incorporate this injected request ID into the log lines.

Which issue(s) this PR fixes:

Fixes #2857

Does this PR have test?

Yes. Added e2e and unit tests

Special notes for your reviewer:

Initial PR was raised to inject the User information. Since there are concerns of PII now only the request UID is injected. Also made the webhook optional.
@haircommander / @ccojocar Sorry for the change in the title. It was required to provide clarity on exact change.

Does this PR introduce a user-facing change?

Add Request UID to JSON log enricher to correlate container and API Server Audit log

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jun 10, 2025
@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jun 10, 2025
@k8s-ci-robot
Copy link
Contributor

Hi @ngopalak-redhat. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Jun 10, 2025
@codecov-commenter
Copy link

codecov-commenter commented Jun 10, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 57.71812% with 126 lines in your changes missing coverage. Please review.

Project coverage is 24.72%. Comparing base (11d77f4) to head (5befed7).
Report is 881 commits behind head on main.

Additional details and impacted files 
@@             Coverage Diff             @@
##             main    #2878       +/-   ##
===========================================
- Coverage   45.50%   24.72%   -20.78%     
===========================================
  Files          79      120       +41     
  Lines        7782    20733    +12951     
===========================================
+ Hits         3541     5126     +1585     
- Misses       4099    15353    +11254     
- Partials      142      254      +112
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jun 10, 2025
@ngopalak-redhat ngopalak-redhat force-pushed the ngopalak/user_webhook_new branch 5 times, most recently from 699dafa to 09db057 Compare June 10, 2025 10:33
@ngopalak-redhat ngopalak-redhat changed the title Work In Progress : Created for running e2eTests - Draft #2857: Add end-user information to JSON log enricher Jun 10, 2025
@ngopalak-redhat ngopalak-redhat marked this pull request as ready for review June 10, 2025 10:34
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 10, 2025
@ngopalak-redhat
Copy link
Contributor Author

/assign @haircommander @ccojocar

@ngopalak-redhat ngopalak-redhat mentioned this pull request Jun 10, 2025
Closed
@ccojocar
Copy link
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 10, 2025
ccojocar
ccojocar reviewed Jun 10, 2025
View reviewed changes
Copy link
Contributor

@ccojocar ccojocar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In which context is this feature useful? Isn't the binary enough, and maybe container ID?

I am not sure if we should add an additional webhook into the deployment just to inject some additional user information into the logs.

haircommander
haircommander reviewed Jun 10, 2025
View reviewed changes
haircommander
haircommander reviewed Jun 10, 2025
View reviewed changes
@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jun 16, 2025
@ngopalak-redhat
Copy link
Contributor Author

Thanks for reworking this implementation. I just left a few minor comments. It would be nice if you could address them before we merge this.

Thanks for the review @ccojocar . I have addressed the comments.

@ngopalak-redhat ngopalak-redhat requested a review from ccojocar June 16, 2025 12:22
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 16, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ccojocar, ngopalak-redhat

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 16, 2025
haircommander
haircommander reviewed Jun 16, 2025
View reviewed changes
@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Jun 16, 2025
@ngopalak-redhat ngopalak-redhat force-pushed the ngopalak/user_webhook_new branch from 2d00080 to 68aca49 Compare June 16, 2025 14:57
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 17, 2025
@ngopalak-redhat ngopalak-redhat force-pushed the ngopalak/user_webhook_new branch from 68aca49 to 7d8db93 Compare June 17, 2025 15:32
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 17, 2025
@ccojocar
Copy link
Contributor

This needs a rebase. I am not sure if it is ready to be merged? Thanks

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 18, 2025
@ngopalak-redhat ngopalak-redhat force-pushed the ngopalak/user_webhook_new branch from 7d8db93 to 572057d Compare June 19, 2025 00:58
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 19, 2025
@ngopalak-redhat
Copy link
Contributor Author

This needs a rebase. I am not sure if it is ready to be merged? Thanks

Thanks @ccojocar I have done the rebase. I'm waiting for @haircommander to unhold to the merge.

@ccojocar
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 19, 2025
@haircommander
Copy link

I think you need a rebase @ngopalak-redhat but
/unhold

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 20, 2025
@ngopalak-redhat ngopalak-redhat force-pushed the ngopalak/user_webhook_new branch from 572057d to 5befed7 Compare June 20, 2025 17:17
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 20, 2025
@haircommander
Copy link

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 20, 2025
@k8s-ci-robot k8s-ci-robot merged commit a0d8d4a into kubernetes-sigs:main Jun 20, 2025
32 of 33 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ccojocar ccojocar ccojocar approved these changes

@Vincent056 Vincent056 Awaiting requested review from Vincent056

@haircommander haircommander Awaiting requested review from haircommander

Assignees

@ccojocar ccojocar

@haircommander haircommander

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add end user information to In-Pod Activity logs
5 participants
@ngopalak-redhat @k8s-ci-robot @codecov-commenter @ccojocar @haircommander