security-profiles-operator
#2857: Add Request UID to JSON log enricher to correlate container and API Server Audit log
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR addresses an issue with the JSON Log Enricher: the inability to correlate logs generated from kubectl exec sessions with the API Server audit logs. This information is required to find the end user who executed a command on the pod/container.
Problem
Kubernetes, by default, does not pass user authentication details and request details (request UID) from the API server into the container's environment when a user runs kubectl exec. This means JSON logs for exec sessions lack context about who initiated the command. When there are multiple users doing kubectl exec requests and the audit log for the API Server is enabled, it's not possible to correlate the server-side audit log and the container audit log.
Solution
This PR introduces a mutating admission webhook designed to inject the request ID directly into the environment variables of containers targeted by kubectl exec requests. Sufficient checks are placed to ensure that the user cannot override them. The request ID is also added as an audit annotation of the API server audit log.
How it Works
When a user initiates a kubectl exec command, the request is intercepted by the new mutating webhook (execmetadata.spo.io).
The webhook adds an environment variable (EXEC_REQUEST_UID) to the exec command. This environment variable is then available to the process running inside the container (e.g., JSON Log Enricher), accessible via /proc/pid/environ.
The JSON Log Enricher is updated to read and incorporate this injected request ID into the log lines.
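The enricher side of the flow above, as an added example that is not the project's own code: it parses the NUL-separated contents of /proc/<pid>/environ, pulls out EXEC_REQUEST_UID, and attaches it to a JSON log record only when the variable is present (processes not started through an exec session get an unchanged record). The sample environ bytes and the "requestUID" field name are assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// ExecRequestUIDEnv is the variable name the PR's webhook injects.
const ExecRequestUIDEnv = "EXEC_REQUEST_UID"

// parseEnviron splits NUL-separated /proc/<pid>/environ data into a map.
func parseEnviron(raw []byte) map[string]string {
	env := make(map[string]string)
	for _, entry := range bytes.Split(raw, []byte{0}) {
		if k, v, ok := strings.Cut(string(entry), "="); ok && k != "" {
			env[k] = v
		}
	}
	return env
}

// execRequestUID returns the injected UID, or "" for non-exec processes.
func execRequestUID(raw []byte) string {
	return parseEnviron(raw)[ExecRequestUIDEnv]
}

// readProcEnviron reads a live process environ (needs node-level privileges).
func readProcEnviron(pid int) ([]byte, error) {
	return os.ReadFile(fmt.Sprintf("/proc/%d/environ", pid))
}

// enrichLogLine adds the UID under "requestUID" (hypothetical field name)
// only when present, so records for other processes keep their shape.
func enrichLogLine(record map[string]any, environ []byte) ([]byte, error) {
	if uid := execRequestUID(environ); uid != "" {
		record["requestUID"] = uid
	}
	return json.Marshal(record)
}

func main() {
	// Constructed sample of /proc/<pid>/environ; the UID value is made up.
	sample := []byte("PATH=/usr/bin\x00EXEC_REQUEST_UID=c2f7a1e0-example-uid\x00HOME=/root\x00")
	line, _ := enrichLogLine(map[string]any{"pid": 4242, "executable": "/bin/sh"}, sample)
	fmt.Println(string(line))
}
```

The emitted requestUID can then be matched against the API server audit event that carries the same UID, which is the correlation the PR sets out to enable.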
Which issue(s) this PR fixes:
Fixes #2857
Does this PR have tests?
Yes. Added e2e and unit tests.
Special notes for your reviewer:
The initial PR was raised to inject the user information. Since there are concerns about PII, now only the request UID is injected. Also made the webhook optional. @haircommander / @ccojocar Sorry for the change in the title. It was required to provide clarity on the exact change.
Does this PR introduce a user-facing change?
Add Request UID to JSON log enricher to correlate container and API Server Audit log