Document the credential ID field returned in audit logs
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign katcosgrove for approval. For more information see the Kubernetes Code Review Process.
Deploy Preview for kubernetes-io-vnext-staging processing.
| Name | Link |
|---|---|
| Latest commit | ee5b6cb4e91535ff8afa9d3965cee2100c0fb44f |
| Latest deploy log | https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/66cf752677517300088bdeda |
Pull request preview available for checking
Built without sensitive environment variables
| Name | Link |
|---|---|
| Latest commit | ee5b6cb4e91535ff8afa9d3965cee2100c0fb44f |
| Latest deploy log | https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/66cf75265b038f000823670b |
| Deploy Preview | https://deploy-preview-47715--kubernetes-io-main-staging.netlify.app |
one nit, lgtm otherwise
I agree with @sftim that this feels out of place on this page. Currently this page is for possible annotations that can appear in the annotations field of the Event object in the audit.k8s.io group. The credential-id key:value pair doesn't appear in that field, it appears in the user.extra field as part of the additional information provided by the authenticator.
My suggestions (feel free to ignore):
At minimum IMO this new key:value pair should appear in the description of the extra field in the API reference for the UserInfo object: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#userinfo-v1-authentication-k8s-io
Also an update to https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ to add a section that covers what you can expect to see, like:
Information displayed in audit logs

Any event that the cluster retains as an audit log shows at least the following information for each entry:

- Information about the audit log entry, including the following:
  - Audit record ID
  - Audit level
- Information about the originating request, including the following:
  - Request handling stage
  - Request URI
  - Kubernetes verb associated with the request, or HTTP method for non-resource requests
- Information about the user, including the following:
  - User name
  - User UID
  - User groups
  - Authenticating credential ID

Additional information is displayed in the log entry depending on the type of request and the audit level. For more details, see kube-apiserver Audit Configuration (v1).
Information about the authenticating credential

The user information in the audit record displays the ID of the credential that was used to authenticate the request in the user.extra field of the audit log entry as a key:value pair with the authentication.k8s.io/credential-id key and one of the following values:

- X.509 certificates: the SHA256 hash of the certificate. For example:

      "user":{ "username":"human-user", "groups":["system:authenticated"], "extra":{ "authentication.k8s.io/credential-id":"X509SHA256=<SHA256-hash>" } },

- Service accounts: the JTI claim embedded in the service account token. For example:

      "user":{ "username":"serviceaccount:example-ksa", "groups":["serviceaccounts"], "extra":{ "authentication.k8s.io/credential-id":"JTI=<JTI-claim>" } },
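The credential ID field the reviewer describes, as an added example that is not code from the Kubernetes project or from this PR: a small Python script that reads JSON-lines audit log entries, pulls authentication.k8s.io/credential-id out of user.extra, and groups requests by user and by credential, so that a user seen with several credentials, or entries that carry no credential ID at all (older servers, or authenticators that do not set one), stand out. The audit entries are constructed for this example, the hash and JTI values are short placeholders, and the code assumes extra values arrive as string lists (the audit Event type serialises them that way) while also accepting the bare string shown in the snippet above.

```python
"""Extract and cross-reference credential IDs from kube-apiserver audit logs.

Added example; not part of the Kubernetes project or of this PR. It assumes
the audit log is JSON lines (one audit.k8s.io Event per line) and that the
credential ID sits under user.extra["authentication.k8s.io/credential-id"].
"""
import json
from collections import defaultdict

CREDENTIAL_ID_KEY = "authentication.k8s.io/credential-id"

# Constructed sample entries (not real cluster output), trimmed to the fields
# inspected here. Hash and JTI values are placeholders, not real digests.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"auditID": "a1", "level": "Metadata", "stage": "ResponseComplete",
     "verb": "list", "requestURI": "/api/v1/namespaces/default/pods",
     "user": {"username": "human-user", "groups": ["system:authenticated"],
              "extra": {CREDENTIAL_ID_KEY: ["X509SHA256=1111"]}}},
    {"auditID": "a2", "level": "Metadata", "stage": "ResponseComplete",
     "verb": "get", "requestURI": "/api/v1/namespaces/default/secrets/db",
     "user": {"username": "human-user", "groups": ["system:authenticated"],
              "extra": {CREDENTIAL_ID_KEY: ["X509SHA256=2222"]}}},
    {"auditID": "a3", "level": "Metadata", "stage": "ResponseComplete",
     "verb": "get", "requestURI": "/api/v1/namespaces/default/configmaps/app",
     "user": {"username": "system:serviceaccount:default:example-ksa",
              "groups": ["system:serviceaccounts", "system:authenticated"],
              "extra": {CREDENTIAL_ID_KEY: ["JTI=3333"]}}},
    # Entry with no credential ID (e.g. an authenticator that does not set one).
    {"auditID": "a4", "level": "Metadata", "stage": "ResponseComplete",
     "verb": "list", "requestURI": "/api/v1/nodes",
     "user": {"username": "legacy-user", "groups": ["system:authenticated"]}},
    # Bare-string form, as written in the PR snippet rather than a string list.
    {"auditID": "a5", "level": "Metadata", "stage": "ResponseComplete",
     "verb": "list", "requestURI": "/api/v1/namespaces/default/pods",
     "user": {"username": "human-user", "groups": ["system:authenticated"],
              "extra": {CREDENTIAL_ID_KEY: "X509SHA256=1111"}}},
])


def credential_id(event):
    """Return (kind, value) such as ("X509SHA256", "<hex>") or ("JTI", "<jti>").

    Returns None when the entry carries no usable credential ID.
    """
    extra = (event.get("user") or {}).get("extra") or {}
    raw = extra.get(CREDENTIAL_ID_KEY)
    if raw is None:
        return None
    # Assumption: audit.k8s.io serialises extra values as lists of strings;
    # a bare string is accepted too so the PR's example parses as well.
    if isinstance(raw, list):
        if not raw:
            return None
        raw = raw[0]
    kind, sep, value = raw.partition("=")
    if not sep or not value:
        return None
    return kind, value


def summarize(audit_log_text):
    """Group audit entries by username and by credential ID."""
    by_user = defaultdict(set)
    by_credential = defaultdict(set)
    no_credential = []  # auditIDs of entries without a credential ID
    for line in audit_log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        username = (event.get("user") or {}).get("username", "<anonymous>")
        cid = credential_id(event)
        if cid is None:
            no_credential.append(event.get("auditID"))
            continue
        by_user[username].add(cid)
        by_credential[cid].add(username)
    return {"by_user": dict(by_user), "by_credential": dict(by_credential),
            "no_credential": no_credential}


def users_with_multiple_credentials(summary):
    """Usernames that authenticated with more than one distinct credential."""
    return sorted(u for u, creds in summary["by_user"].items() if len(creds) > 1)


if __name__ == "__main__":
    s = summarize(SAMPLE_AUDIT_LOG)
    for user, creds in sorted(s["by_user"].items()):
        print(user, sorted(creds))
    print("users with multiple credentials:", users_with_multiple_credentials(s))
    print("entries without credential ID:", s["no_credential"])
```

The kind prefix (X509SHA256 or JTI) is kept separate from the value so a follow-up step can, for example, look up the JTI in token-issuance records or compare the certificate hash against the set of certificates you expect to be in circulation.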
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.
This bot triages PRs according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the PR is closed
You can:
- Mark this PR as fresh with /remove-lifecycle stale
- Close this PR with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.
This bot triages PRs according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the PR is closed
You can:
- Mark this PR as fresh with /remove-lifecycle rotten
- Close this PR with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages PRs according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the PR is closed
You can:
- Reopen this PR with /reopen
- Mark this PR as fresh with /remove-lifecycle rotten
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close
@k8s-triage-robot: Closed this PR.