1

In a Kubernetes cluster, I am trying to understand how kubectl exec is used by the users. Which pods in which namespaces are users exec'ing into? What is the best way to discover that?

I think the audit logs are a good starting point but I am not sure whether I would find what I am looking for there.

Hakan Baba

1 Answer

3

Yes, the pod/exec request is tracked just like any other request in the audit log, and it even appears to track the command issued (although that won't be as helpful if the command is just sh or bash):

{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Request",
  "auditID": "0f5bcb21-ef16-443e-bca2-1d26209207b9",
  "stage": "ResponseStarted",
  "requestURI": "/api/v1/namespaces/kube-system/pods/sample-647b485b68-4tc9h/exec?command=ps&command=auwx&container=sample&stderr=true&stdout=true",
  "verb": "create",
  "user": {
    "username": "kubernetes-admin",
    "groups": [
      "system:masters",
      "system:authenticated"
    ]
  },
  "sourceIPs": [
    "10.128.4.90"
  ],
  "userAgent": "kubectl/v1.19.2 (linux/amd64) kubernetes/f574309",
  "objectRef": {
    "resource": "pods",
    "namespace": "kube-system",
    "name": "sample-647b485b68-4tc9h",
    "apiVersion": "v1",
    "subresource": "exec"
  },
  "responseStatus": {
    "metadata": {},
    "code": 101
  },
  "requestReceivedTimestamp": "2020-10-06T16:06:48.205785Z",
  "stageTimestamp": "2020-10-06T16:06:48.258680Z",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  }
}
mdaniel
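One way to answer the question from such a log, as an added example that is not code from the question or the answer: it reads audit events written one JSON object per line, keeps those whose objectRef is pods/exec, and counts them per user, namespace and pod. Everything in the sample log other than the values taken from the answer's event (the user dev-1, the pod web-0, the audit IDs a1 to a3) is constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit, parse_qs

def _sample(audit_id, stage, user, ns, pod, query=None):
    """Constructed audit event holding only the fields read below."""
    ref = {"resource": "pods", "namespace": ns, "name": pod}
    uri = f"/api/v1/namespaces/{ns}/pods/{pod}"
    if query is not None:  # an exec request
        ref["subresource"] = "exec"
        uri += "/exec?" + query
    return json.dumps({"auditID": audit_id, "stage": stage, "requestURI": uri,
                       "user": {"username": user}, "objectRef": ref})

# Constructed log: one JSON event per line (JSON Lines).
SAMPLE_LOG = [
    _sample("a1", "RequestReceived", "kubernetes-admin", "kube-system",
            "sample-647b485b68-4tc9h", "command=ps&command=auwx&container=sample"),
    _sample("a1", "ResponseStarted", "kubernetes-admin", "kube-system",
            "sample-647b485b68-4tc9h", "command=ps&command=auwx&container=sample"),
    _sample("a2", "ResponseComplete", "dev-1", "default", "web-0"),  # not an exec
    _sample("a3", "ResponseStarted", "dev-1", "default", "web-0", "command=sh"),
    "not json",  # truncated or corrupt line, skipped by the parser
]

def exec_events(lines):
    """Yield one record per distinct pods/exec request in the audit log."""
    seen = set()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        ref = ev.get("objectRef") or {}
        # Match on objectRef rather than on the verb or the raw URI text.
        if ref.get("resource") != "pods" or ref.get("subresource") != "exec":
            continue
        if ev.get("auditID") in seen:  # one request is logged once per stage
            continue
        seen.add(ev.get("auditID"))
        query = parse_qs(urlsplit(ev.get("requestURI", "")).query)
        yield {"user": (ev.get("user") or {}).get("username"),
               "namespace": ref.get("namespace"), "pod": ref.get("name"),
               "container": (query.get("container") or [None])[0],
               "command": query.get("command", [])}

def exec_summary(lines):
    return Counter((e["user"], e["namespace"], e["pod"]) for e in exec_events(lines))
```

To run it against a real log, pass an open file object for the audit log to `exec_summary`; the path of that file depends on how the API server's audit backend is configured.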