Details
- Feature Request
- Resolution: Done
- Normal
- openshift-4.10.z
Description
When looking at the apiserver audit logs, the SourceIPs field isn't always properly populated with the client source IP. For completeness, this is the command I use to look at events from my own user account:
Console Login captures the source IP:
~~~
for i in $(oc get nodes -l node-role.kubernetes.io/master="" | awk '{print $1}' | grep -v -e "NAME"); do
  oc adm node-logs $i --path=openshift-apiserver/audit.log | jq 'select(.user.username == "user@example.com")'
done
~~~
Actions that are done from the openshift console will contain our office source IP:
~~~
{
  "kind": "Event",
  "apiVersion": "",
  "level": "Metadata",
  "auditID": "59db43ee-0344-46ec-a050-864bd747ab43",
  "stage": "ResponseComplete",
  "requestURI": "/apis/project.openshift.io/v1/projects/<redacted>",
  "verb": "get",
  "user": { "username": "user@example.com", "groups": [ "system:authenticated:oauth", "system:authenticated" ], "extra": { "scopes.authorization.openshift.io": [ "user:full" ] } },
  "sourceIPs": [ "213.10<REDACTED>", "10.x.x.x", "10.xx.xx.xx", "10x.x.x.x" ],
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36",
  "objectRef": { "resource": "projects", "namespace": "<redacted>", "name": "<redacted>", "apiGroup": "project.openshift.io", "apiVersion": "v1" },
  "responseStatus": { "metadata": {}, "code": 200 },
  "requestReceivedTimestamp": "2023-03-16T10:34:57.585655Z",
  "stageTimestamp": "2023-03-16T10:34:57.600637Z",
  "annotations": { "authorization.k8s.io/decision": "allow", "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"cluster-admin-11\" of ClusterRole \"cluster-admin\" to User \"user@example.com\"" }
}
~~~
However, when I log in using oc and run a command, the source IP is missing; it is only capturing the Master Node IPs.
~~~
{
  "kind": "Event",
  "apiVersion": "",
  "level": "Metadata",
  "auditID": "8d6b9d3c-c309-4bd7-b1e1-bd0e34f9821b",
  "stage": "ResponseComplete",
  "requestURI": "/apis/project.openshift.io/v1/projects",
  "verb": "list",
  "user": { "username": "user@example.com", "groups": [ "system:authenticated:oauth", "system:authenticated" ], "extra": { "scopes.authorization.openshift.io": [ "user:full" ] } },
  "sourceIPs": [ "10.200.xxx.xxx", "10.x.x.x" ],
  "userAgent": "oc/4.12.0 (darwin/arm64) kubernetes/3c85519",
  "objectRef": { "resource": "projects", "apiGroup": "project.openshift.io", "apiVersion": "v1" },
  "responseStatus": { "metadata": {}, "code": 200 },
  "requestReceivedTimestamp": "2023-03-16T10:34:06.900718Z",
  "stageTimestamp": "2023-03-16T10:34:06.913690Z",
  "annotations": { "authorization.k8s.io/decision": "allow", "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"basic-users\" of ClusterRole \"basic-user\" to Group \"system:authenticated\"" }
}
~~~
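One way to measure the gap described above, as an added example that is not part of the original report: it reads audit events, one JSON object per line, and counts per client whether `sourceIPs` contains any address outside the internal ranges. The RFC 1918 ranges in `INTERNAL_NETS`, the function names and the sample events are assumptions constructed for illustration.

```python
import ipaddress
import json
from collections import defaultdict

# Assumption: node and pod networks sit in the RFC 1918 ranges; adjust to the cluster.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(value):
    """True/False for a parseable address; None for redacted or malformed entries."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    return any(addr in net for net in INTERNAL_NETS)

def classify(event):
    """Label one audit event by what its sourceIPs list reveals about the client."""
    flags = [is_internal(ip) for ip in event.get("sourceIPs", [])]
    if any(f is False for f in flags):
        return "client-ip-present"
    if flags and all(f is True for f in flags):
        return "internal-only"
    return "unknown"  # empty list, or only redacted/malformed entries besides internal ones

def summarize(lines, username):
    """Count labels per client (first token of userAgent) for one user's events."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines
        if event.get("user", {}).get("username") != username:
            continue
        agent = event.get("userAgent", "").split("/")[0]
        counts[agent][classify(event)] += 1
    return {agent: dict(c) for agent, c in counts.items()}

# Constructed sample events (not taken from the report's logs).
SAMPLE = [
    '{"user":{"username":"user@example.com"},"userAgent":"Mozilla/5.0 (constructed)","sourceIPs":["203.0.113.7","10.0.0.5","10.128.0.2"]}',
    '{"user":{"username":"user@example.com"},"userAgent":"oc/4.12.0 (darwin/arm64)","sourceIPs":["10.200.0.11","10.0.0.5"]}',
    '{"user":{"username":"user@example.com"},"userAgent":"oc/4.12.0 (darwin/arm64)","sourceIPs":["213.10<REDACTED>","10.0.0.5"]}',
    '{"user":{"username":"other@example.com"},"userAgent":"oc/4.12.0","sourceIPs":["10.0.0.5"]}',
]

if __name__ == "__main__":
    print(summarize(SAMPLE, "user@example.com"))
```
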