1. Proposed title of this feature request
Include context information in unauthorized access
2. What is the nature and description of the request?
When an unauthorized access attempt is made (for example, an expired token used by some tool), the audit logs do not provide any information about who tried to access the cluster.
If the info is taken from the kubeconfig:
$ oc get nodes --loglevel 10 --server https://api.test416.lab.xxx.xx.redhat.com:6443
I0916 14:50:15.455576 93735 loader.go:395] Config loaded from file: /home/xxxx/.kube/config
I0916 14:50:15.455782 93735 round_trippers.go:466] curl -v -XGET -H "Accept: application/json;g=apidiscovery.k8s.io;v=v2beta1;as=APIGroupDiscoveryList,application/json" -H "User-Agent: oc/4.16.0 (linux/amd64) kubernetes/ee354f6" 'https://api.test416.lab.xxx.xx.redhat.com:6443/api?timeout=32s'
The info should be added to the audit log, but this is not being done:
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"c2845fb6-dc15-49e7-928d-673c287c67a4","stage":"ResponseStarted","requestURI":"/apis/apps/v1/namespaces/default/daemonsets?limit=500","verb":"list","user":{},"sourceIPs":["10.74.210.146"],"userAgent":"oc/4.16.0 (linux/amd64) kubernetes/ee354f6","objectRef":{"resource":"daemonsets","namespace":"default","apiGroup":"apps","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401},"requestReceivedTimestamp":"2025-08-21T10:59:35.847610Z","stageTimestamp":"2025-08-21T10:59:35.857907Z"}
3. Why does the customer need this? (List the business requirements here)
In case of any attack or unauthorized access attempt, it is hard to determine who is responsible.
4. List any affected packages or components.
apiserver, audit logs
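Until the audit event carries identity context, the only attribution left in a 401 event like the one in section 2 is `sourceIPs` and `userAgent`. The following is an added example, not part of the original request or of OpenShift: it groups 401 events with an empty `user` by those two fields. The function names are hypothetical and the sample log lines are constructed.

```python
import json

def _event(audit_id, stage, ip, agent, code, ts, user=None):
    """Build one constructed audit.k8s.io/v1 line shaped like the event above."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
        "stage": stage, "verb": "list", "user": user or {}, "sourceIPs": [ip],
        "userAgent": agent, "responseStatus": {"code": code},
        "requestReceivedTimestamp": ts})

OC = "oc/4.16.0 (linux/amd64) kubernetes/ee354f6"
# Constructed sample log: audit IDs, IPs (RFC 5737 ranges) and times are made up.
SAMPLE = [
    _event("id-1", "ResponseStarted", "192.0.2.10", OC, 401, "2025-08-21T10:59:35.847610Z"),
    _event("id-1", "ResponseComplete", "192.0.2.10", OC, 401, "2025-08-21T10:59:35.847610Z"),
    _event("id-2", "ResponseComplete", "192.0.2.10", OC, 401, "2025-08-21T11:04:02.100000Z"),
    _event("id-3", "ResponseComplete", "198.51.100.7", "curl/8.5.0", 401,
           "2025-08-21T11:05:00.000000Z"),
    _event("id-4", "ResponseComplete", "192.0.2.10", OC, 200,
           "2025-08-21T11:06:00.000000Z", user={"username": "system:admin"}),
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"id-5"',  # truncated line
]

def summarize_anonymous_401s(lines):
    """Group 401 events with an empty user by (source IP, user agent)."""
    seen, summary = set(), {}
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(ev, dict):
            continue
        status = ev.get("responseStatus") or {}
        if status.get("code") != 401 or (ev.get("user") or {}).get("username"):
            continue  # keep only rejected requests with no recorded identity
        audit_id = ev.get("auditID")
        if audit_id and audit_id in seen:
            continue  # same request already counted at another stage
        seen.add(audit_id)
        ts = ev.get("requestReceivedTimestamp", "")
        for ip in ev.get("sourceIPs") or ["unknown"]:
            entry = summary.setdefault((ip, ev.get("userAgent", "unknown")),
                                       {"count": 0, "first": ts, "last": ts})
            entry["count"] += 1
            # RFC 3339 UTC timestamps of equal precision sort lexicographically
            entry["first"], entry["last"] = min(entry["first"], ts), max(entry["last"], ts)
    return summary

if __name__ == "__main__":
    for (ip, agent), e in sorted(summarize_anonymous_401s(SAMPLE).items()):
        print(f'{ip}  {e["count"]:>3}  {e["first"]} .. {e["last"]}  {agent}')
```

Both fields are weak evidence: `userAgent` is set by the client, and `sourceIPs` may show a proxy or load balancer instead of the originating host.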