How can I see usage patterns of the "kubectl exec" command?

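In a Kubernetes cluster, I am trying to understand how kubectl exec is being used by users. Which pods, in which namespaces, are users exec'ing into? What is the best way to find this out?

I feel the audit log is a good place to start, but I am not sure I will be able to find what I am looking for there.

Answer 1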

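Yes, the pod/exec request is tracked in the audit log just like any other request, and it even appears to track the command that was issued (although if the command is merely sh or bash, that will not be so useful)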

{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Request",
  "auditID": "0f5bcb21-ef16-443e-bca2-1d26209207b9",
  "stage": "ResponseStarted",
  "requestURI": "/api/v1/namespaces/kube-system/pods/sample-647b485b68-4tc9h/exec?command=ps&command=auwx&container=sample&stderr=true&stdout=true",
  "verb": "create",
  "user": {
    "username": "kubernetes-admin",
    "groups": [
      "system:masters",
      "system:authenticated"
    ]
  },
  "sourceIPs": [
    "10.128.4.90"
  ],
  "userAgent": "kubectl/v1.19.2 (linux/amd64) kubernetes/f574309",
  "objectRef": {
    "resource": "pods",
    "namespace": "kube-system",
    "name": "sample-647b485b68-4tc9h",
    "apiVersion": "v1",
    "subresource": "exec"
  },
  "responseStatus": {
    "metadata": {},
    "code": 101
  },
  "requestReceivedTimestamp": "2020-10-06T16:06:48.205785Z",
  "stageTimestamp": "2020-10-06T16:06:48.258680Z",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  }
}
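
As an added example (not part of the original answer), one way to turn audit events like the one above into a per-user view of who ran exec in which namespace and pod. It assumes the audit log is available as one JSON event per line; the sample lines, the `dev-user` and `web-0` names and the `id-N` audit IDs are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit, parse_qs

def exec_sessions(lines):
    """Yield one record per distinct pods/exec request in audit log lines."""
    seen = set()
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # truncated or non-JSON line
        ref = ev.get("objectRef") or {}
        # Match on objectRef, not on verb or URI text.
        if ref.get("resource") != "pods" or ref.get("subresource") != "exec":
            continue
        aid = ev.get("auditID")
        if aid in seen:
            continue  # same request logged again at a later stage
        seen.add(aid)
        query = parse_qs(urlsplit(ev.get("requestURI", "")).query)
        yield {"user": (ev.get("user") or {}).get("username"),
               "namespace": ref.get("namespace"), "pod": ref.get("name"),
               "container": (query.get("container") or [None])[0],
               "command": query.get("command", []),
               "time": ev.get("requestReceivedTimestamp")}

def usage_by_target(lines):
    """Count exec requests per (user, namespace, pod)."""
    return Counter((s["user"], s["namespace"], s["pod"]) for s in exec_sessions(lines))

def _ev(aid, stage, user, ns, pod, sub="", query=""):
    """Build one constructed audit log line (sample data only)."""
    ref = {"resource": "pods", "namespace": ns, "name": pod}
    uri = f"/api/v1/namespaces/{ns}/pods/{pod}"
    if sub:
        ref["subresource"] = sub
        uri += f"/{sub}?{query}"
    return json.dumps({"auditID": aid, "stage": stage, "requestURI": uri,
                       "user": {"username": user}, "objectRef": ref,
                       "requestReceivedTimestamp": "2020-10-06T16:06:48.205785Z"})

# Constructed sample: the first event mirrors the answer's, the rest are invented.
Q1 = "command=ps&command=auwx&container=sample&stderr=true&stdout=true"
SAMPLE = [
    _ev("id-1", "ResponseStarted", "kubernetes-admin", "kube-system", "sample-647b485b68-4tc9h", "exec", Q1),
    _ev("id-1", "ResponseComplete", "kubernetes-admin", "kube-system", "sample-647b485b68-4tc9h", "exec", Q1),
    _ev("id-2", "ResponseStarted", "dev-user", "default", "web-0", "exec", "command=sh&container=web&stdin=true&tty=true"),
    _ev("id-3", "ResponseComplete", "dev-user", "default", "web-0"),  # plain pod read, ignored
    '{"auditID": "id-4", "objectRef"',  # truncated line, skipped
]

if __name__ == "__main__":
    for s in exec_sessions(SAMPLE):
        print(s["time"], s["user"], f'{s["namespace"]}/{s["pod"]}', s["container"], " ".join(s["command"]))
```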
