
Kubernetes Audit Logs

Overview

Kubernetes is an open-source container orchestration system for automating software deployment, scaling and management.

In this documentation, you will learn how to configure, collect and send Kubernetes Audit logs to SEKOIA.IO.

  • Supported environment: On Premise / SaaS

Configuration of Kubernetes

Enable the audit logs in kubernetes:

  • Audit logs are disabled by default. To enable them, specify the audit log path and the audit policy file in your kube-apiserver configuration:
 kube-apiserver
  [...]
  --audit-log-path=/var/log/kubernetes/apiserver/audit.log
  --audit-policy-file=/etc/kubernetes/audit-policies/policy.yaml
  • Create the policy file at /etc/kubernetes/audit-policies/policy.yaml to specify which API requests are written to the audit log and at which level. A Kubernetes audit policy rule has one of four levels:

    • None - don't log events that match this rule.
    • Metadata - log events with metadata (requesting user, timestamp, resource, verb, etc.) but not request or response body.
    • Request - log events with request metadata and body but not response body. This does not apply for non-resource requests.
    • RequestResponse - log events with request metadata, request body and response body. This does not apply for non-resource requests.
  • You can use this minimal audit policy file to log all requests at the Metadata level (the requestObject and responseObject fields shown in the samples below only appear at the Request and RequestResponse levels):

# Log all requests at the Metadata level.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

For more information about Kubernetes audit logs, please visit the Kubernetes website.
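Rule order is what decides the level an event gets: kube-apiserver takes the first rule that matches the request, and a request that matches no rule is not logged at all. The following script is an added example, not kube-apiserver code and not part of this integration: it re-implements that first-match semantics in simplified form (users, userGroups, verbs, namespaces, resources and nonResourceURLs; omitStages and resourceNames are left out) and runs a constructed tiered policy against requests shaped like the events in the samples further down. The policy, the user names and the request names are assumptions made for the illustration.

```python
"""Which audit level will a policy assign to a request?

Added example, not kube-apiserver code: a simplified re-implementation of the
first-match semantics of an audit.k8s.io/v1 Policy (users, userGroups, verbs,
namespaces, resources, nonResourceURLs; omitStages and resourceNames are left
out). Rule order decides the level; a request matching no rule is not logged.
"""
from dataclasses import dataclass


@dataclass
class Request:
    """The request attributes an audit policy rule can select on."""
    user: str
    groups: list
    verb: str
    api_group: str = ""    # "" is the core API group
    resource: str = ""     # empty for non-resource URLs such as /healthz
    subresource: str = ""
    namespace: str = ""    # "" for cluster-scoped resources
    path: str = ""         # non-resource URL path

    @property
    def is_resource_request(self) -> bool:
        return bool(self.resource)


def _resource_matches(rule: dict, req: Request) -> bool:
    if not req.is_resource_request:
        return False
    if rule.get("namespaces") and req.namespace not in rule["namespaces"]:
        return False
    if not rule.get("resources"):
        return True
    combined = f"{req.resource}/{req.subresource}" if req.subresource else req.resource
    for gr in rule["resources"]:
        if gr.get("group", "") != req.api_group:
            continue
        if not gr.get("resources"):
            return True  # rule covers the whole API group
        for res in gr["resources"]:  # "pods", "pods/exec", "pods/*", "*/scale"
            if res in (combined, f"{req.resource}/*") or (res.startswith("*/") and res[2:] == req.subresource):
                return True
    return False


def _non_resource_matches(rule: dict, req: Request) -> bool:
    # A trailing "*" in nonResourceURLs is a prefix wildcard.
    return not req.is_resource_request and any(
        p == req.path or (p.endswith("*") and req.path.startswith(p[:-1]))
        for p in rule["nonResourceURLs"])


def rule_matches(rule: dict, req: Request) -> bool:
    if rule.get("users") and req.user not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(req.groups):
        return False
    if rule.get("verbs") and req.verb not in rule["verbs"]:
        return False
    if rule.get("namespaces") or rule.get("resources"):
        return _resource_matches(rule, req)
    if rule.get("nonResourceURLs"):
        return _non_resource_matches(rule, req)
    return True  # no selector at all: a catch-all rule


def effective_level(policy: dict, req: Request) -> str:
    """First matching rule wins; no match means the request is not logged."""
    for rule in policy["rules"]:
        if rule_matches(rule, req):
            return rule["level"]
    return "None"


# Constructed tiered policy (an assumption for this example): bodies only where
# an investigation needs them, never for secrets.
TIERED_POLICY = {"apiVersion": "audit.k8s.io/v1", "kind": "Policy", "rules": [
    {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
     "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
    {"level": "None", "nonResourceURLs": ["/healthz*", "/livez*", "/readyz*", "/version"]},
    {"level": "RequestResponse", "verbs": ["create", "update", "patch", "delete"],
     "resources": [{"group": "rbac.authorization.k8s.io"},
                   {"group": "", "resources": ["pods", "pods/exec", "pods/attach"]}]},
    {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
    {"level": "Metadata"},  # catch-all: must stay last
]}
# Same rules with the catch-all moved first: every request now gets Metadata.
MISORDERED_POLICY = {"rules": [TIERED_POLICY["rules"][-1]] + TIERED_POLICY["rules"][:-1]}

ADMIN = ["system:masters", "system:authenticated"]
SAMPLE_REQUESTS = {  # constructed, shaped like the events in the samples below
    "rbac_cluster_admin": Request("minikube-user", ADMIN, "create",
                                  api_group="rbac.authorization.k8s.io", resource="clusterrolebindings"),
    "pod_exec": Request("alice", ["system:authenticated"], "create",
                        resource="pods", subresource="exec", namespace="default"),
    "secret_create": Request("alice", ["system:authenticated"], "create", resource="secrets", namespace="default"),
    "pod_list": Request("alice", ["system:authenticated"], "list", resource="pods", namespace="default"),
    "proxy_watch": Request("system:kube-proxy", ["system:nodes"], "watch", resource="endpoints"),
    "healthz": Request("system:anonymous", ["system:unauthenticated"], "get", path="/healthz"),
}


def evaluate(policy: dict) -> dict:
    """Map each sample request name to the level the policy assigns it."""
    return {name: effective_level(policy, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, level in evaluate(TIERED_POLICY).items():
        print(f"{name:<20} {level}")
    print("catch-all first, RBAC change logged at:", evaluate(MISORDERED_POLICY)["rbac_cluster_admin"])
```

The tiered policy keeps request and response bodies only for the RBAC and pod operations an investigation needs, and deliberately stops at Metadata for secrets and configmaps, since a Request or RequestResponse level would write their contents into the audit file. Moving the catch-all Metadata rule to the top silently downgrades every event, including the cluster-admin binding, which is what the last line of output shows.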

Collect Configuration

  • Enable the log collection in your DaemonSet; it is disabled by default:
env:
    # (...)
    - name: DD_LOGS_ENABLED
      value: 'true'
  • Mount the audit log directory at a path where the Sekoia Agent can collect the log file. The agent only needs to read it, so mount it read-only. To do so, update your DaemonSet:
 # (...)
    volumeMounts:
      # (...)
      - name: auditdir
        mountPath: /var/log/kubernetes/apiserver
        readOnly: true
  # (...)
  volumes:
    # (...)
    - hostPath:
        path: /var/log/kubernetes/apiserver
      name: auditdir
  # (...)

Create the intake

  1. Go to the intake page and create a new intake with the Kubernetes format.

  2. Update the Agent configuration:

logfiles:
    - filepath: /var/log/kubernetes/apiserver/audit.log  # Path to the file to watch
      intakekey: {intake key}  # Intake key to use to send the events
  3. Once the configuration file is modified, restart the agent.

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
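To see what a parsing or detection stage has to handle, here is an added example in Python (not Sekoia.io's parser and not part of this integration) that reads the line-delimited JSON kube-apiserver writes to --audit-log-path and flags the situations the samples below illustrate: a binding to cluster-admin, a privileged container, host namespace sharing, a hostPath volume, and exec or attach into a pod. It also shows two things the samples alone do not: each request appears twice (a RequestReceived event and a ResponseComplete event with the same auditID), and a Metadata-level policy leaves no requestObject to inspect. The events it runs on are constructed to mirror the samples; the auditIDs, the `web` pod, the exec request and the `other-binding` event are made up for the example.

```python
"""Flag high-risk API activity in kube-apiserver audit log lines.

Added example, not Sekoia.io's parser: reads the line-delimited JSON written
to --audit-log-path and reports the cases the samples in this section show
(cluster-admin binding, privileged container, host namespaces, hostPath,
exec/attach). The events below are constructed to mirror those samples.
"""
import json

MUTATING_VERBS = {"create", "update", "patch"}
HOST_NAMESPACE_KEYS = ("hostNetwork", "hostPID", "hostIPC")


def pod_findings(spec: dict) -> list:
    """Node-escape primitives in a Pod spec taken from requestObject."""
    findings = [f"pod shares host namespace: {k}=true" for k in HOST_NAMESPACE_KEYS if spec.get(k)]
    findings += [f"hostPath volume on {v['hostPath'].get('path')}" for v in spec.get("volumes", []) if "hostPath" in v]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"privileged container {c.get('name')}")
    return findings


def _subject(s: dict) -> str:
    ns = s.get("namespace")
    return f"{s.get('kind')} {ns + '/' if ns else ''}{s.get('name')}"


def event_findings(ev: dict) -> list:
    """Findings for one audit event; empty list when nothing stands out."""
    # Each request yields a RequestReceived and a ResponseComplete event with the
    # same auditID; only the final one carries the response, so inspect that one.
    if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in MUTATING_VERBS:
        return []
    ref = ev.get("objectRef", {})
    resource, sub = ref.get("resource"), ref.get("subresource")
    target = f"{ref['namespace']}/{ref.get('name')}" if ref.get("namespace") else ref.get("name")
    if resource == "pods" and sub in ("exec", "attach"):
        # Streaming request: the command travels in requestURI, never in a body.
        return [f"{sub} into pod {target} ({ev.get('requestURI', '')})"]
    body = ev.get("requestObject")
    if body is None:
        # Metadata level drops the body, so none of the checks below can run.
        if resource in ("pods", "clusterrolebindings", "rolebindings"):
            return [f"{ev['verb']} {resource} {target} logged at level {ev.get('level')}: "
                    "no request body to inspect"]
        return []
    kind = body.get("kind")
    if kind in ("ClusterRoleBinding", "RoleBinding") and body.get("roleRef", {}).get("name") == "cluster-admin":
        subjects = ", ".join(_subject(s) for s in body.get("subjects", []))
        return [f"{kind} {ref.get('name')} grants cluster-admin to {subjects}"]
    if kind == "Pod":
        return pod_findings(body.get("spec", {}))
    return []


def analyze(audit_log: str) -> list:
    """Parse one JSON event per line; return the events that raised findings."""
    results = []
    for line in filter(str.strip, audit_log.splitlines()):
        ev = json.loads(line)
        findings = event_findings(ev)
        if findings:
            results.append({"auditID": ev.get("auditID"), "user": ev.get("user", {}).get("username"),
                            "sourceIPs": ev.get("sourceIPs", []), "findings": findings})
    return results


def _event(audit_id, verb, resource, name, body=None, level="RequestResponse",
           stage="ResponseComplete", subresource=None, namespace="default", uri=""):
    """Constructed audit event shaped like the kube-apiserver samples."""
    ref = {"resource": resource, "name": name, "apiVersion": "v1"}
    ref.update({k: v for k, v in (("namespace", namespace), ("subresource", subresource)) if v})
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id, "level": level,
          "stage": stage, "verb": verb, "objectRef": ref, "requestURI": uri, "sourceIPs": ["1.2.3.4"],
          "user": {"username": "minikube-user", "groups": ["system:masters", "system:authenticated"]}}
    return ev if body is None else {**ev, "requestObject": body}


def _pod(name, spec):
    return {"kind": "Pod", "apiVersion": "v1", "metadata": {"name": name}, "spec": spec}


PRIV_POD = _pod("priv-shell", {"containers": [{"name": "shell", "image": "ubuntu:24.04",
                                               "securityContext": {"privileged": True}}]})
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [  # constructed, mirrors the samples below
    _event("a1", "create", "clusterrolebindings", "example-admin-binding", namespace=None, body={
        "kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"kind": "ServiceAccount", "name": "example", "namespace": "default"}]}),
    _event("a2", "create", "pods", "priv-shell", body=PRIV_POD, stage="RequestReceived"),  # skipped
    _event("a2", "create", "pods", "priv-shell", body=PRIV_POD),
    _event("a3", "create", "pods", "pod-hostnetwork", body=_pod("pod-hostnetwork", {
        "hostNetwork": True, "containers": [{"name": "nginx", "image": "nginx"}]})),
    _event("a4", "create", "pods", "pod-hostpath", body=_pod("pod-hostpath", {
        "volumes": [{"name": "host-volume", "hostPath": {"path": "/tmp/testdir"}}],
        "containers": [{"name": "test-container", "image": "ubuntu:24.04"}]})),
    _event("a5", "create", "pods", "priv-shell", level="Metadata", subresource="exec",
           uri="/api/v1/namespaces/default/pods/priv-shell/exec?command=bash&stdin=true&tty=true"),
    _event("a6", "create", "pods", "web", body=_pod("web", {"containers": [{"name": "web", "image": "nginx"}]})),
    _event("a7", "create", "clusterrolebindings", "other-binding", namespace=None, level="Metadata"),
])

if __name__ == "__main__":
    for hit in analyze(SAMPLE_AUDIT_LOG):
        print(hit["auditID"], hit["user"], hit["sourceIPs"], "->", "; ".join(hit["findings"]))
```

The benign `web` pod produces nothing, and the RequestReceived copy of the privileged pod is ignored so the finding is raised once per auditID. The last event shows the trade-off of the minimal Metadata policy from the configuration section: the binding is recorded, but without a body there is no way to tell from the log which role it granted.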

{
    "kind": "Event",
    "user": {
        "extra": {
            "authentication.kubernetes.io/credential-id": [
                "X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
            ]
        },
        "groups": [
            "system:masters",
            "system:authenticated"
        ],
        "username": "minikube-user"
    },
    "verb": "create",
    "level": "RequestResponse",
    "stage": "ResponseComplete",
    "auditID": "cc1dcb56-f0e4-4720-bad1-433ce652add7",
    "objectRef": {
        "name": "example-admin-binding",
        "apiGroup": "rbac.authorization.k8s.io",
        "resource": "clusterrolebindings",
        "apiVersion": "v1"
    },
    "sourceIPs": [
        "1.2.3.4"
    ],
    "userAgent": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
    "apiVersion": "audit.k8s.io/v1",
    "requestURI": "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings?fieldManager=kubectl-create&fieldValidation=Strict",
    "annotations": {
        "authorization.k8s.io/reason": "",
        "authorization.k8s.io/decision": "allow"
    },
    "requestObject": {
        "kind": "ClusterRoleBinding",
        "roleRef": {
            "kind": "ClusterRole",
            "name": "cluster-admin",
            "apiGroup": "rbac.authorization.k8s.io"
        },
        "metadata": {
            "name": "example-admin-binding",
            "creationTimestamp": null
        },
        "subjects": [
            {
                "kind": "ServiceAccount",
                "name": "example",
                "namespace": "default"
            }
        ],
        "apiVersion": "rbac.authorization.k8s.io/v1"
    },
    "responseObject": {
        "kind": "ClusterRoleBinding",
        "roleRef": {
            "kind": "ClusterRole",
            "name": "cluster-admin",
            "apiGroup": "rbac.authorization.k8s.io"
        },
        "metadata": {
            "uid": "63d6ae6a-e969-495c-b7ab-b730b203501c",
            "name": "example-admin-binding",
            "managedFields": [
                {
                    "time": "2025-05-22T12:23:08Z",
                    "manager": "kubectl-create",
                    "fieldsV1": {
                        "f:roleRef": {},
                        "f:subjects": {}
                    },
                    "operation": "Update",
                    "apiVersion": "rbac.authorization.k8s.io/v1",
                    "fieldsType": "FieldsV1"
                }
            ],
            "resourceVersion": "10616",
            "creationTimestamp": "2025-05-22T12:23:08Z"
        },
        "subjects": [
            {
                "kind": "ServiceAccount",
                "name": "example",
                "namespace": "default"
            }
        ],
        "apiVersion": "rbac.authorization.k8s.io/v1"
    },
    "responseStatus": {
        "code": 201,
        "metadata": {}
    },
    "stageTimestamp": "2025-05-22T12:23:08.704223Z",
    "requestReceivedTimestamp": "2025-05-22T12:23:08.702110Z"
}
{
    "kind": "Event",
    "user": {
        "extra": {
            "authentication.kubernetes.io/credential-id": [
                "X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
            ]
        },
        "groups": [
            "system:masters",
            "system:authenticated"
        ],
        "username": "minikube-user"
    },
    "verb": "create",
    "level": "RequestResponse",
    "stage": "ResponseComplete",
    "auditID": "2028e1f9-4561-4668-9df4-bc0dcd3ae11b",
    "objectRef": {
        "name": "example-admin-binding",
        "apiGroup": "rbac.authorization.k8s.io",
        "resource": "clusterrolebindings",
        "apiVersion": "v1"
    },
    "sourceIPs": [
        "1.2.3.4"
    ],
    "userAgent": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
    "apiVersion": "audit.k8s.io/v1",
    "requestURI": "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings?fieldManager=kubectl-create&fieldValidation=Strict",
    "annotations": {
        "authorization.k8s.io/reason": "",
        "authorization.k8s.io/decision": "allow"
    },
    "requestObject": {
        "kind": "ClusterRoleBinding",
        "roleRef": {
            "kind": "ClusterRole",
            "name": "cluster-admin",
            "apiGroup": "rbac.authorization.k8s.io"
        },
        "metadata": {
            "name": "example-admin-binding",
            "creationTimestamp": null
        },
        "subjects": [
            {
                "kind": "ServiceAccount",
                "name": "example",
                "namespace": "default"
            }
        ],
        "apiVersion": "rbac.authorization.k8s.io/v1"
    },
    "responseObject": {
        "kind": "ClusterRoleBinding",
        "roleRef": {
            "kind": "ClusterRole",
            "name": "cluster-admin",
            "apiGroup": "rbac.authorization.k8s.io"
        },
        "metadata": {
            "uid": "804440c7-256c-4187-84f3-1e644906db18",
            "name": "example-admin-binding",
            "managedFields": [
                {
                    "time": "2025-05-22T12:23:08Z",
                    "manager": "kubectl-create",
                    "fieldsV1": {
                        "f:roleRef": {},
                        "f:subjects": {}
                    },
                    "operation": "Update",
                    "apiVersion": "rbac.authorization.k8s.io/v1",
                    "fieldsType": "FieldsV1"
                }
            ],
            "resourceVersion": "10616",
            "creationTimestamp": "2025-05-22T12:23:08Z"
        },
        "subjects": [
            {
                "kind": "ServiceAccount",
                "name": "example",
                "namespace": "default"
            }
        ],
        "apiVersion": "rbac.authorization.k8s.io/v1"
    },
    "responseStatus": {
        "code": 201,
        "metadata": {}
    },
    "stageTimestamp": "2025-05-22T12:23:08.704223Z",
    "requestReceivedTimestamp": "2025-05-22T12:23:08.702110Z"
}
{
    "kind": "Event",
    "user": {
        "extra": {
            "authentication.kubernetes.io/credential-id": [
                "X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
            ]
        },
        "groups": [
            "system:masters",
            "system:authenticated"
        ],
        "username": "minikube-user"
    },
    "verb": "create",
    "level": "RequestResponse",
    "stage": "ResponseComplete",
    "auditID": "8cb523a6-0be6-4198-8886-ed4fa57bd375",
    "objectRef": {
        "name": "priv-shell",
        "resource": "pods",
        "namespace": "default",
        "apiVersion": "v1"
    },
    "sourceIPs": [
        "1.2.3.4"
    ],
    "userAgent": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
    "apiVersion": "audit.k8s.io/v1",
    "requestURI": "/api/v1/namespaces/default/pods?fieldManager=kubectl-run",
    "annotations": {
        "authorization.k8s.io/reason": "",
        "authorization.k8s.io/decision": "allow",
        "pod-security.kubernetes.io/enforce-policy": "privileged:latest"
    },
    "requestObject": {
        "kind": "Pod",
        "spec": {
            "dnsPolicy": "ClusterFirst",
            "containers": [
                {
                    "name": "shell",
                    "image": "ubuntu:24.04",
                    "command": [
                        "bash",
                        "-c",
                        "sleep infinity"
                    ],
                    "resources": {},
                    "imagePullPolicy": "IfNotPresent",
                    "securityContext": {
                        "privileged": true
                    },
                    "terminationMessagePath": "/dev/termination-log",
                    "terminationMessagePolicy": "File"
                }
            ],
            "restartPolicy": "Never",
            "schedulerName": "default-scheduler",
            "securityContext": {},
            "enableServiceLinks": true,
            "terminationGracePeriodSeconds": 30
        },
        "status": {},
        "metadata": {
            "name": "priv-shell",
            "labels": {
                "run": "priv-shell"
            },
            "creationTimestamp": null
        },
        "apiVersion": "v1"
    },
    "responseObject": {
        "kind": "Pod",
        "spec": {
            "volumes": [
                {
                    "name": "kube-api-access-cmszt",
                    "projected": {
                        "sources": [
                            {
                                "serviceAccountToken": {
                                    "path": "token",
                                    "expirationSeconds": 3607
                                }
                            },
                            {
                                "configMap": {
                                    "name": "kube-root-ca.crt",
                                    "items": [
                                        {
                                            "key": "ca.crt",
                                            "path": "ca.crt"
                                        }
                                    ]
                                }
                            },
                            {
                                "downwardAPI": {
                                    "items": [
                                        {
                                            "path": "namespace",
                                            "fieldRef": {
                                                "fieldPath": "metadata.namespace",
                                                "apiVersion": "v1"
                                            }
                                        }
                                    ]
                                }
                            }
                        ],
                        "defaultMode": 420
                    }
                }
            ],
            "priority": 0,
            "dnsPolicy": "ClusterFirst",
            "containers": [
                {
                    "name": "shell",
                    "image": "ubuntu:24.04",
                    "command": [
                        "bash",
                        "-c",
                        "sleep infinity"
                    ],
                    "resources": {},
                    "volumeMounts": [
                        {
                            "name": "kube-api-access-cmszt",
                            "readOnly": true,
                            "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
                        }
                    ],
                    "imagePullPolicy": "IfNotPresent",
                    "securityContext": {
                        "privileged": true
                    },
                    "terminationMessagePath": "/dev/termination-log",
                    "terminationMessagePolicy": "File"
                }
            ],
            "tolerations": [
                {
                    "key": "node.kubernetes.io/not-ready",
                    "effect": "NoExecute",
                    "operator": "Exists",
                    "tolerationSeconds": 300
                },
                {
                    "key": "node.kubernetes.io/unreachable",
                    "effect": "NoExecute",
                    "operator": "Exists",
                    "tolerationSeconds": 300
                }
            ],
            "restartPolicy": "Never",
            "schedulerName": "default-scheduler",
            "serviceAccount": "default",
            "securityContext": {},
            "preemptionPolicy": "PreemptLowerPriority",
            "enableServiceLinks": true,
            "serviceAccountName": "default",
            "terminationGracePeriodSeconds": 30
        },
        "status": {
            "phase": "Pending",
            "qosClass": "BestEffort"
        },
        "metadata": {
            "uid": "b213474e-679f-43e4-8e26-6bfde524ba34",
            "name": "priv-shell",
            "labels": {
                "run": "priv-shell"
            },
            "namespace": "default",
            "managedFields": [
                {
                    "time": "2025-05-22T13:14:38Z",
                    "manager": "kubectl-run",
                    "fieldsV1": {
                        "f:spec": {
                            "f:dnsPolicy": {},
                            "f:containers": {
                                "k:{\"name\":\"shell\"}": {
                                    ".": {},
                                    "f:name": {},
                                    "f:image": {},
                                    "f:command": {},
                                    "f:resources": {},
                                    "f:imagePullPolicy": {},
                                    "f:securityContext": {
                                        ".": {},
                                        "f:privileged": {}
                                    },
                                    "f:terminationMessagePath": {},
                                    "f:terminationMessagePolicy": {}
                                }
                            },
                            "f:restartPolicy": {},
                            "f:schedulerName": {},
                            "f:securityContext": {},
                            "f:enableServiceLinks": {},
                            "f:terminationGracePeriodSeconds": {}
                        },
                        "f:metadata": {
                            "f:labels": {
                                ".": {},
                                "f:run": {}
                            }
                        }
                    },
                    "operation": "Update",
                    "apiVersion": "v1",
                    "fieldsType": "FieldsV1"
                }
            ],
            "resourceVersion": "12992",
            "creationTimestamp": "2025-05-22T13:14:38Z"
        },
        "apiVersion": "v1"
    },
    "responseStatus": {
        "code": 201,
        "metadata": {}
    },
    "stageTimestamp": "2025-05-22T13:14:38.223786Z",
    "requestReceivedTimestamp": "2025-05-22T13:14:38.218223Z"
}
{
    "kind": "Event",
    "user": {
        "extra": {
            "authentication.kubernetes.io/credential-id": [
                "X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
            ]
        },
        "groups": [
            "system:masters",
            "system:authenticated"
        ],
        "username": "minikube-user"
    },
    "verb": "create",
    "level": "RequestResponse",
    "stage": "ResponseComplete",
    "auditID": "762eda6e-4122-4997-9a87-ada5442d43d5",
    "objectRef": {
        "name": "pod-hostnetwork",
        "resource": "pods",
        "namespace": "default",
        "apiVersion": "v1"
    },
    "sourceIPs": [
        "1.2.3.4"
    ],
    "userAgent": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
    "apiVersion": "audit.k8s.io/v1",
    "requestURI": "/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply&fieldValidation=Strict",
    "annotations": {
        "authorization.k8s.io/reason": "",
        "authorization.k8s.io/decision": "allow",
        "pod-security.kubernetes.io/enforce-policy": "privileged:latest"
    },
    "requestObject": {
        "kind": "Pod",
        "spec": {
            "dnsPolicy": "ClusterFirst",
            "containers": [
                {
                    "name": "nginx",
                    "image": "nginx",
                    "ports": [
                        {
                            "hostPort": 80,
                            "protocol": "TCP",
                            "containerPort": 80
                        }
                    ],
                    "resources": {},
                    "imagePullPolicy": "Always",
                    "terminationMessagePath": "/dev/termination-log",
                    "terminationMessagePolicy": "File"
                }
            ],
            "hostNetwork": true,
            "restartPolicy": "Always",
            "schedulerName": "default-scheduler",
            "securityContext": {},
            "enableServiceLinks": true,
            "terminationGracePeriodSeconds": 30
        },
        "status": {},
        "metadata": {
            "name": "pod-hostnetwork",
            "namespace": "default",
            "annotations": {
                "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"pod-hostnetwork\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"nginx\",\"name\":\"nginx\",\"ports\":[{\"containerPort\":80}]}],\"hostNetwork\":true}}\n"
            },
            "creationTimestamp": null
        },
        "apiVersion": "v1"
    },
    "responseObject": {
        "kind": "Pod",
        "spec": {
            "volumes": [
                {
                    "name": "kube-api-access-gt55x",
                    "projected": {
                        "sources": [
                            {
                                "serviceAccountToken": {
                                    "path": "token",
                                    "expirationSeconds": 3607
                                }
                            },
                            {
                                "configMap": {
                                    "name": "kube-root-ca.crt",
                                    "items": [
                                        {
                                            "key": "ca.crt",
                                            "path": "ca.crt"
                                        }
                                    ]
                                }
                            },
                            {
                                "downwardAPI": {
                                    "items": [
                                        {
                                            "path": "namespace",
                                            "fieldRef": {
                                                "fieldPath": "metadata.namespace",
                                                "apiVersion": "v1"
                                            }
                                        }
                                    ]
                                }
                            }
                        ],
                        "defaultMode": 420
                    }
                }
            ],
            "priority": 0,
            "dnsPolicy": "ClusterFirst",
            "containers": [
                {
                    "name": "nginx",
                    "image": "nginx",
                    "ports": [
                        {
                            "hostPort": 80,
                            "protocol": "TCP",
                            "containerPort": 80
                        }
                    ],
                    "resources": {},
                    "volumeMounts": [
                        {
                            "name": "kube-api-access-gt55x",
                            "readOnly": true,
                            "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
                        }
                    ],
                    "imagePullPolicy": "Always",
                    "terminationMessagePath": "/dev/termination-log",
                    "terminationMessagePolicy": "File"
                }
            ],
            "hostNetwork": true,
            "tolerations": [
                {
                    "key": "node.kubernetes.io/not-ready",
                    "effect": "NoExecute",
                    "operator": "Exists",
                    "tolerationSeconds": 300
                },
                {
                    "key": "node.kubernetes.io/unreachable",
                    "effect": "NoExecute",
                    "operator": "Exists",
                    "tolerationSeconds": 300
                }
            ],
            "restartPolicy": "Always",
            "schedulerName": "default-scheduler",
            "serviceAccount": "default",
            "securityContext": {},
            "preemptionPolicy": "PreemptLowerPriority",
            "enableServiceLinks": true,
            "serviceAccountName": "default",
            "terminationGracePeriodSeconds": 30
        },
        "status": {
            "phase": "Pending",
            "qosClass": "BestEffort"
        },
        "metadata": {
            "uid": "e8303c60-6322-4241-a0ce-7ad41ffb167b",
            "name": "pod-hostnetwork",
            "namespace": "default",
            "annotations": {
                "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"pod-hostnetwork\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"nginx\",\"name\":\"nginx\",\"ports\":[{\"containerPort\":80}]}],\"hostNetwork\":true}}\n"
            },
            "managedFields": [
                {
                    "time": "2025-05-22T13:06:12Z",
                    "manager": "kubectl-client-side-apply",
                    "fieldsV1": {
                        "f:spec": {
                            "f:dnsPolicy": {},
                            "f:containers": {
                                "k:{\"name\":\"nginx\"}": {
                                    ".": {},
                                    "f:name": {},
                                    "f:image": {},
                                    "f:ports": {
                                        ".": {},
                                        "k:{\"containerPort\":80,\"protocol\":\"TCP\"}": {
                                            ".": {},
                                            "f:hostPort": {},
                                            "f:protocol": {},
                                            "f:containerPort": {}
                                        }
                                    },
                                    "f:resources": {},
                                    "f:imagePullPolicy": {},
                                    "f:terminationMessagePath": {},
                                    "f:terminationMessagePolicy": {}
                                }
                            },
                            "f:hostNetwork": {},
                            "f:restartPolicy": {},
                            "f:schedulerName": {},
                            "f:securityContext": {},
                            "f:enableServiceLinks": {},
                            "f:terminationGracePeriodSeconds": {}
                        },
                        "f:metadata": {
                            "f:annotations": {
                                ".": {},
                                "f:kubectl.kubernetes.io/last-applied-configuration": {}
                            }
                        }
                    },
                    "operation": "Update",
                    "apiVersion": "v1",
                    "fieldsType": "FieldsV1"
                }
            ],
            "resourceVersion": "12581",
            "creationTimestamp": "2025-05-22T13:06:12Z"
        },
        "apiVersion": "v1"
    },
    "responseStatus": {
        "code": 201,
        "metadata": {}
    },
    "stageTimestamp": "2025-05-22T13:06:12.975266Z",
    "requestReceivedTimestamp": "2025-05-22T13:06:12.952499Z"
}
{
    "kind": "Event",
    "user": {
        "extra": {
            "authentication.kubernetes.io/credential-id": [
                "X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
            ]
        },
        "groups": [
            "system:masters",
            "system:authenticated"
        ],
        "username": "minikube-user"
    },
    "verb": "create",
    "level": "RequestResponse",
    "stage": "ResponseComplete",
    "auditID": "29480e0b-5b7a-43b0-8618-d5122aff5817",
    "objectRef": {
        "name": "pod-hostpath",
        "resource": "pods",
        "namespace": "default",
        "apiVersion": "v1"
    },
    "sourceIPs": [
        "1.2.3.4"
    ],
    "userAgent": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
    "apiVersion": "audit.k8s.io/v1",
    "requestURI": "/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply&fieldValidation=Strict",
    "annotations": {
        "authorization.k8s.io/reason": "",
        "authorization.k8s.io/decision": "allow",
        "pod-security.kubernetes.io/enforce-policy": "privileged:latest"
    },
    "requestObject": {
        "kind": "Pod",
        "spec": {
            "volumes": [
                {
                    "name": "host-volume",
                    "hostPath": {
                        "path": "/tmp/testdir",
                        "type": "DirectoryOrCreate"
                    }
                }
            ],
            "dnsPolicy": "ClusterFirst",
            "containers": [
                {
                    "name": "test-container",
                    "image": "ubuntu:24.04",
                    "command": [
                        "bash",
                        "-c",
                        "sleep infinity"
                    ],
                    "resources": {},
                    "volumeMounts": [
                        {
                            "name": "host-volume",
                            "mountPath": "/mnt/host"
                        }
                    ],
                    "imagePullPolicy": "IfNotPresent",
                    "terminationMessagePath": "/dev/termination-log",
                    "terminationMessagePolicy": "File"
                }
            ],
            "restartPolicy": "Always",
            "schedulerName": "default-scheduler",
            "securityContext": {},
            "enableServiceLinks": true,
            "terminationGracePeriodSeconds": 30
        },
        "status": {},
        "metadata": {
            "name": "pod-hostpath",
            "namespace": "default",
            "annotations": {
                "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"pod-hostpath\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"command\":[\"bash\",\"-c\",\"sleep infinity\"],\"image\":\"ubuntu:24.04\",\"name\":\"test-container\",\"volumeMounts\":[{\"mountPath\":\"/mnt/host\",\"name\":\"host-volume\"}]}],\"volumes\":[{\"hostPath\":{\"path\":\"/tmp/testdir\",\"type\":\"DirectoryOrCreate\"},\"name\":\"host-volume\"}]}}\n"
            },
            "creationTimestamp": null
        },
        "apiVersion": "v1"
    },
    "responseObject": {
        "kind": "Pod",
        "spec": {
            "volumes": [
                {
                    "name": "host-volume",
                    "hostPath": {
                        "path": "/tmp/testdir",
                        "type": "DirectoryOrCreate"
                    }
                },
                {
                    "name": "kube-api-access-5xkx2",
                    "projected": {
                        "sources": [
                            {
                                "serviceAccountToken": {
                                    "path": "token",
                                    "expirationSeconds": 3607
                                }
                            },
                            {
                                "configMap": {
                                    "name": "kube-root-ca.crt",
                                    "items": [
                                        {
                                            "key": "ca.crt",
                                            "path": "ca.crt"
                                        }
                                    ]
                                }
                            },
                            {
                                "downwardAPI": {
                                    "items": [
                                        {
                                            "path": "namespace",
                                            "fieldRef": {
                                                "fieldPath": "metadata.namespace",
                                                "apiVersion": "v1"
                                            }
                                        }
                                    ]
                                }
                            }
                        ],
                        "defaultMode": 420
                    }
                }
            ],
            "priority": 0,
            "dnsPolicy": "ClusterFirst",
            "containers": [
                {
                    "name": "test-container",
                    "image": "ubuntu:24.04",
                    "command": [
                        "bash",
                        "-c",
                        "sleep infinity"
                    ],
                    "resources": {},
                    "volumeMounts": [
                        {
                            "name": "host-volume",
                            "mountPath": "/mnt/host"
                        },
                        {
                            "name": "kube-api-access-5xkx2",
                            "readOnly": true,
                            "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
                        }
                    ],
                    "imagePullPolicy": "IfNotPresent",
                    "terminationMessagePath": "/dev/termination-log",
                    "terminationMessagePolicy": "File"
                }
            ],
            "tolerations": [
                {
                    "key": "node.kubernetes.io/not-ready",
                    "effect": "NoExecute",
                    "operator": "Exists",
                    "tolerationSeconds": 300
                },
                {
                    "key": "node.kubernetes.io/unreachable",
                    "effect": "NoExecute",
                    "operator": "Exists",
                    "tolerationSeconds": 300
                }
            ],
            "restartPolicy": "Always",
            "schedulerName": "default-scheduler",
            "serviceAccount": "default",
            "securityContext": {},
            "preemptionPolicy": "PreemptLowerPriority",
            "enableServiceLinks": true,
            "serviceAccountName": "default",
            "terminationGracePeriodSeconds": 30
        },
        "status": {
            "phase": "Pending",
            "qosClass": "BestEffort"
        },
        "metadata": {
            "uid": "31182568-10d0-4f5d-815c-40145be2c09a",
            "name": "pod-hostpath",
            "namespace": "default",
            "annotations": {
                "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"pod-hostpath\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"command\":[\"bash\",\"-c\",\"sleep infinity\"],\"image\":\"ubuntu:24.04\",\"name\":\"test-container\",\"volumeMounts\":[{\"mountPath\":\"/mnt/host\",\"name\":\"host-volume\"}]}],\"volumes\":[{\"hostPath\":{\"path\":\"/tmp/testdir\",\"type\":\"DirectoryOrCreate\"},\"name\":\"host-volume\"}]}}\n"
            },
            "managedFields": [
                {
                    "time": "2025-05-22T13:23:44Z",
                    "manager": "kubectl-client-side-apply",
                    "fieldsV1": {
                        "f:spec": {
                            "f:volumes": {
                                ".": {},
                                "k:{\"name\":\"host-volume\"}": {
                                    ".": {},
                                    "f:name": {},
                                    "f:hostPath": {
                                        ".": {},
                                        "f:path": {},
                                        "f:type": {}
                                    }
                                }
                            },
                            "f:dnsPolicy": {},
                            "f:containers": {
                                "k:{\"name\":\"test-container\"}": {
                                    ".": {},
                                    "f:name": {},
                                    "f:image": {},
                                    "f:command": {},
                                    "f:resources": {},
                                    "f:volumeMounts": {
                                        ".": {},
                                        "k:{\"mountPath\":\"/mnt/host\"}": {
                                            ".": {},
                                            "f:name": {},
                                            "f:mountPath": {}
                                        }
                                    },
                                    "f:imagePullPolicy": {},
                                    "f:terminationMessagePath": {},
                                    "f:terminationMessagePolicy": {}
                                }
                            },
                            "f:restartPolicy": {},
                            "f:schedulerName": {},
                            "f:securityContext": {},
                            "f:enableServiceLinks": {},
                            "f:terminationGracePeriodSeconds": {}
                        },
                        "f:metadata": {
                            "f:annotations": {
                                ".": {},
                                "f:kubectl.kubernetes.io/last-applied-configuration": {}
                            }
                        }
                    },
                    "operation": "Update",
                    "apiVersion": "v1",
                    "fieldsType": "FieldsV1"
                }
            ],
            "resourceVersion": "13438",
            "creationTimestamp": "2025-05-22T13:23:44Z"
        },
        "apiVersion": "v1"
    },
    "responseStatus": {
        "code": 201,
        "metadata": {}
    },
    "stageTimestamp": "2025-05-22T13:23:44.890020Z",
    "requestReceivedTimestamp": "2025-05-22T13:23:44.884869Z"
}
{
    "level": "RequestResponse",
    "auditID": "91afc40c-f1ef-4956-b85a-7e12d09511e9",
    "stage": "ResponseComplete",
    "requestURI": "/api/v1/namespaces/test/pods/test-1669140000-zp58r/exec?command=sh&container=test&stdin=true&stdout=true&tty=true",
    "verb": "create",
    "user": {
        "username": "user@mail.com",
        "groups": [
            "system:authenticated"
        ]
    },
    "sourceIPs": [
        "192.168.0.1"
    ],
    "userAgent": "kubectl/v1.24.2 (linux/amd64) kubernetes/f66044f",
    "objectRef": {
        "resource": "pods",
        "namespace": "test",
        "name": "test-1669140000-zp58r",
        "apiVersion": "v1",
        "subresource": "exec"
    },
    "responseStatus": {
        "metadata": {},
        "code": 101
    },
    "requestReceivedTimestamp": "2022-11-23T14:36:45.243457Z",
    "stageTimestamp": "2022-11-23T14:36:53.531481Z",
    "annotations": {
        "authorization.k8s.io/decision": "allow",
        "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding test-role-binding of ClusterRole test-admin to Group system:authenticated"
    }
}
{
    "kind": "Event",
    "apiVersion": "audit.k8s.io/v1",
    "level": "Request",
    "auditID": "bdeb089c-5d70-4776-b6af-88e739fb0dd5",
    "stage": "ResponseComplete",
    "requestURI": "/api/v1/namespaces/support/pods?limit=500",
    "verb": "list",
    "user": {
        "username": "system:serviceaccount:pinniped-concierge:pinniped-concierge-impersonation-proxy",
        "uid": "6258bd11-9713-442b-bbed-2587a76975d9",
        "groups": [
            "system:serviceaccounts",
            "system:serviceaccounts:pinniped-concierge",
            "system:authenticated"
        ],
        "extra": {
            "authentication.kubernetes.io/credential-id": [
                "JTI=581d10f3-b521-480f-aa42-bcd6a70df8ea"
            ]
        }
    },
    "impersonatedUser": {
        "username": "john.doe@example.org",
        "groups": [
            "admin",
            "system:authenticated"
        ]
    },
    "sourceIPs": [
        "1.1.1.1",
        "2.2.2.2"
    ],
    "userAgent": "kubectl/v1.29.2 (linux/amd64) kubernetes/4b8e819",
    "objectRef": {
        "resource": "pods",
        "namespace": "support",
        "apiVersion": "v1"
    },
    "responseStatus": {
        "metadata": {},
        "code": 200
    },
    "requestReceivedTimestamp": "2025-01-23T14:56:02.374424Z",
    "stageTimestamp": "2025-01-23T14:56:02.400865Z",
    "annotations": {
        "authorization.k8s.io/decision": "allow",
        "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"pinniped-admin-role-binding\" of ClusterRole \"cluster-admin\" to Group \"admin\""
    }
}
{
    "level": "RequestResponse",
    "auditID": "bbd6d83f-4b6d-4a3d-b3cd-840a0691c19f",
    "stage": "ResponseComplete",
    "requestURI": "/apis/apps/v1/namespaces/test/deployments/test/scale",
    "verb": "patch",
    "user": {
        "username": "user@mail.com",
        "groups": [
            "system:authenticated"
        ]
    },
    "sourceIPs": [
        "192.168.0.1"
    ],
    "userAgent": "kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19",
    "objectRef": {
        "resource": "deployments",
        "namespace": "test",
        "apiGroup": "apps",
        "apiVersion": "v1",
        "subresource": "scale"
    },
    "responseStatus": {
        "metadata": {},
        "code": 200
    },
    "requestObject": {
        "spec": {
            "replicas": 3
        }
    },
    "responseObject": {
        "kind": "Scale",
        "apiVersion": "autoscaling/v1",
        "metadata": {
            "name": "test",
            "namespace": "test",
            "selfLink": "/apis/apps/v1/namespaces/test/deployments/test/scale",
            "uid": "7e649fbd-ca1b-4e30-b763-1b52527c774b",
            "resourceVersion": "1368503426",
            "creationTimestamp": "2020-01-24T17:04:30Z"
        },
        "spec": {
            "replicas": 3
        },
        "status": {
            "replicas": 2,
            "selector": "test=test"
        }
    },
    "requestReceivedTimestamp": "2022-11-23T13:10:04.499444Z",
    "stageTimestamp": "2022-11-23T13:10:04.514995Z",
    "annotations": {
        "authorization.k8s.io/decision": "allow",
        "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"test-role-binding\" of ClusterRole \"test-admin\" to Group \"system:authenticated\""
    }
}

Event Categories

The following table lists the data source offered by this integration.

Data Source        Description
Application logs   Audit logs of Kubernetes clusters

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs are transformed by our parsers. It shows the extracted fields that are available to the built-in detection rules and for hunting in the events page. Understanding these transformations helps analysts write effective custom detection rules and make full use of the collected data.
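
To show what a detection built on these extracted fields looks like, here is an added example (not part of the SEKOIA.IO documentation or parser) that flattens a few constructed audit events shaped like the samples above and runs rules for pod exec, privileged/hostNetwork/hostPath pods, a ClusterRoleBinding to cluster-admin, impersonation and system:masters membership. The flat field names, the rule names and the sample events are this example's own assumptions, chosen to echo the transformed samples rather than to reproduce them.

```python
"""Flatten Kubernetes API-server audit events (JSON lines) and run detection rules.

Added example for this page, not SEKOIA.IO parser code: the flat field names echo
the transformed samples; the rule names and sample events are constructed here."""
import json

# Constructed audit events, shaped like the audit.k8s.io/v1 samples on this page.
RAW_EVENTS = [
    json.dumps({  # kubectl exec into a pod (101 = protocol upgrade to the stream)
        "verb": "create",
        "user": {"username": "user@mail.com", "groups": ["system:authenticated"]},
        "objectRef": {"resource": "pods", "namespace": "test", "name": "web-1",
                      "apiVersion": "v1", "subresource": "exec"},
        "responseStatus": {"code": 101},
        "annotations": {"authorization.k8s.io/decision": "allow"}}),
    json.dumps({  # privileged, hostNetwork, hostPath pod created by a system:masters member
        "verb": "create",
        "user": {"username": "minikube-user",
                 "groups": ["system:masters", "system:authenticated"]},
        "objectRef": {"resource": "pods", "namespace": "default", "name": "priv-shell",
                      "apiVersion": "v1"},
        "requestObject": {"kind": "Pod", "spec": {
            "hostNetwork": True,
            "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
            "containers": [{"name": "shell", "image": "ubuntu:24.04",
                            "securityContext": {"privileged": True}}]}},
        "responseStatus": {"code": 201},
        # system:masters bypasses RBAC, which is why the reason string is empty
        "annotations": {"authorization.k8s.io/decision": "allow",
                        "authorization.k8s.io/reason": ""}}),
    json.dumps({  # ClusterRoleBinding handing cluster-admin to a service account
        "verb": "create",
        "user": {"username": "minikube-user",
                 "groups": ["system:masters", "system:authenticated"]},
        "objectRef": {"resource": "clusterrolebindings", "name": "example-admin-binding",
                      "apiGroup": "rbac.authorization.k8s.io", "apiVersion": "v1"},
        "requestObject": {"kind": "ClusterRoleBinding",
                          "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                          "subjects": [{"kind": "ServiceAccount", "name": "example",
                                        "namespace": "default"}]},
        "responseStatus": {"code": 201},
        "annotations": {"authorization.k8s.io/decision": "allow"}}),
    json.dumps({  # ordinary list issued through an impersonating proxy
        "verb": "list",
        "user": {"username": "system:serviceaccount:pinniped-concierge:proxy",
                 "groups": ["system:serviceaccounts", "system:authenticated"]},
        "impersonatedUser": {"username": "john.doe@example.org", "groups": ["admin"]},
        "objectRef": {"resource": "pods", "namespace": "support", "apiVersion": "v1"},
        "responseStatus": {"code": 200},
        "annotations": {"authorization.k8s.io/decision": "allow"}}),
]

def parse_event(raw):
    """Flatten one audit Event (one JSON line) into the fields the rules look at.

    requestObject only exists at the Request/RequestResponse levels, so the
    pod-spec fields stay empty for events logged at Metadata level."""
    ev = json.loads(raw)
    ref = ev.get("objectRef", {})
    obj = ev.get("requestObject") or {}
    spec = obj.get("spec", {}) if obj.get("kind") == "Pod" else {}
    return {
        "action": ev.get("verb"),
        "outcome": ev.get("annotations", {}).get("authorization.k8s.io/decision"),
        "user": ev.get("user", {}).get("username"),
        "roles": sorted(ev.get("user", {}).get("groups", [])),
        "impersonated": ev.get("impersonatedUser", {}).get("username"),
        "resource": ref.get("resource"),
        "subresource": ref.get("subresource"),
        "namespace": ref.get("namespace"),
        "object": ref.get("name"),
        "role_ref": obj.get("roleRef", {}).get("name"),
        "privileged": any(c.get("securityContext", {}).get("privileged")
                          for c in spec.get("containers", [])),
        "host_network": bool(spec.get("hostNetwork")),
        "host_paths": [v["hostPath"]["path"] for v in spec.get("volumes", [])
                       if "hostPath" in v],
    }

# Rule name -> predicate over the flattened fields (names are this example's own).
RULES = {
    "pod-exec": lambda f: f["resource"] == "pods" and f["subresource"] == "exec",
    "privileged-container": lambda f: f["privileged"],
    "host-network-pod": lambda f: f["host_network"],
    "hostpath-volume": lambda f: bool(f["host_paths"]),
    "cluster-admin-binding": lambda f: f["resource"] == "clusterrolebindings"
                                       and f["role_ref"] == "cluster-admin",
    "impersonation": lambda f: f["impersonated"] is not None,
    "system-masters": lambda f: "system:masters" in f["roles"],
}

def detect(fields):
    """Names of the rules an allowed request matches; denied requests are skipped here."""
    if fields["outcome"] != "allow":
        return []
    return [name for name, cond in RULES.items() if cond(fields)]

def scan(raw_lines):
    """(user, object, matched rules) for each JSON line of an audit log."""
    results = []
    for raw in raw_lines:
        f = parse_event(raw)
        results.append((f["user"], f["object"], detect(f)))
    return results

if __name__ == "__main__":
    for user, obj, hits in scan(RAW_EVENTS):
        print(f"{user:<48} {obj!s:<24} {hits}")
```

The pod-spec rules depend on requestObject, which the API server only records at the Request or RequestResponse level: with the Metadata-only policy from the configuration section, privileged containers and hostPath mounts are invisible to them and only the verb, resource and user survive. If these detections matter, give pods and RBAC objects a RequestResponse rule in the audit policy, and keep in mind that a system:masters member is authorized without RBAC, so the reason annotation carries nothing to pivot on.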

{
    "message": "{\"kind\": \"Event\", \"user\": {\"extra\": {\"authentication.kubernetes.io/credential-id\": [\"X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\"]}, \"groups\": [\"system:masters\", \"system:authenticated\"], \"username\": \"minikube-user\"}, \"verb\": \"create\", \"level\": \"RequestResponse\", \"stage\": \"ResponseComplete\", \"auditID\": \"cc1dcb56-f0e4-4720-bad1-433ce652add7\", \"objectRef\": {\"name\": \"example-admin-binding\", \"apiGroup\": \"rbac.authorization.k8s.io\", \"resource\": \"clusterrolebindings\", \"apiVersion\": \"v1\"}, \"sourceIPs\": [\"1.2.3.4\"], \"userAgent\": \"kubectl/v1.32.5 (linux/amd64) kubernetes/9894294\", \"apiVersion\": \"audit.k8s.io/v1\", \"requestURI\": \"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings?fieldManager=kubectl-create&fieldValidation=Strict\", \"annotations\": {\"authorization.k8s.io/reason\": \"\", \"authorization.k8s.io/decision\": \"allow\"}, \"requestObject\": {\"kind\": \"ClusterRoleBinding\", \"roleRef\": {\"kind\": \"ClusterRole\", \"name\": \"cluster-admin\", \"apiGroup\": \"rbac.authorization.k8s.io\"}, \"metadata\": {\"name\": \"example-admin-binding\", \"creationTimestamp\": null}, \"subjects\": [{\"kind\": \"ServiceAccount\", \"name\": \"example\", \"namespace\": \"default\"}], \"apiVersion\": \"rbac.authorization.k8s.io/v1\"}, \"responseObject\": {\"kind\": \"ClusterRoleBinding\", \"roleRef\": {\"kind\": \"ClusterRole\", \"name\": \"cluster-admin\", \"apiGroup\": \"rbac.authorization.k8s.io\"}, \"metadata\": {\"uid\": \"63d6ae6a-e969-495c-b7ab-b730b203501c\", \"name\": \"example-admin-binding\", \"managedFields\": [{\"time\": \"2025-05-22T12:23:08Z\", \"manager\": \"kubectl-create\", \"fieldsV1\": {\"f:roleRef\": {}, \"f:subjects\": {}}, \"operation\": \"Update\", \"apiVersion\": \"rbac.authorization.k8s.io/v1\", \"fieldsType\": \"FieldsV1\"}], \"resourceVersion\": \"10616\", \"creationTimestamp\": \"2025-05-22T12:23:08Z\"}, \"subjects\": [{\"kind\": 
\"ServiceAccount\", \"name\": \"example\", \"namespace\": \"default\"}], \"apiVersion\": \"rbac.authorization.k8s.io/v1\"}, \"responseStatus\": {\"code\": 201, \"metadata\": {}}, \"stageTimestamp\": \"2025-05-22T12:23:08.704223Z\", \"requestReceivedTimestamp\": \"2025-05-22T12:23:08.702110Z\"}",
    "event": {
        "action": "create",
        "code": "cc1dcb56-f0e4-4720-bad1-433ce652add7",
        "outcome": "allow",
        "start": "2025-05-22T12:23:08.702110Z"
    },
    "action": {
        "outcome": "allow"
    },
    "http": {
        "response": {
            "status_code": 201
        }
    },
    "kubernetes": {
        "api": {
            "group": "rbac.authorization.k8s.io"
        },
        "object": {
            "name": "example-admin-binding"
        },
        "resource": "clusterrolebindings",
        "role": {
            "name": "cluster-admin"
        }
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "minikube-user"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "url": {
        "path": "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings?fieldManager=kubectl-create&fieldValidation=Strict"
    },
    "user": {
        "name": "minikube-user",
        "roles": [
            "system:authenticated",
            "system:masters"
        ]
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
        "os": {
            "name": "Linux"
        }
    }
}
{
    "message": "{\"kind\": \"Event\", \"user\": {\"extra\": {\"authentication.kubernetes.io/credential-id\": [\"X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\"]}, \"groups\": [\"system:masters\", \"system:authenticated\"], \"username\": \"minikube-user\"}, \"verb\": \"create\", \"level\": \"RequestResponse\", \"stage\": \"ResponseComplete\", \"auditID\": \"2028e1f9-4561-4668-9df4-bc0dcd3ae11b\", \"objectRef\": {\"name\": \"example-admin-binding\", \"apiGroup\": \"rbac.authorization.k8s.io\", \"resource\": \"clusterrolebindings\", \"apiVersion\": \"v1\"}, \"sourceIPs\": [\"1.2.3.4\"], \"userAgent\": \"kubectl/v1.32.5 (linux/amd64) kubernetes/9894294\", \"apiVersion\": \"audit.k8s.io/v1\", \"requestURI\": \"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings?fieldManager=kubectl-create&fieldValidation=Strict\", \"annotations\": {\"authorization.k8s.io/reason\": \"\", \"authorization.k8s.io/decision\": \"allow\"}, \"requestObject\": {\"kind\": \"ClusterRoleBinding\", \"roleRef\": {\"kind\": \"ClusterRole\", \"name\": \"cluster-admin\", \"apiGroup\": \"rbac.authorization.k8s.io\"}, \"metadata\": {\"name\": \"example-admin-binding\", \"creationTimestamp\": null}, \"subjects\": [{\"kind\": \"ServiceAccount\", \"name\": \"example\", \"namespace\": \"default\"}], \"apiVersion\": \"rbac.authorization.k8s.io/v1\"}, \"responseObject\": {\"kind\": \"ClusterRoleBinding\", \"roleRef\": {\"kind\": \"ClusterRole\", \"name\": \"cluster-admin\", \"apiGroup\": \"rbac.authorization.k8s.io\"}, \"metadata\": {\"uid\": \"804440c7-256c-4187-84f3-1e644906db18\", \"name\": \"example-admin-binding\", \"managedFields\": [{\"time\": \"2025-05-22T12:23:08Z\", \"manager\": \"kubectl-create\", \"fieldsV1\": {\"f:roleRef\": {}, \"f:subjects\": {}}, \"operation\": \"Update\", \"apiVersion\": \"rbac.authorization.k8s.io/v1\", \"fieldsType\": \"FieldsV1\"}], \"resourceVersion\": \"10616\", \"creationTimestamp\": \"2025-05-22T12:23:08Z\"}, \"subjects\": [{\"kind\": 
\"ServiceAccount\", \"name\": \"example\", \"namespace\": \"default\"}], \"apiVersion\": \"rbac.authorization.k8s.io/v1\"}, \"responseStatus\": {\"code\": 201, \"metadata\": {}}, \"stageTimestamp\": \"2025-05-22T12:23:08.704223Z\", \"requestReceivedTimestamp\": \"2025-05-22T12:23:08.702110Z\"}",
    "event": {
        "action": "create",
        "code": "2028e1f9-4561-4668-9df4-bc0dcd3ae11b",
        "outcome": "allow",
        "start": "2025-05-22T12:23:08.702110Z"
    },
    "action": {
        "outcome": "allow"
    },
    "http": {
        "response": {
            "status_code": 201
        }
    },
    "kubernetes": {
        "api": {
            "group": "rbac.authorization.k8s.io"
        },
        "object": {
            "name": "example-admin-binding"
        },
        "resource": "clusterrolebindings",
        "role": {
            "name": "cluster-admin"
        }
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "minikube-user"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "url": {
        "path": "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings?fieldManager=kubectl-create&fieldValidation=Strict"
    },
    "user": {
        "name": "minikube-user",
        "roles": [
            "system:authenticated",
            "system:masters"
        ]
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
        "os": {
            "name": "Linux"
        }
    }
}
{
    "message": "{\"kind\": \"Event\", \"user\": {\"extra\": {\"authentication.kubernetes.io/credential-id\": [\"X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\"]}, \"groups\": [\"system:masters\", \"system:authenticated\"], \"username\": \"minikube-user\"}, \"verb\": \"create\", \"level\": \"RequestResponse\", \"stage\": \"ResponseComplete\", \"auditID\": \"8cb523a6-0be6-4198-8886-ed4fa57bd375\", \"objectRef\": {\"name\": \"priv-shell\", \"resource\": \"pods\", \"namespace\": \"default\", \"apiVersion\": \"v1\"}, \"sourceIPs\": [\"1.2.3.4\"], \"userAgent\": \"kubectl/v1.32.5 (linux/amd64) kubernetes/9894294\", \"apiVersion\": \"audit.k8s.io/v1\", \"requestURI\": \"/api/v1/namespaces/default/pods?fieldManager=kubectl-run\", \"annotations\": {\"authorization.k8s.io/reason\": \"\", \"authorization.k8s.io/decision\": \"allow\", \"pod-security.kubernetes.io/enforce-policy\": \"privileged:latest\"}, \"requestObject\": {\"kind\": \"Pod\", \"spec\": {\"dnsPolicy\": \"ClusterFirst\", \"containers\": [{\"name\": \"shell\", \"image\": \"ubuntu:24.04\", \"command\": [\"bash\", \"-c\", \"sleep infinity\"], \"resources\": {}, \"imagePullPolicy\": \"IfNotPresent\", \"securityContext\": {\"privileged\": true}, \"terminationMessagePath\": \"/dev/termination-log\", \"terminationMessagePolicy\": \"File\"}], \"restartPolicy\": \"Never\", \"schedulerName\": \"default-scheduler\", \"securityContext\": {}, \"enableServiceLinks\": true, \"terminationGracePeriodSeconds\": 30}, \"status\": {}, \"metadata\": {\"name\": \"priv-shell\", \"labels\": {\"run\": \"priv-shell\"}, \"creationTimestamp\": null}, \"apiVersion\": \"v1\"}, \"responseObject\": {\"kind\": \"Pod\", \"spec\": {\"volumes\": [{\"name\": \"kube-api-access-cmszt\", \"projected\": {\"sources\": [{\"serviceAccountToken\": {\"path\": \"token\", \"expirationSeconds\": 3607}}, {\"configMap\": {\"name\": \"kube-root-ca.crt\", \"items\": [{\"key\": \"ca.crt\", \"path\": \"ca.crt\"}]}}, {\"downwardAPI\": 
{\"items\": [{\"path\": \"namespace\", \"fieldRef\": {\"fieldPath\": \"metadata.namespace\", \"apiVersion\": \"v1\"}}]}}], \"defaultMode\": 420}}], \"priority\": 0, \"dnsPolicy\": \"ClusterFirst\", \"containers\": [{\"name\": \"shell\", \"image\": \"ubuntu:24.04\", \"command\": [\"bash\", \"-c\", \"sleep infinity\"], \"resources\": {}, \"volumeMounts\": [{\"name\": \"kube-api-access-cmszt\", \"readOnly\": true, \"mountPath\": \"/var/run/secrets/kubernetes.io/serviceaccount\"}], \"imagePullPolicy\": \"IfNotPresent\", \"securityContext\": {\"privileged\": true}, \"terminationMessagePath\": \"/dev/termination-log\", \"terminationMessagePolicy\": \"File\"}], \"tolerations\": [{\"key\": \"node.kubernetes.io/not-ready\", \"effect\": \"NoExecute\", \"operator\": \"Exists\", \"tolerationSeconds\": 300}, {\"key\": \"node.kubernetes.io/unreachable\", \"effect\": \"NoExecute\", \"operator\": \"Exists\", \"tolerationSeconds\": 300}], \"restartPolicy\": \"Never\", \"schedulerName\": \"default-scheduler\", \"serviceAccount\": \"default\", \"securityContext\": {}, \"preemptionPolicy\": \"PreemptLowerPriority\", \"enableServiceLinks\": true, \"serviceAccountName\": \"default\", \"terminationGracePeriodSeconds\": 30}, \"status\": {\"phase\": \"Pending\", \"qosClass\": \"BestEffort\"}, \"metadata\": {\"uid\": \"b213474e-679f-43e4-8e26-6bfde524ba34\", \"name\": \"priv-shell\", \"labels\": {\"run\": \"priv-shell\"}, \"namespace\": \"default\", \"managedFields\": [{\"time\": \"2025-05-22T13:14:38Z\", \"manager\": \"kubectl-run\", \"fieldsV1\": {\"f:spec\": {\"f:dnsPolicy\": {}, \"f:containers\": {\"k:{\\\"name\\\":\\\"shell\\\"}\": {\".\": {}, \"f:name\": {}, \"f:image\": {}, \"f:command\": {}, \"f:resources\": {}, \"f:imagePullPolicy\": {}, \"f:securityContext\": {\".\": {}, \"f:privileged\": {}}, \"f:terminationMessagePath\": {}, \"f:terminationMessagePolicy\": {}}}, \"f:restartPolicy\": {}, \"f:schedulerName\": {}, \"f:securityContext\": {}, \"f:enableServiceLinks\": {}, 
\"f:terminationGracePeriodSeconds\": {}}, \"f:metadata\": {\"f:labels\": {\".\": {}, \"f:run\": {}}}}, \"operation\": \"Update\", \"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\"}], \"resourceVersion\": \"12992\", \"creationTimestamp\": \"2025-05-22T13:14:38Z\"}, \"apiVersion\": \"v1\"}, \"responseStatus\": {\"code\": 201, \"metadata\": {}}, \"stageTimestamp\": \"2025-05-22T13:14:38.223786Z\", \"requestReceivedTimestamp\": \"2025-05-22T13:14:38.218223Z\"}",
    "event": {
        "action": "create",
        "code": "8cb523a6-0be6-4198-8886-ed4fa57bd375",
        "outcome": "allow",
        "start": "2025-05-22T13:14:38.218223Z"
    },
    "action": {
        "outcome": "allow"
    },
    "http": {
        "response": {
            "status_code": 201
        }
    },
    "kubernetes": {
        "namespace": "default",
        "object": {
            "name": "priv-shell"
        },
        "resource": "pods",
        "spec": {
            "containers": [
                {
                    "command": [
                        "bash",
                        "-c",
                        "sleep infinity"
                    ],
                    "image": "ubuntu:24.04",
                    "imagePullPolicy": "IfNotPresent",
                    "name": "shell",
                    "securityContext": {
                        "privileged": true
                    },
                    "terminationMessagePath": "/dev/termination-log",
                    "terminationMessagePolicy": "File"
                }
            ]
        }
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "minikube-user"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "url": {
        "path": "/api/v1/namespaces/default/pods?fieldManager=kubectl-run"
    },
    "user": {
        "name": "minikube-user",
        "roles": [
            "system:authenticated",
            "system:masters"
        ]
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
        "os": {
            "name": "Linux"
        }
    }
}
{
    "message": "{\"kind\": \"Event\", \"user\": {\"extra\": {\"authentication.kubernetes.io/credential-id\": [\"X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\"]}, \"groups\": [\"system:masters\", \"system:authenticated\"], \"username\": \"minikube-user\"}, \"verb\": \"create\", \"level\": \"RequestResponse\", \"stage\": \"ResponseComplete\", \"auditID\": \"762eda6e-4122-4997-9a87-ada5442d43d5\", \"objectRef\": {\"name\": \"pod-hostnetwork\", \"resource\": \"pods\", \"namespace\": \"default\", \"apiVersion\": \"v1\"}, \"sourceIPs\": [\"1.2.3.4\"], \"userAgent\": \"kubectl/v1.32.5 (linux/amd64) kubernetes/9894294\", \"apiVersion\": \"audit.k8s.io/v1\", \"requestURI\": \"/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply&fieldValidation=Strict\", \"annotations\": {\"authorization.k8s.io/reason\": \"\", \"authorization.k8s.io/decision\": \"allow\", \"pod-security.kubernetes.io/enforce-policy\": \"privileged:latest\"}, \"requestObject\": {\"kind\": \"Pod\", \"spec\": {\"dnsPolicy\": \"ClusterFirst\", \"containers\": [{\"name\": \"nginx\", \"image\": \"nginx\", \"ports\": [{\"hostPort\": 80, \"protocol\": \"TCP\", \"containerPort\": 80}], \"resources\": {}, \"imagePullPolicy\": \"Always\", \"terminationMessagePath\": \"/dev/termination-log\", \"terminationMessagePolicy\": \"File\"}], \"hostNetwork\": true, \"restartPolicy\": \"Always\", \"schedulerName\": \"default-scheduler\", \"securityContext\": {}, \"enableServiceLinks\": true, \"terminationGracePeriodSeconds\": 30}, \"status\": {}, \"metadata\": {\"name\": \"pod-hostnetwork\", \"namespace\": \"default\", \"annotations\": {\"kubectl.kubernetes.io/last-applied-configuration\": 
\"{\\\"apiVersion\\\":\\\"v1\\\",\\\"kind\\\":\\\"Pod\\\",\\\"metadata\\\":{\\\"annotations\\\":{},\\\"name\\\":\\\"pod-hostnetwork\\\",\\\"namespace\\\":\\\"default\\\"},\\\"spec\\\":{\\\"containers\\\":[{\\\"image\\\":\\\"nginx\\\",\\\"name\\\":\\\"nginx\\\",\\\"ports\\\":[{\\\"containerPort\\\":80}]}],\\\"hostNetwork\\\":true}}\\n\"}, \"creationTimestamp\": null}, \"apiVersion\": \"v1\"}, \"responseObject\": {\"kind\": \"Pod\", \"spec\": {\"volumes\": [{\"name\": \"kube-api-access-gt55x\", \"projected\": {\"sources\": [{\"serviceAccountToken\": {\"path\": \"token\", \"expirationSeconds\": 3607}}, {\"configMap\": {\"name\": \"kube-root-ca.crt\", \"items\": [{\"key\": \"ca.crt\", \"path\": \"ca.crt\"}]}}, {\"downwardAPI\": {\"items\": [{\"path\": \"namespace\", \"fieldRef\": {\"fieldPath\": \"metadata.namespace\", \"apiVersion\": \"v1\"}}]}}], \"defaultMode\": 420}}], \"priority\": 0, \"dnsPolicy\": \"ClusterFirst\", \"containers\": [{\"name\": \"nginx\", \"image\": \"nginx\", \"ports\": [{\"hostPort\": 80, \"protocol\": \"TCP\", \"containerPort\": 80}], \"resources\": {}, \"volumeMounts\": [{\"name\": \"kube-api-access-gt55x\", \"readOnly\": true, \"mountPath\": \"/var/run/secrets/kubernetes.io/serviceaccount\"}], \"imagePullPolicy\": \"Always\", \"terminationMessagePath\": \"/dev/termination-log\", \"terminationMessagePolicy\": \"File\"}], \"hostNetwork\": true, \"tolerations\": [{\"key\": \"node.kubernetes.io/not-ready\", \"effect\": \"NoExecute\", \"operator\": \"Exists\", \"tolerationSeconds\": 300}, {\"key\": \"node.kubernetes.io/unreachable\", \"effect\": \"NoExecute\", \"operator\": \"Exists\", \"tolerationSeconds\": 300}], \"restartPolicy\": \"Always\", \"schedulerName\": \"default-scheduler\", \"serviceAccount\": \"default\", \"securityContext\": {}, \"preemptionPolicy\": \"PreemptLowerPriority\", \"enableServiceLinks\": true, \"serviceAccountName\": \"default\", \"terminationGracePeriodSeconds\": 30}, \"status\": {\"phase\": \"Pending\", \"qosClass\": 
\"BestEffort\"}, \"metadata\": {\"uid\": \"e8303c60-6322-4241-a0ce-7ad41ffb167b\", \"name\": \"pod-hostnetwork\", \"namespace\": \"default\", \"annotations\": {\"kubectl.kubernetes.io/last-applied-configuration\": \"{\\\"apiVersion\\\":\\\"v1\\\",\\\"kind\\\":\\\"Pod\\\",\\\"metadata\\\":{\\\"annotations\\\":{},\\\"name\\\":\\\"pod-hostnetwork\\\",\\\"namespace\\\":\\\"default\\\"},\\\"spec\\\":{\\\"containers\\\":[{\\\"image\\\":\\\"nginx\\\",\\\"name\\\":\\\"nginx\\\",\\\"ports\\\":[{\\\"containerPort\\\":80}]}],\\\"hostNetwork\\\":true}}\\n\"}, \"managedFields\": [{\"time\": \"2025-05-22T13:06:12Z\", \"manager\": \"kubectl-client-side-apply\", \"fieldsV1\": {\"f:spec\": {\"f:dnsPolicy\": {}, \"f:containers\": {\"k:{\\\"name\\\":\\\"nginx\\\"}\": {\".\": {}, \"f:name\": {}, \"f:image\": {}, \"f:ports\": {\".\": {}, \"k:{\\\"containerPort\\\":80,\\\"protocol\\\":\\\"TCP\\\"}\": {\".\": {}, \"f:hostPort\": {}, \"f:protocol\": {}, \"f:containerPort\": {}}}, \"f:resources\": {}, \"f:imagePullPolicy\": {}, \"f:terminationMessagePath\": {}, \"f:terminationMessagePolicy\": {}}}, \"f:hostNetwork\": {}, \"f:restartPolicy\": {}, \"f:schedulerName\": {}, \"f:securityContext\": {}, \"f:enableServiceLinks\": {}, \"f:terminationGracePeriodSeconds\": {}}, \"f:metadata\": {\"f:annotations\": {\".\": {}, \"f:kubectl.kubernetes.io/last-applied-configuration\": {}}}}, \"operation\": \"Update\", \"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\"}], \"resourceVersion\": \"12581\", \"creationTimestamp\": \"2025-05-22T13:06:12Z\"}, \"apiVersion\": \"v1\"}, \"responseStatus\": {\"code\": 201, \"metadata\": {}}, \"stageTimestamp\": \"2025-05-22T13:06:12.975266Z\", \"requestReceivedTimestamp\": \"2025-05-22T13:06:12.952499Z\"}",
    "event": {
        "action": "create",
        "code": "762eda6e-4122-4997-9a87-ada5442d43d5",
        "outcome": "allow",
        "start": "2025-05-22T13:06:12.952499Z"
    },
    "action": {
        "outcome": "allow"
    },
    "http": {
        "response": {
            "status_code": 201
        }
    },
    "kubernetes": {
        "namespace": "default",
        "object": {
            "name": "pod-hostnetwork"
        },
        "resource": "pods",
        "spec": {
            "containers": [
                {
                    "image": "nginx",
                    "imagePullPolicy": "Always",
                    "name": "nginx",
                    "ports": [
                        {
                            "containerPort": 80,
                            "hostPort": 80,
                            "protocol": "TCP"
                        }
                    ],
                    "terminationMessagePath": "/dev/termination-log",
                    "terminationMessagePolicy": "File"
                }
            ],
            "host_network": true
        }
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "minikube-user"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "url": {
        "path": "/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
    },
    "user": {
        "name": "minikube-user",
        "roles": [
            "system:authenticated",
            "system:masters"
        ]
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
        "os": {
            "name": "Linux"
        }
    }
}
{
    "message": "{\"kind\": \"Event\", \"user\": {\"extra\": {\"authentication.kubernetes.io/credential-id\": [\"X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\"]}, \"groups\": [\"system:masters\", \"system:authenticated\"], \"username\": \"minikube-user\"}, \"verb\": \"create\", \"level\": \"RequestResponse\", \"stage\": \"ResponseComplete\", \"auditID\": \"29480e0b-5b7a-43b0-8618-d5122aff5817\", \"objectRef\": {\"name\": \"pod-hostpath\", \"resource\": \"pods\", \"namespace\": \"default\", \"apiVersion\": \"v1\"}, \"sourceIPs\": [\"1.2.3.4\"], \"userAgent\": \"kubectl/v1.32.5 (linux/amd64) kubernetes/9894294\", \"apiVersion\": \"audit.k8s.io/v1\", \"requestURI\": \"/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply&fieldValidation=Strict\", \"annotations\": {\"authorization.k8s.io/reason\": \"\", \"authorization.k8s.io/decision\": \"allow\", \"pod-security.kubernetes.io/enforce-policy\": \"privileged:latest\"}, \"requestObject\": {\"kind\": \"Pod\", \"spec\": {\"volumes\": [{\"name\": \"host-volume\", \"hostPath\": {\"path\": \"/tmp/testdir\", \"type\": \"DirectoryOrCreate\"}}], \"dnsPolicy\": \"ClusterFirst\", \"containers\": [{\"name\": \"test-container\", \"image\": \"ubuntu:24.04\", \"command\": [\"bash\", \"-c\", \"sleep infinity\"], \"resources\": {}, \"volumeMounts\": [{\"name\": \"host-volume\", \"mountPath\": \"/mnt/host\"}], \"imagePullPolicy\": \"IfNotPresent\", \"terminationMessagePath\": \"/dev/termination-log\", \"terminationMessagePolicy\": \"File\"}], \"restartPolicy\": \"Always\", \"schedulerName\": \"default-scheduler\", \"securityContext\": {}, \"enableServiceLinks\": true, \"terminationGracePeriodSeconds\": 30}, \"status\": {}, \"metadata\": {\"name\": \"pod-hostpath\", \"namespace\": \"default\", \"annotations\": {\"kubectl.kubernetes.io/last-applied-configuration\": 
\"{\\\"apiVersion\\\":\\\"v1\\\",\\\"kind\\\":\\\"Pod\\\",\\\"metadata\\\":{\\\"annotations\\\":{},\\\"name\\\":\\\"pod-hostpath\\\",\\\"namespace\\\":\\\"default\\\"},\\\"spec\\\":{\\\"containers\\\":[{\\\"command\\\":[\\\"bash\\\",\\\"-c\\\",\\\"sleep infinity\\\"],\\\"image\\\":\\\"ubuntu:24.04\\\",\\\"name\\\":\\\"test-container\\\",\\\"volumeMounts\\\":[{\\\"mountPath\\\":\\\"/mnt/host\\\",\\\"name\\\":\\\"host-volume\\\"}]}],\\\"volumes\\\":[{\\\"hostPath\\\":{\\\"path\\\":\\\"/tmp/testdir\\\",\\\"type\\\":\\\"DirectoryOrCreate\\\"},\\\"name\\\":\\\"host-volume\\\"}]}}\\n\"}, \"creationTimestamp\": null}, \"apiVersion\": \"v1\"}, \"responseObject\": {\"kind\": \"Pod\", \"spec\": {\"volumes\": [{\"name\": \"host-volume\", \"hostPath\": {\"path\": \"/tmp/testdir\", \"type\": \"DirectoryOrCreate\"}}, {\"name\": \"kube-api-access-5xkx2\", \"projected\": {\"sources\": [{\"serviceAccountToken\": {\"path\": \"token\", \"expirationSeconds\": 3607}}, {\"configMap\": {\"name\": \"kube-root-ca.crt\", \"items\": [{\"key\": \"ca.crt\", \"path\": \"ca.crt\"}]}}, {\"downwardAPI\": {\"items\": [{\"path\": \"namespace\", \"fieldRef\": {\"fieldPath\": \"metadata.namespace\", \"apiVersion\": \"v1\"}}]}}], \"defaultMode\": 420}}], \"priority\": 0, \"dnsPolicy\": \"ClusterFirst\", \"containers\": [{\"name\": \"test-container\", \"image\": \"ubuntu:24.04\", \"command\": [\"bash\", \"-c\", \"sleep infinity\"], \"resources\": {}, \"volumeMounts\": [{\"name\": \"host-volume\", \"mountPath\": \"/mnt/host\"}, {\"name\": \"kube-api-access-5xkx2\", \"readOnly\": true, \"mountPath\": \"/var/run/secrets/kubernetes.io/serviceaccount\"}], \"imagePullPolicy\": \"IfNotPresent\", \"terminationMessagePath\": \"/dev/termination-log\", \"terminationMessagePolicy\": \"File\"}], \"tolerations\": [{\"key\": \"node.kubernetes.io/not-ready\", \"effect\": \"NoExecute\", \"operator\": \"Exists\", \"tolerationSeconds\": 300}, {\"key\": \"node.kubernetes.io/unreachable\", \"effect\": \"NoExecute\", 
\"operator\": \"Exists\", \"tolerationSeconds\": 300}], \"restartPolicy\": \"Always\", \"schedulerName\": \"default-scheduler\", \"serviceAccount\": \"default\", \"securityContext\": {}, \"preemptionPolicy\": \"PreemptLowerPriority\", \"enableServiceLinks\": true, \"serviceAccountName\": \"default\", \"terminationGracePeriodSeconds\": 30}, \"status\": {\"phase\": \"Pending\", \"qosClass\": \"BestEffort\"}, \"metadata\": {\"uid\": \"31182568-10d0-4f5d-815c-40145be2c09a\", \"name\": \"pod-hostpath\", \"namespace\": \"default\", \"annotations\": {\"kubectl.kubernetes.io/last-applied-configuration\": \"{\\\"apiVersion\\\":\\\"v1\\\",\\\"kind\\\":\\\"Pod\\\",\\\"metadata\\\":{\\\"annotations\\\":{},\\\"name\\\":\\\"pod-hostpath\\\",\\\"namespace\\\":\\\"default\\\"},\\\"spec\\\":{\\\"containers\\\":[{\\\"command\\\":[\\\"bash\\\",\\\"-c\\\",\\\"sleep infinity\\\"],\\\"image\\\":\\\"ubuntu:24.04\\\",\\\"name\\\":\\\"test-container\\\",\\\"volumeMounts\\\":[{\\\"mountPath\\\":\\\"/mnt/host\\\",\\\"name\\\":\\\"host-volume\\\"}]}],\\\"volumes\\\":[{\\\"hostPath\\\":{\\\"path\\\":\\\"/tmp/testdir\\\",\\\"type\\\":\\\"DirectoryOrCreate\\\"},\\\"name\\\":\\\"host-volume\\\"}]}}\\n\"}, \"managedFields\": [{\"time\": \"2025-05-22T13:23:44Z\", \"manager\": \"kubectl-client-side-apply\", \"fieldsV1\": {\"f:spec\": {\"f:volumes\": {\".\": {}, \"k:{\\\"name\\\":\\\"host-volume\\\"}\": {\".\": {}, \"f:name\": {}, \"f:hostPath\": {\".\": {}, \"f:path\": {}, \"f:type\": {}}}}, \"f:dnsPolicy\": {}, \"f:containers\": {\"k:{\\\"name\\\":\\\"test-container\\\"}\": {\".\": {}, \"f:name\": {}, \"f:image\": {}, \"f:command\": {}, \"f:resources\": {}, \"f:volumeMounts\": {\".\": {}, \"k:{\\\"mountPath\\\":\\\"/mnt/host\\\"}\": {\".\": {}, \"f:name\": {}, \"f:mountPath\": {}}}, \"f:imagePullPolicy\": {}, \"f:terminationMessagePath\": {}, \"f:terminationMessagePolicy\": {}}}, \"f:restartPolicy\": {}, \"f:schedulerName\": {}, \"f:securityContext\": {}, \"f:enableServiceLinks\": {}, 
\"f:terminationGracePeriodSeconds\": {}}, \"f:metadata\": {\"f:annotations\": {\".\": {}, \"f:kubectl.kubernetes.io/last-applied-configuration\": {}}}}, \"operation\": \"Update\", \"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\"}], \"resourceVersion\": \"13438\", \"creationTimestamp\": \"2025-05-22T13:23:44Z\"}, \"apiVersion\": \"v1\"}, \"responseStatus\": {\"code\": 201, \"metadata\": {}}, \"stageTimestamp\": \"2025-05-22T13:23:44.890020Z\", \"requestReceivedTimestamp\": \"2025-05-22T13:23:44.884869Z\"}",
    "event": {
        "action": "create",
        "code": "29480e0b-5b7a-43b0-8618-d5122aff5817",
        "outcome": "allow",
        "start": "2025-05-22T13:23:44.884869Z"
    },
    "action": {
        "outcome": "allow"
    },
    "http": {
        "response": {
            "status_code": 201
        }
    },
    "kubernetes": {
        "namespace": "default",
        "object": {
            "name": "pod-hostpath"
        },
        "resource": "pods",
        "spec": {
            "containers": [
                {
                    "command": [
                        "bash",
                        "-c",
                        "sleep infinity"
                    ],
                    "image": "ubuntu:24.04",
                    "imagePullPolicy": "IfNotPresent",
                    "name": "test-container",
                    "terminationMessagePath": "/dev/termination-log",
                    "terminationMessagePolicy": "File",
                    "volumeMounts": [
                        {
                            "mountPath": "/mnt/host",
                            "name": "host-volume"
                        }
                    ]
                }
            ],
            "volumes": [
                {
                    "hostPath": {
                        "path": "/tmp/testdir",
                        "type": "DirectoryOrCreate"
                    },
                    "name": "host-volume"
                }
            ]
        }
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "minikube-user"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "url": {
        "path": "/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
    },
    "user": {
        "name": "minikube-user",
        "roles": [
            "system:authenticated",
            "system:masters"
        ]
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
        "os": {
            "name": "Linux"
        }
    }
}
{
    "message": "{\"level\": \"RequestResponse\",\"auditID\": \"91afc40c-f1ef-4956-b85a-7e12d09511e9\",\"stage\": \"ResponseComplete\",\"requestURI\":\"/api/v1/namespaces/test/pods/test-1669140000-zp58r/exec?command=sh&container=test&stdin=true&stdout=true&tty=true\",\"verb\": \"create\",\"user\": {\"username\": \"user@mail.com\",\"groups\": [\"system:authenticated\"]},\"sourceIPs\": [\"192.168.0.1\"],\"userAgent\": \"kubectl/v1.24.2 (linux/amd64) kubernetes/f66044f\",\"objectRef\": {\"resource\": \"pods\",\"namespace\": \"test\",\"name\": \"test-1669140000-zp58r\",\"apiVersion\": \"v1\",\"subresource\": \"exec\"},\"responseStatus\": {\"metadata\": {},\"code\": 101},\"requestReceivedTimestamp\": \"2022-11-23T14:36:45.243457Z\",\"stageTimestamp\": \"2022-11-23T14:36:53.531481Z\",\"annotations\": {\"authorization.k8s.io/decision\": \"allow\",\"authorization.k8s.io/reason\": \"RBAC: allowed by ClusterRoleBinding test-role-binding of ClusterRole test-admin to Group system:authenticated\"}}",
    "event": {
        "action": "create",
        "code": "91afc40c-f1ef-4956-b85a-7e12d09511e9",
        "outcome": "allow",
        "start": "2022-11-23T14:36:45.243457Z"
    },
    "action": {
        "outcome": "allow"
    },
    "http": {
        "response": {
            "status_code": 101
        }
    },
    "kubernetes": {
        "namespace": "test",
        "object": {
            "name": "test-1669140000-zp58r"
        },
        "rbacreason": "RBAC: allowed by ClusterRoleBinding test-role-binding of ClusterRole test-admin to Group system:authenticated",
        "resource": "pods",
        "subresource": "exec"
    },
    "related": {
        "ip": [
            "192.168.0.1"
        ],
        "user": [
            "user@mail.com"
        ]
    },
    "source": {
        "address": "192.168.0.1",
        "ip": "192.168.0.1"
    },
    "url": {
        "path": "/api/v1/namespaces/test/pods/test-1669140000-zp58r/exec?command=sh&container=test&stdin=true&stdout=true&tty=true"
    },
    "user": {
        "name": "user@mail.com",
        "roles": [
            "system:authenticated"
        ]
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "kubectl/v1.24.2 (linux/amd64) kubernetes/f66044f",
        "os": {
            "name": "Linux"
        }
    }
}
{
    "message": "{\"kind\":\"Event\",\"apiVersion\":\"audit.k8s.io/v1\",\"level\":\"Request\",\"auditID\":\"bdeb089c-5d70-4776-b6af-88e739fb0dd5\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/api/v1/namespaces/support/pods?limit=500\",\"verb\":\"list\",\"user\":{\"username\":\"system:serviceaccount:pinniped-concierge:pinniped-concierge-impersonation-proxy\",\"uid\":\"6258bd11-9713-442b-bbed-2587a76975d9\",\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:pinniped-concierge\",\"system:authenticated\"],\"extra\":{\"authentication.kubernetes.io/credential-id\":[\"JTI=581d10f3-b521-480f-aa42-bcd6a70df8ea\"]}},\"impersonatedUser\":{\"username\":\"john.doe@example.org\",\"groups\":[\"admin\",\"system:authenticated\"]},\"sourceIPs\":[\"1.1.1.1\",\"2.2.2.2\"],\"userAgent\":\"kubectl/v1.29.2 (linux/amd64) kubernetes/4b8e819\",\"objectRef\":{\"resource\":\"pods\",\"namespace\":\"support\",\"apiVersion\":\"v1\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestReceivedTimestamp\":\"2025-01-23T14:56:02.374424Z\",\"stageTimestamp\":\"2025-01-23T14:56:02.400865Z\",\"annotations\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"pinniped-admin-role-binding\\\" of ClusterRole \\\"cluster-admin\\\" to Group \\\"admin\\\"\"}}\n",
    "event": {
        "action": "list",
        "code": "bdeb089c-5d70-4776-b6af-88e739fb0dd5",
        "outcome": "allow",
        "start": "2025-01-23T14:56:02.374424Z"
    },
    "action": {
        "outcome": "allow"
    },
    "http": {
        "response": {
            "status_code": 200
        }
    },
    "kubernetes": {
        "namespace": "support",
        "rbacreason": "RBAC: allowed by ClusterRoleBinding \"pinniped-admin-role-binding\" of ClusterRole \"cluster-admin\" to Group \"admin\"",
        "resource": "pods"
    },
    "related": {
        "ip": [
            "1.1.1.1"
        ],
        "user": [
            "john.doe@example.org"
        ]
    },
    "source": {
        "address": "1.1.1.1",
        "ip": "1.1.1.1"
    },
    "url": {
        "path": "/api/v1/namespaces/support/pods?limit=500"
    },
    "user": {
        "id": "6258bd11-9713-442b-bbed-2587a76975d9",
        "name": "john.doe@example.org",
        "roles": [
            "admin",
            "system:authenticated"
        ]
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "kubectl/v1.29.2 (linux/amd64) kubernetes/4b8e819",
        "os": {
            "name": "Linux"
        }
    }
}
{
    "message": "{\"level\":\"RequestResponse\",\"auditID\":\"bbd6d83f-4b6d-4a3d-b3cd-840a0691c19f\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/apis/apps/v1/namespaces/test/deployments/test/scale\",\"verb\":\"patch\",\"user\":{\"username\":\"user@mail.com\",\"groups\":[\"system:authenticated\"]},\"sourceIPs\":[\"192.168.0.1\"],\"userAgent\":\"kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19\",\"objectRef\":{\"resource\":\"deployments\",\"namespace\":\"test\",\"apiGroup\":\"apps\",\"apiVersion\":\"v1\",\"subresource\":\"scale\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestObject\":{\"spec\":{\"replicas\":3}},\"responseObject\":{\"kind\":\"Scale\",\"apiVersion\":\"autoscaling/v1\",\"metadata\":{\"name\":\"test\",\"namespace\":\"test\",\"selfLink\":\"/apis/apps/v1/namespaces/test/deployments/test/scale\",\"uid\":\"7e649fbd-ca1b-4e30-b763-1b52527c774b\",\"resourceVersion\":\"1368503426\",\"creationTimestamp\":\"2020-01-24T17:04:30Z\"},\"spec\":{\"replicas\":3},\"status\":{\"replicas\":2,\"selector\":\"test=test\"}},\"requestReceivedTimestamp\":\"2022-11-23T13:10:04.499444Z\",\"stageTimestamp\":\"2022-11-23T13:10:04.514995Z\",\"annotations\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"test-role-binding\\\" of ClusterRole \\\"test-admin\\\" to Group \\\"system:authenticated\\\"\"}}",
    "event": {
        "action": "patch",
        "code": "bbd6d83f-4b6d-4a3d-b3cd-840a0691c19f",
        "outcome": "allow",
        "start": "2022-11-23T13:10:04.499444Z"
    },
    "action": {
        "outcome": "allow"
    },
    "http": {
        "response": {
            "status_code": 200
        }
    },
    "kubernetes": {
        "api": {
            "group": "apps"
        },
        "namespace": "test",
        "object": {
            "name": "test"
        },
        "rbacreason": "RBAC: allowed by ClusterRoleBinding \"test-role-binding\" of ClusterRole \"test-admin\" to Group \"system:authenticated\"",
        "resource": "deployments",
        "subresource": "scale"
    },
    "related": {
        "ip": [
            "192.168.0.1"
        ],
        "user": [
            "user@mail.com"
        ]
    },
    "source": {
        "address": "192.168.0.1",
        "ip": "192.168.0.1"
    },
    "url": {
        "path": "/apis/apps/v1/namespaces/test/deployments/test/scale"
    },
    "user": {
        "name": "user@mail.com",
        "roles": [
            "system:authenticated"
        ]
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19",
        "os": {
            "name": "Linux"
        }
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.

| Name | Type | Description |
| --- | --- | --- |
| event.action | keyword | The action captured by the event. |
| event.code | keyword | Identification code for this event. |
| event.start | date | event.start contains the date when the event started or when the activity was first observed. |
| http.response.status_code | long | HTTP response status code. |
| kubernetes.api.group | keyword | API group of the requested resource (for example `apps`). |
| kubernetes.namespace | keyword | Namespace of the object targeted by the request. |
| kubernetes.object.name | keyword | Name of the object targeted by the request. |
| kubernetes.rbacreason | keyword | Authorization reason reported by the API server (the `authorization.k8s.io/reason` annotation). |
| kubernetes.resource | keyword | Resource type targeted by the request (for example `pods`, `deployments`). |
| kubernetes.role.name | keyword | |
| kubernetes.spec.host_network | boolean | Value of the `hostNetwork` flag in the pod spec. |
| kubernetes.subresource | keyword | Subresource targeted by the request (for example `exec`, `scale`). |
| source.ip | ip | IP address of the source. |
| url.path | wildcard | Path of the request, such as "/search". |
| user.id | keyword | Unique identifier of the user. |
| user.name | keyword | Short name or login of the user. |
| user.roles | keyword | Array of user roles at the time of the event. |
| user_agent.original | keyword | Unparsed user_agent string. |
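As an added example (not the SEKOIA.IO parser or any code from the page), the Python below maps a raw audit.k8s.io/v1 event line onto the field names of the table above and then applies a few defender-side checks for the patterns the sample events illustrate (pod exec, hostPath volumes, hostNetwork, impersonation, membership of system:masters). The two sample lines are constructed and trimmed, and the flag names are this example's own.

```python
import json

# Constructed samples, trimmed to the fields used below and shaped like the
# page's "exec" and "pod-hostpath" events; they are not real captures.
EXEC_LINE = json.dumps({
    "auditID": "00000000-0000-0000-0000-000000000001", "verb": "create", "sourceIPs": ["192.168.0.1"],
    "requestURI": "/api/v1/namespaces/test/pods/web-1/exec?command=sh&tty=true",
    "user": {"username": "user@mail.com", "groups": ["system:authenticated"]},
    "objectRef": {"resource": "pods", "namespace": "test", "name": "web-1", "subresource": "exec"},
    "responseStatus": {"code": 101}, "requestReceivedTimestamp": "2022-11-23T14:36:45.243457Z",
    "annotations": {"authorization.k8s.io/decision": "allow"}})
HOSTPATH_LINE = json.dumps({
    "auditID": "00000000-0000-0000-0000-000000000002", "verb": "create", "sourceIPs": ["1.2.3.4"],
    "requestURI": "/api/v1/namespaces/default/pods", "responseStatus": {"code": 201},
    "user": {"username": "minikube-user", "groups": ["system:masters", "system:authenticated"]},
    "objectRef": {"resource": "pods", "namespace": "default", "name": "pod-hostpath"},
    "requestReceivedTimestamp": "2025-05-22T13:23:44.884869Z",
    "annotations": {"authorization.k8s.io/decision": "allow"},
    "requestObject": {"spec": {"hostNetwork": True, "volumes": [{"name": "host-volume", "hostPath": {"path": "/tmp/testdir"}}]}}})

def normalize(line):
    """Map one audit.k8s.io/v1 event (a JSON line) onto the ECS-style names of the Extracted Fields table."""
    ev = json.loads(line)
    user, obj = ev.get("user", {}), ev.get("objectRef", {})
    ann, ips = ev.get("annotations", {}), ev.get("sourceIPs") or []
    who = ev.get("impersonatedUser", user)  # the impersonated identity is reported, as in the pinniped sample
    spec = (ev.get("requestObject") or {}).get("spec") or {}
    out = {
        "event.action": ev.get("verb"), "event.code": ev.get("auditID"),
        "event.start": ev.get("requestReceivedTimestamp"),
        "event.outcome": ann.get("authorization.k8s.io/decision"),
        "http.response.status_code": ev.get("responseStatus", {}).get("code"),
        "kubernetes.api.group": obj.get("apiGroup"), "kubernetes.namespace": obj.get("namespace"),
        "kubernetes.object.name": obj.get("name"), "kubernetes.resource": obj.get("resource"),
        "kubernetes.subresource": obj.get("subresource"), "kubernetes.rbacreason": ann.get("authorization.k8s.io/reason"),
        "kubernetes.spec.host_network": spec.get("hostNetwork"),
        "source.ip": ips[0] if ips else None, "url.path": ev.get("requestURI"),
        "user.id": user.get("uid"), "user.name": who.get("username"),
        "user.roles": sorted(who.get("groups", [])), "user_agent.original": ev.get("userAgent"),
    }
    return {k: v for k, v in out.items() if v not in (None, [])}  # drop unset fields

def risk_flags(line):
    """Defender-side triage: name the high-privilege patterns the sample events illustrate."""
    ev = json.loads(line)
    f = normalize(line)
    spec = (ev.get("requestObject") or {}).get("spec") or {}
    checks = {
        "pod-exec": f.get("kubernetes.resource") == "pods" and f.get("kubernetes.subresource") == "exec",
        "hostpath-volume": any("hostPath" in v for v in spec.get("volumes") or []),
        "host-network": bool(f.get("kubernetes.spec.host_network")),
        "impersonation": "impersonatedUser" in ev,
        "system-masters": "system:masters" in f.get("user.roles", []),
    }
    return [name for name, hit in checks.items() if hit]
```

The normalized dict carries the same keys as the table, so a detection rule written against the parser's output can be exercised locally against constructed events before it is deployed.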

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.

Support

If you need assistance with this integration, please contact our support team at support.sekoia.io.