Kubernetes Audit Logs
Overview
Kubernetes is an open-source container orchestration system for automating software deployment, scaling and management.
In this documentation, you will learn how to configure, collect and send Kubernetes Audit logs to SEKOIA.IO.
- Supported environment: On Premise / SaaS
Configuration of Kubernetes
Enable the audit logs in Kubernetes:
- Audit logs are disabled by default. To enable them, you need to specify an audit log file path and an audit policy file in your API server configuration:

```
kube-apiserver
[...]
--audit-log-path=/var/log/kubernetes/apiserver/audit.log
--audit-policy-file=/etc/kubernetes/audit-policies/policy.yaml
```

- Create the policy file at /etc/kubernetes/audit-policies/policy.yaml to specify the types of API requests you want to write to your audit log file. The Kubernetes audit policy has different levels:
  - None: don't log events that match this rule.
  - Metadata: log events with metadata (requesting user, timestamp, resource, verb, etc.) but not the request or response body.
  - Request: log events with request metadata and request body but not the response body. This does not apply to non-resource requests.
  - RequestResponse: log events with request metadata, request body and response body. This does not apply to non-resource requests.
- You can use this minimal audit policy file to log all requests at the Metadata level:

```yaml
# Log all requests at the Metadata level.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: Metadata
```

For more information about Kubernetes audit logs, please visit the Kubernetes website.
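Rules in a policy file are evaluated in order and the first matching rule decides the level, so a None rule placed first silences everything it matches. As an added example (not code from the Kubernetes project or from Sekoia.io), the following Python re-implements that matching in simplified form and shows which level a richer policy gives to requests like the ones in the samples on this page. The policy, user names and requests in the block are constructed for the illustration; omitStages is not handled.

```python
"""Which audit level a request receives under an audit.k8s.io/v1 Policy.

Added example for this page, not kube-apiserver code: a simplified re-implementation
of the policy matcher. Rules are tried in order, the first match decides the level,
and a request matching no rule is not logged ("None"). omitStages is ignored.
The policy and the requests below are constructed (plain dicts, no YAML library).
"""

# Constructed policy. Order matters: the first matching rule wins.
POLICY = {"apiVersion": "audit.k8s.io/v1", "kind": "Policy", "rules": [
    # Health probes from nodes are noise: drop them.
    {"level": "None", "userGroups": ["system:nodes"],
     "nonResourceURLs": ["/healthz*", "/livez*", "/readyz*"]},
    # Never write secret bodies to the audit file: metadata only.
    {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets"]}]},
    # Full request and response for container access and cluster-wide RBAC changes.
    {"level": "RequestResponse", "resources": [
        {"group": "", "resources": ["pods/exec", "pods/attach"]},
        {"group": "rbac.authorization.k8s.io",
         "resources": ["clusterrolebindings", "clusterroles"]}]},
    # Pod writes keep the body, so privileged/hostNetwork/hostPath stay visible.
    {"level": "Request", "verbs": ["create", "update", "patch"],
     "resources": [{"group": "", "resources": ["pods"]}]},
    # Everything else at Metadata, like the minimal policy on this page.
    {"level": "Metadata"},
]}


def _req(verb, resource=None, sub="", group="", ns="", path="", groups=()):
    """Request attributes as the matcher sees them; group "" is the core API group."""
    return {"verb": verb, "user": {"username": "someone", "groups": list(groups)},
            "apiGroup": group, "resource": resource, "subresource": sub,
            "namespace": ns, "path": path}


# Constructed requests, modelled on the raw samples of this page.
SAMPLE_REQUESTS = {
    "exec into a pod": _req("create", "pods", sub="exec", ns="test"),
    "create clusterrolebinding": _req("create", "clusterrolebindings",
                                      group="rbac.authorization.k8s.io"),
    "get a secret": _req("get", "secrets", ns="default"),
    "create a pod": _req("create", "pods", ns="default"),
    "list pods": _req("list", "pods", ns="default"),
    "node healthz": _req("get", path="/healthz", groups=["system:nodes"]),
    "user healthz": _req("get", path="/healthz", groups=["system:authenticated"]),
}


def _resource_matches(rule: dict, req: dict) -> bool:
    """Namespace and resource part of the matcher (resource requests only)."""
    if not req.get("resource"):
        return False
    if rule.get("namespaces") and req.get("namespace", "") not in rule["namespaces"]:
        return False
    groups = rule.get("resources")
    if not groups:
        return True  # namespaces only: any resource
    resource, sub = req["resource"], req.get("subresource", "")
    combined = f"{resource}/{sub}" if sub else resource
    for gr in groups:
        if gr.get("group", "") != req.get("apiGroup", ""):
            continue
        if gr.get("resourceNames") and req.get("name") not in gr["resourceNames"]:
            continue
        for res in gr.get("resources") or ["*"]:  # no names listed: whole group
            if res in ("*", combined) or (res.endswith("/*") and res[:-2] == resource) \
                    or (sub and res.startswith("*/") and res[2:] == sub):
                return True
    return False


def _non_resource_matches(rule: dict, req: dict) -> bool:
    """nonResourceURLs: exact path, or a prefix when the spec ends with '*'."""
    if req.get("resource"):
        return False
    path = req.get("path", "")
    return any(path == s or (s.endswith("*") and path.startswith(s.rstrip("*")))
               for s in rule["nonResourceURLs"])


def rule_matches(rule: dict, req: dict) -> bool:
    """Every field set on the rule must match; an absent field matches anything."""
    user = req.get("user", {})
    if rule.get("users") and user.get("username") not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(user.get("groups", [])) & set(rule["userGroups"]):
        return False
    if rule.get("verbs") and req.get("verb") not in rule["verbs"]:
        return False
    if rule.get("namespaces") or rule.get("resources"):
        return _resource_matches(rule, req)
    if rule.get("nonResourceURLs"):
        return _non_resource_matches(rule, req)
    return True


def level_for(policy: dict, req: dict) -> str:
    """Level of the first matching rule; 'None' (not logged) when nothing matches."""
    for rule in policy["rules"]:
        if rule_matches(rule, req):
            return rule["level"]
    return "None"


if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:28} -> {level_for(POLICY, req)}")
```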
Collect Configuration
- Enable the log collection in your DaemonSet; it is disabled by default:

```yaml
env:
  # (...)
  - name: DD_LOGS_ENABLED
    value: 'true'
```

- Mount the audit log directory at a path where the Sekoia Agent collects the log file. For that, you need to update your DaemonSet:

```yaml
# (...)
volumeMounts:
  # (...)
  - name: auditdir
    mountPath: /var/log/kubernetes/apiserver
# (...)
volumes:
  # (...)
  - hostPath:
      path: /var/log/kubernetes/apiserver
    name: auditdir
# (...)
```
Create the intake
- Go to the intake page and create a new intake from the format Kubernetes.
- Update the Agent configuration:

```yaml
logfiles:
  - filepath: /var/log/kubernetes/apiserver/audit.log # Path to the file to watch
    intakekey: {intake key} # Intake key to use to send the events
```

- Once the configuration file is modified, restart the agent.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"kind": "Event",
"user": {
"extra": {
"authentication.kubernetes.io/credential-id": [
"X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
]
},
"groups": [
"system:masters",
"system:authenticated"
],
"username": "minikube-user"
},
"verb": "create",
"level": "RequestResponse",
"stage": "ResponseComplete",
"auditID": "cc1dcb56-f0e4-4720-bad1-433ce652add7",
"objectRef": {
"name": "example-admin-binding",
"apiGroup": "rbac.authorization.k8s.io",
"resource": "clusterrolebindings",
"apiVersion": "v1"
},
"sourceIPs": [
"1.2.3.4"
],
"userAgent": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
"apiVersion": "audit.k8s.io/v1",
"requestURI": "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings?fieldManager=kubectl-create&fieldValidation=Strict",
"annotations": {
"authorization.k8s.io/reason": "",
"authorization.k8s.io/decision": "allow"
},
"requestObject": {
"kind": "ClusterRoleBinding",
"roleRef": {
"kind": "ClusterRole",
"name": "cluster-admin",
"apiGroup": "rbac.authorization.k8s.io"
},
"metadata": {
"name": "example-admin-binding",
"creationTimestamp": null
},
"subjects": [
{
"kind": "ServiceAccount",
"name": "example",
"namespace": "default"
}
],
"apiVersion": "rbac.authorization.k8s.io/v1"
},
"responseObject": {
"kind": "ClusterRoleBinding",
"roleRef": {
"kind": "ClusterRole",
"name": "cluster-admin",
"apiGroup": "rbac.authorization.k8s.io"
},
"metadata": {
"uid": "63d6ae6a-e969-495c-b7ab-b730b203501c",
"name": "example-admin-binding",
"managedFields": [
{
"time": "2025-05-22T12:23:08Z",
"manager": "kubectl-create",
"fieldsV1": {
"f:roleRef": {},
"f:subjects": {}
},
"operation": "Update",
"apiVersion": "rbac.authorization.k8s.io/v1",
"fieldsType": "FieldsV1"
}
],
"resourceVersion": "10616",
"creationTimestamp": "2025-05-22T12:23:08Z"
},
"subjects": [
{
"kind": "ServiceAccount",
"name": "example",
"namespace": "default"
}
],
"apiVersion": "rbac.authorization.k8s.io/v1"
},
"responseStatus": {
"code": 201,
"metadata": {}
},
"stageTimestamp": "2025-05-22T12:23:08.704223Z",
"requestReceivedTimestamp": "2025-05-22T12:23:08.702110Z"
}
{
"kind": "Event",
"user": {
"extra": {
"authentication.kubernetes.io/credential-id": [
"X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
]
},
"groups": [
"system:masters",
"system:authenticated"
],
"username": "minikube-user"
},
"verb": "create",
"level": "RequestResponse",
"stage": "ResponseComplete",
"auditID": "2028e1f9-4561-4668-9df4-bc0dcd3ae11b",
"objectRef": {
"name": "example-admin-binding",
"apiGroup": "rbac.authorization.k8s.io",
"resource": "clusterrolebindings",
"apiVersion": "v1"
},
"sourceIPs": [
"1.2.3.4"
],
"userAgent": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
"apiVersion": "audit.k8s.io/v1",
"requestURI": "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings?fieldManager=kubectl-create&fieldValidation=Strict",
"annotations": {
"authorization.k8s.io/reason": "",
"authorization.k8s.io/decision": "allow"
},
"requestObject": {
"kind": "ClusterRoleBinding",
"roleRef": {
"kind": "ClusterRole",
"name": "cluster-admin",
"apiGroup": "rbac.authorization.k8s.io"
},
"metadata": {
"name": "example-admin-binding",
"creationTimestamp": null
},
"subjects": [
{
"kind": "ServiceAccount",
"name": "example",
"namespace": "default"
}
],
"apiVersion": "rbac.authorization.k8s.io/v1"
},
"responseObject": {
"kind": "ClusterRoleBinding",
"roleRef": {
"kind": "ClusterRole",
"name": "cluster-admin",
"apiGroup": "rbac.authorization.k8s.io"
},
"metadata": {
"uid": "804440c7-256c-4187-84f3-1e644906db18",
"name": "example-admin-binding",
"managedFields": [
{
"time": "2025-05-22T12:23:08Z",
"manager": "kubectl-create",
"fieldsV1": {
"f:roleRef": {},
"f:subjects": {}
},
"operation": "Update",
"apiVersion": "rbac.authorization.k8s.io/v1",
"fieldsType": "FieldsV1"
}
],
"resourceVersion": "10616",
"creationTimestamp": "2025-05-22T12:23:08Z"
},
"subjects": [
{
"kind": "ServiceAccount",
"name": "example",
"namespace": "default"
}
],
"apiVersion": "rbac.authorization.k8s.io/v1"
},
"responseStatus": {
"code": 201,
"metadata": {}
},
"stageTimestamp": "2025-05-22T12:23:08.704223Z",
"requestReceivedTimestamp": "2025-05-22T12:23:08.702110Z"
}
{
"kind": "Event",
"user": {
"extra": {
"authentication.kubernetes.io/credential-id": [
"X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
]
},
"groups": [
"system:masters",
"system:authenticated"
],
"username": "minikube-user"
},
"verb": "create",
"level": "RequestResponse",
"stage": "ResponseComplete",
"auditID": "8cb523a6-0be6-4198-8886-ed4fa57bd375",
"objectRef": {
"name": "priv-shell",
"resource": "pods",
"namespace": "default",
"apiVersion": "v1"
},
"sourceIPs": [
"1.2.3.4"
],
"userAgent": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
"apiVersion": "audit.k8s.io/v1",
"requestURI": "/api/v1/namespaces/default/pods?fieldManager=kubectl-run",
"annotations": {
"authorization.k8s.io/reason": "",
"authorization.k8s.io/decision": "allow",
"pod-security.kubernetes.io/enforce-policy": "privileged:latest"
},
"requestObject": {
"kind": "Pod",
"spec": {
"dnsPolicy": "ClusterFirst",
"containers": [
{
"name": "shell",
"image": "ubuntu:24.04",
"command": [
"bash",
"-c",
"sleep infinity"
],
"resources": {},
"imagePullPolicy": "IfNotPresent",
"securityContext": {
"privileged": true
},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File"
}
],
"restartPolicy": "Never",
"schedulerName": "default-scheduler",
"securityContext": {},
"enableServiceLinks": true,
"terminationGracePeriodSeconds": 30
},
"status": {},
"metadata": {
"name": "priv-shell",
"labels": {
"run": "priv-shell"
},
"creationTimestamp": null
},
"apiVersion": "v1"
},
"responseObject": {
"kind": "Pod",
"spec": {
"volumes": [
{
"name": "kube-api-access-cmszt",
"projected": {
"sources": [
{
"serviceAccountToken": {
"path": "token",
"expirationSeconds": 3607
}
},
{
"configMap": {
"name": "kube-root-ca.crt",
"items": [
{
"key": "ca.crt",
"path": "ca.crt"
}
]
}
},
{
"downwardAPI": {
"items": [
{
"path": "namespace",
"fieldRef": {
"fieldPath": "metadata.namespace",
"apiVersion": "v1"
}
}
]
}
}
],
"defaultMode": 420
}
}
],
"priority": 0,
"dnsPolicy": "ClusterFirst",
"containers": [
{
"name": "shell",
"image": "ubuntu:24.04",
"command": [
"bash",
"-c",
"sleep infinity"
],
"resources": {},
"volumeMounts": [
{
"name": "kube-api-access-cmszt",
"readOnly": true,
"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
}
],
"imagePullPolicy": "IfNotPresent",
"securityContext": {
"privileged": true
},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File"
}
],
"tolerations": [
{
"key": "node.kubernetes.io/not-ready",
"effect": "NoExecute",
"operator": "Exists",
"tolerationSeconds": 300
},
{
"key": "node.kubernetes.io/unreachable",
"effect": "NoExecute",
"operator": "Exists",
"tolerationSeconds": 300
}
],
"restartPolicy": "Never",
"schedulerName": "default-scheduler",
"serviceAccount": "default",
"securityContext": {},
"preemptionPolicy": "PreemptLowerPriority",
"enableServiceLinks": true,
"serviceAccountName": "default",
"terminationGracePeriodSeconds": 30
},
"status": {
"phase": "Pending",
"qosClass": "BestEffort"
},
"metadata": {
"uid": "b213474e-679f-43e4-8e26-6bfde524ba34",
"name": "priv-shell",
"labels": {
"run": "priv-shell"
},
"namespace": "default",
"managedFields": [
{
"time": "2025-05-22T13:14:38Z",
"manager": "kubectl-run",
"fieldsV1": {
"f:spec": {
"f:dnsPolicy": {},
"f:containers": {
"k:{\"name\":\"shell\"}": {
".": {},
"f:name": {},
"f:image": {},
"f:command": {},
"f:resources": {},
"f:imagePullPolicy": {},
"f:securityContext": {
".": {},
"f:privileged": {}
},
"f:terminationMessagePath": {},
"f:terminationMessagePolicy": {}
}
},
"f:restartPolicy": {},
"f:schedulerName": {},
"f:securityContext": {},
"f:enableServiceLinks": {},
"f:terminationGracePeriodSeconds": {}
},
"f:metadata": {
"f:labels": {
".": {},
"f:run": {}
}
}
},
"operation": "Update",
"apiVersion": "v1",
"fieldsType": "FieldsV1"
}
],
"resourceVersion": "12992",
"creationTimestamp": "2025-05-22T13:14:38Z"
},
"apiVersion": "v1"
},
"responseStatus": {
"code": 201,
"metadata": {}
},
"stageTimestamp": "2025-05-22T13:14:38.223786Z",
"requestReceivedTimestamp": "2025-05-22T13:14:38.218223Z"
}
{
"kind": "Event",
"user": {
"extra": {
"authentication.kubernetes.io/credential-id": [
"X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
]
},
"groups": [
"system:masters",
"system:authenticated"
],
"username": "minikube-user"
},
"verb": "create",
"level": "RequestResponse",
"stage": "ResponseComplete",
"auditID": "762eda6e-4122-4997-9a87-ada5442d43d5",
"objectRef": {
"name": "pod-hostnetwork",
"resource": "pods",
"namespace": "default",
"apiVersion": "v1"
},
"sourceIPs": [
"1.2.3.4"
],
"userAgent": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
"apiVersion": "audit.k8s.io/v1",
"requestURI": "/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply&fieldValidation=Strict",
"annotations": {
"authorization.k8s.io/reason": "",
"authorization.k8s.io/decision": "allow",
"pod-security.kubernetes.io/enforce-policy": "privileged:latest"
},
"requestObject": {
"kind": "Pod",
"spec": {
"dnsPolicy": "ClusterFirst",
"containers": [
{
"name": "nginx",
"image": "nginx",
"ports": [
{
"hostPort": 80,
"protocol": "TCP",
"containerPort": 80
}
],
"resources": {},
"imagePullPolicy": "Always",
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File"
}
],
"hostNetwork": true,
"restartPolicy": "Always",
"schedulerName": "default-scheduler",
"securityContext": {},
"enableServiceLinks": true,
"terminationGracePeriodSeconds": 30
},
"status": {},
"metadata": {
"name": "pod-hostnetwork",
"namespace": "default",
"annotations": {
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"pod-hostnetwork\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"nginx\",\"name\":\"nginx\",\"ports\":[{\"containerPort\":80}]}],\"hostNetwork\":true}}\n"
},
"creationTimestamp": null
},
"apiVersion": "v1"
},
"responseObject": {
"kind": "Pod",
"spec": {
"volumes": [
{
"name": "kube-api-access-gt55x",
"projected": {
"sources": [
{
"serviceAccountToken": {
"path": "token",
"expirationSeconds": 3607
}
},
{
"configMap": {
"name": "kube-root-ca.crt",
"items": [
{
"key": "ca.crt",
"path": "ca.crt"
}
]
}
},
{
"downwardAPI": {
"items": [
{
"path": "namespace",
"fieldRef": {
"fieldPath": "metadata.namespace",
"apiVersion": "v1"
}
}
]
}
}
],
"defaultMode": 420
}
}
],
"priority": 0,
"dnsPolicy": "ClusterFirst",
"containers": [
{
"name": "nginx",
"image": "nginx",
"ports": [
{
"hostPort": 80,
"protocol": "TCP",
"containerPort": 80
}
],
"resources": {},
"volumeMounts": [
{
"name": "kube-api-access-gt55x",
"readOnly": true,
"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
}
],
"imagePullPolicy": "Always",
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File"
}
],
"hostNetwork": true,
"tolerations": [
{
"key": "node.kubernetes.io/not-ready",
"effect": "NoExecute",
"operator": "Exists",
"tolerationSeconds": 300
},
{
"key": "node.kubernetes.io/unreachable",
"effect": "NoExecute",
"operator": "Exists",
"tolerationSeconds": 300
}
],
"restartPolicy": "Always",
"schedulerName": "default-scheduler",
"serviceAccount": "default",
"securityContext": {},
"preemptionPolicy": "PreemptLowerPriority",
"enableServiceLinks": true,
"serviceAccountName": "default",
"terminationGracePeriodSeconds": 30
},
"status": {
"phase": "Pending",
"qosClass": "BestEffort"
},
"metadata": {
"uid": "e8303c60-6322-4241-a0ce-7ad41ffb167b",
"name": "pod-hostnetwork",
"namespace": "default",
"annotations": {
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"pod-hostnetwork\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"nginx\",\"name\":\"nginx\",\"ports\":[{\"containerPort\":80}]}],\"hostNetwork\":true}}\n"
},
"managedFields": [
{
"time": "2025-05-22T13:06:12Z",
"manager": "kubectl-client-side-apply",
"fieldsV1": {
"f:spec": {
"f:dnsPolicy": {},
"f:containers": {
"k:{\"name\":\"nginx\"}": {
".": {},
"f:name": {},
"f:image": {},
"f:ports": {
".": {},
"k:{\"containerPort\":80,\"protocol\":\"TCP\"}": {
".": {},
"f:hostPort": {},
"f:protocol": {},
"f:containerPort": {}
}
},
"f:resources": {},
"f:imagePullPolicy": {},
"f:terminationMessagePath": {},
"f:terminationMessagePolicy": {}
}
},
"f:hostNetwork": {},
"f:restartPolicy": {},
"f:schedulerName": {},
"f:securityContext": {},
"f:enableServiceLinks": {},
"f:terminationGracePeriodSeconds": {}
},
"f:metadata": {
"f:annotations": {
".": {},
"f:kubectl.kubernetes.io/last-applied-configuration": {}
}
}
},
"operation": "Update",
"apiVersion": "v1",
"fieldsType": "FieldsV1"
}
],
"resourceVersion": "12581",
"creationTimestamp": "2025-05-22T13:06:12Z"
},
"apiVersion": "v1"
},
"responseStatus": {
"code": 201,
"metadata": {}
},
"stageTimestamp": "2025-05-22T13:06:12.975266Z",
"requestReceivedTimestamp": "2025-05-22T13:06:12.952499Z"
}
{
"kind": "Event",
"user": {
"extra": {
"authentication.kubernetes.io/credential-id": [
"X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
]
},
"groups": [
"system:masters",
"system:authenticated"
],
"username": "minikube-user"
},
"verb": "create",
"level": "RequestResponse",
"stage": "ResponseComplete",
"auditID": "29480e0b-5b7a-43b0-8618-d5122aff5817",
"objectRef": {
"name": "pod-hostpath",
"resource": "pods",
"namespace": "default",
"apiVersion": "v1"
},
"sourceIPs": [
"1.2.3.4"
],
"userAgent": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
"apiVersion": "audit.k8s.io/v1",
"requestURI": "/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply&fieldValidation=Strict",
"annotations": {
"authorization.k8s.io/reason": "",
"authorization.k8s.io/decision": "allow",
"pod-security.kubernetes.io/enforce-policy": "privileged:latest"
},
"requestObject": {
"kind": "Pod",
"spec": {
"volumes": [
{
"name": "host-volume",
"hostPath": {
"path": "/tmp/testdir",
"type": "DirectoryOrCreate"
}
}
],
"dnsPolicy": "ClusterFirst",
"containers": [
{
"name": "test-container",
"image": "ubuntu:24.04",
"command": [
"bash",
"-c",
"sleep infinity"
],
"resources": {},
"volumeMounts": [
{
"name": "host-volume",
"mountPath": "/mnt/host"
}
],
"imagePullPolicy": "IfNotPresent",
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File"
}
],
"restartPolicy": "Always",
"schedulerName": "default-scheduler",
"securityContext": {},
"enableServiceLinks": true,
"terminationGracePeriodSeconds": 30
},
"status": {},
"metadata": {
"name": "pod-hostpath",
"namespace": "default",
"annotations": {
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"pod-hostpath\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"command\":[\"bash\",\"-c\",\"sleep infinity\"],\"image\":\"ubuntu:24.04\",\"name\":\"test-container\",\"volumeMounts\":[{\"mountPath\":\"/mnt/host\",\"name\":\"host-volume\"}]}],\"volumes\":[{\"hostPath\":{\"path\":\"/tmp/testdir\",\"type\":\"DirectoryOrCreate\"},\"name\":\"host-volume\"}]}}\n"
},
"creationTimestamp": null
},
"apiVersion": "v1"
},
"responseObject": {
"kind": "Pod",
"spec": {
"volumes": [
{
"name": "host-volume",
"hostPath": {
"path": "/tmp/testdir",
"type": "DirectoryOrCreate"
}
},
{
"name": "kube-api-access-5xkx2",
"projected": {
"sources": [
{
"serviceAccountToken": {
"path": "token",
"expirationSeconds": 3607
}
},
{
"configMap": {
"name": "kube-root-ca.crt",
"items": [
{
"key": "ca.crt",
"path": "ca.crt"
}
]
}
},
{
"downwardAPI": {
"items": [
{
"path": "namespace",
"fieldRef": {
"fieldPath": "metadata.namespace",
"apiVersion": "v1"
}
}
]
}
}
],
"defaultMode": 420
}
}
],
"priority": 0,
"dnsPolicy": "ClusterFirst",
"containers": [
{
"name": "test-container",
"image": "ubuntu:24.04",
"command": [
"bash",
"-c",
"sleep infinity"
],
"resources": {},
"volumeMounts": [
{
"name": "host-volume",
"mountPath": "/mnt/host"
},
{
"name": "kube-api-access-5xkx2",
"readOnly": true,
"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
}
],
"imagePullPolicy": "IfNotPresent",
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File"
}
],
"tolerations": [
{
"key": "node.kubernetes.io/not-ready",
"effect": "NoExecute",
"operator": "Exists",
"tolerationSeconds": 300
},
{
"key": "node.kubernetes.io/unreachable",
"effect": "NoExecute",
"operator": "Exists",
"tolerationSeconds": 300
}
],
"restartPolicy": "Always",
"schedulerName": "default-scheduler",
"serviceAccount": "default",
"securityContext": {},
"preemptionPolicy": "PreemptLowerPriority",
"enableServiceLinks": true,
"serviceAccountName": "default",
"terminationGracePeriodSeconds": 30
},
"status": {
"phase": "Pending",
"qosClass": "BestEffort"
},
"metadata": {
"uid": "31182568-10d0-4f5d-815c-40145be2c09a",
"name": "pod-hostpath",
"namespace": "default",
"annotations": {
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"pod-hostpath\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"command\":[\"bash\",\"-c\",\"sleep infinity\"],\"image\":\"ubuntu:24.04\",\"name\":\"test-container\",\"volumeMounts\":[{\"mountPath\":\"/mnt/host\",\"name\":\"host-volume\"}]}],\"volumes\":[{\"hostPath\":{\"path\":\"/tmp/testdir\",\"type\":\"DirectoryOrCreate\"},\"name\":\"host-volume\"}]}}\n"
},
"managedFields": [
{
"time": "2025-05-22T13:23:44Z",
"manager": "kubectl-client-side-apply",
"fieldsV1": {
"f:spec": {
"f:volumes": {
".": {},
"k:{\"name\":\"host-volume\"}": {
".": {},
"f:name": {},
"f:hostPath": {
".": {},
"f:path": {},
"f:type": {}
}
}
},
"f:dnsPolicy": {},
"f:containers": {
"k:{\"name\":\"test-container\"}": {
".": {},
"f:name": {},
"f:image": {},
"f:command": {},
"f:resources": {},
"f:volumeMounts": {
".": {},
"k:{\"mountPath\":\"/mnt/host\"}": {
".": {},
"f:name": {},
"f:mountPath": {}
}
},
"f:imagePullPolicy": {},
"f:terminationMessagePath": {},
"f:terminationMessagePolicy": {}
}
},
"f:restartPolicy": {},
"f:schedulerName": {},
"f:securityContext": {},
"f:enableServiceLinks": {},
"f:terminationGracePeriodSeconds": {}
},
"f:metadata": {
"f:annotations": {
".": {},
"f:kubectl.kubernetes.io/last-applied-configuration": {}
}
}
},
"operation": "Update",
"apiVersion": "v1",
"fieldsType": "FieldsV1"
}
],
"resourceVersion": "13438",
"creationTimestamp": "2025-05-22T13:23:44Z"
},
"apiVersion": "v1"
},
"responseStatus": {
"code": 201,
"metadata": {}
},
"stageTimestamp": "2025-05-22T13:23:44.890020Z",
"requestReceivedTimestamp": "2025-05-22T13:23:44.884869Z"
}
{
"level": "RequestResponse",
"auditID": "91afc40c-f1ef-4956-b85a-7e12d09511e9",
"stage": "ResponseComplete",
"requestURI": "/api/v1/namespaces/test/pods/test-1669140000-zp58r/exec?command=sh&container=test&stdin=true&stdout=true&tty=true",
"verb": "create",
"user": {
"username": "user@mail.com",
"groups": [
"system:authenticated"
]
},
"sourceIPs": [
"192.168.0.1"
],
"userAgent": "kubectl/v1.24.2 (linux/amd64) kubernetes/f66044f",
"objectRef": {
"resource": "pods",
"namespace": "test",
"name": "test-1669140000-zp58r",
"apiVersion": "v1",
"subresource": "exec"
},
"responseStatus": {
"metadata": {},
"code": 101
},
"requestReceivedTimestamp": "2022-11-23T14:36:45.243457Z",
"stageTimestamp": "2022-11-23T14:36:53.531481Z",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding test-role-binding of ClusterRole test-admin to Group system:authenticated"
}
}
{
"kind": "Event",
"apiVersion": "audit.k8s.io/v1",
"level": "Request",
"auditID": "bdeb089c-5d70-4776-b6af-88e739fb0dd5",
"stage": "ResponseComplete",
"requestURI": "/api/v1/namespaces/support/pods?limit=500",
"verb": "list",
"user": {
"username": "system:serviceaccount:pinniped-concierge:pinniped-concierge-impersonation-proxy",
"uid": "6258bd11-9713-442b-bbed-2587a76975d9",
"groups": [
"system:serviceaccounts",
"system:serviceaccounts:pinniped-concierge",
"system:authenticated"
],
"extra": {
"authentication.kubernetes.io/credential-id": [
"JTI=581d10f3-b521-480f-aa42-bcd6a70df8ea"
]
}
},
"impersonatedUser": {
"username": "john.doe@example.org",
"groups": [
"admin",
"system:authenticated"
]
},
"sourceIPs": [
"1.1.1.1",
"2.2.2.2"
],
"userAgent": "kubectl/v1.29.2 (linux/amd64) kubernetes/4b8e819",
"objectRef": {
"resource": "pods",
"namespace": "support",
"apiVersion": "v1"
},
"responseStatus": {
"metadata": {},
"code": 200
},
"requestReceivedTimestamp": "2025-01-23T14:56:02.374424Z",
"stageTimestamp": "2025-01-23T14:56:02.400865Z",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"pinniped-admin-role-binding\" of ClusterRole \"cluster-admin\" to Group \"admin\""
}
}
{
"level": "RequestResponse",
"auditID": "bbd6d83f-4b6d-4a3d-b3cd-840a0691c19f",
"stage": "ResponseComplete",
"requestURI": "/apis/apps/v1/namespaces/test/deployments/test/scale",
"verb": "patch",
"user": {
"username": "user@mail.com",
"groups": [
"system:authenticated"
]
},
"sourceIPs": [
"192.168.0.1"
],
"userAgent": "kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19",
"objectRef": {
"resource": "deployments",
"namespace": "test",
"apiGroup": "apps",
"apiVersion": "v1",
"subresource": "scale"
},
"responseStatus": {
"metadata": {},
"code": 200
},
"requestObject": {
"spec": {
"replicas": 3
}
},
"responseObject": {
"kind": "Scale",
"apiVersion": "autoscaling/v1",
"metadata": {
"name": "test",
"namespace": "test",
"selfLink": "/apis/apps/v1/namespaces/test/deployments/test/scale",
"uid": "7e649fbd-ca1b-4e30-b763-1b52527c774b",
"resourceVersion": "1368503426",
"creationTimestamp": "2020-01-24T17:04:30Z"
},
"spec": {
"replicas": 3
},
"status": {
"replicas": 2,
"selector": "test=test"
}
},
"requestReceivedTimestamp": "2022-11-23T13:10:04.499444Z",
"stageTimestamp": "2022-11-23T13:10:04.514995Z",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"test-role-binding\" of ClusterRole \"test-admin\" to Group \"system:authenticated\""
}
}
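The samples above are the kind of events a detection pipeline matches on. As an added example (not the Sekoia.io parser or one of its built-in rules), the following Python scans audit events as JSON lines and flags the patterns the samples illustrate: a binding to the cluster-admin ClusterRole, a pod created with a privileged container, host networking or a hostPath volume, an exec/attach into a pod, and a request made through impersonation. The events embedded in the block are constructed from the samples above, cut down to the fields the checks read.

```python
"""Detection checks over raw Kubernetes audit events (one JSON object per line).

Added example for this page; it is not the Sekoia.io parser nor one of its
built-in rules. SAMPLE_EVENTS is constructed from the raw samples above, cut
down to the fields the checks read. The body checks need events at level
Request or RequestResponse: at Metadata there is no requestObject to inspect.
"""
import json
from typing import Dict, List, Optional

SAMPLE_EVENTS = r"""
{"kind":"Event","auditID":"cc1dcb56-f0e4-4720-bad1-433ce652add7","level":"RequestResponse","verb":"create","user":{"username":"minikube-user","groups":["system:masters","system:authenticated"]},"sourceIPs":["1.2.3.4"],"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"example-admin-binding"},"annotations":{"authorization.k8s.io/decision":"allow"},"requestObject":{"kind":"ClusterRoleBinding","roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"example","namespace":"default"}]}}
{"kind":"Event","auditID":"8cb523a6-0be6-4198-8886-ed4fa57bd375","level":"RequestResponse","verb":"create","user":{"username":"minikube-user","groups":["system:masters","system:authenticated"]},"sourceIPs":["1.2.3.4"],"objectRef":{"resource":"pods","namespace":"default","name":"priv-shell"},"annotations":{"authorization.k8s.io/decision":"allow","pod-security.kubernetes.io/enforce-policy":"privileged:latest"},"requestObject":{"kind":"Pod","spec":{"containers":[{"name":"shell","image":"ubuntu:24.04","securityContext":{"privileged":true}}]}}}
{"kind":"Event","auditID":"762eda6e-4122-4997-9a87-ada5442d43d5","level":"RequestResponse","verb":"create","user":{"username":"minikube-user","groups":["system:masters","system:authenticated"]},"sourceIPs":["1.2.3.4"],"objectRef":{"resource":"pods","namespace":"default","name":"pod-hostnetwork"},"annotations":{"authorization.k8s.io/decision":"allow","pod-security.kubernetes.io/enforce-policy":"privileged:latest"},"requestObject":{"kind":"Pod","spec":{"hostNetwork":true,"containers":[{"name":"nginx","image":"nginx","ports":[{"hostPort":80,"containerPort":80}]}]}}}
{"kind":"Event","auditID":"29480e0b-5b7a-43b0-8618-d5122aff5817","level":"RequestResponse","verb":"create","user":{"username":"minikube-user","groups":["system:masters","system:authenticated"]},"sourceIPs":["1.2.3.4"],"objectRef":{"resource":"pods","namespace":"default","name":"pod-hostpath"},"annotations":{"authorization.k8s.io/decision":"allow","pod-security.kubernetes.io/enforce-policy":"privileged:latest"},"requestObject":{"kind":"Pod","spec":{"volumes":[{"name":"host-volume","hostPath":{"path":"/tmp/testdir","type":"DirectoryOrCreate"}}],"containers":[{"name":"test-container","image":"ubuntu:24.04","volumeMounts":[{"name":"host-volume","mountPath":"/mnt/host"}]}]}}}
{"kind":"Event","auditID":"91afc40c-f1ef-4956-b85a-7e12d09511e9","level":"RequestResponse","verb":"create","user":{"username":"user@mail.com","groups":["system:authenticated"]},"sourceIPs":["192.168.0.1"],"requestURI":"/api/v1/namespaces/test/pods/test-1669140000-zp58r/exec?command=sh&container=test&stdin=true&stdout=true&tty=true","objectRef":{"resource":"pods","namespace":"test","name":"test-1669140000-zp58r","subresource":"exec"},"responseStatus":{"code":101},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"kind":"Event","auditID":"bdeb089c-5d70-4776-b6af-88e739fb0dd5","level":"Request","verb":"list","user":{"username":"system:serviceaccount:pinniped-concierge:pinniped-concierge-impersonation-proxy","groups":["system:serviceaccounts","system:authenticated"]},"impersonatedUser":{"username":"john.doe@example.org","groups":["admin","system:authenticated"]},"sourceIPs":["1.1.1.1","2.2.2.2"],"objectRef":{"resource":"pods","namespace":"support"},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"kind":"Event","auditID":"bbd6d83f-4b6d-4a3d-b3cd-840a0691c19f","level":"RequestResponse","verb":"patch","user":{"username":"user@mail.com","groups":["system:authenticated"]},"sourceIPs":["192.168.0.1"],"objectRef":{"resource":"deployments","namespace":"test","apiGroup":"apps","subresource":"scale"},"requestObject":{"spec":{"replicas":3}},"annotations":{"authorization.k8s.io/decision":"allow"}}
"""


def check_cluster_admin_binding(ev: dict) -> Optional[str]:
    """(Cluster)RoleBinding written with roleRef ClusterRole/cluster-admin."""
    ref = ev.get("objectRef", {})
    if ev.get("verb") not in ("create", "update", "patch"):
        return None
    if ref.get("resource") not in ("clusterrolebindings", "rolebindings"):
        return None
    body = ev.get("requestObject", {})
    role = body.get("roleRef", {})
    if role.get("kind") != "ClusterRole" or role.get("name") != "cluster-admin":
        return None
    subjects = ", ".join(f"{s.get('kind')}/{s.get('name')}" for s in body.get("subjects", []))
    return f"{ref.get('name')} binds cluster-admin to {subjects}"


def check_risky_pod_spec(ev: dict) -> Optional[str]:
    """Pod created with a privileged container, host namespaces or hostPath volumes."""
    if ev.get("verb") != "create" or ev.get("objectRef", {}).get("resource") != "pods":
        return None
    spec = ev.get("requestObject", {}).get("spec", {})
    flags = []
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    if any(c.get("securityContext", {}).get("privileged") for c in containers):
        flags.append("privileged container")
    flags += [k for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    paths = [v["hostPath"].get("path") for v in spec.get("volumes", []) if "hostPath" in v]
    if paths:
        flags.append("hostPath " + ", ".join(paths))
    return "; ".join(flags) or None


def check_pod_exec(ev: dict) -> Optional[str]:
    """Interactive access to a running container via the exec/attach subresource."""
    ref = ev.get("objectRef", {})
    if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach"):
        return f"{ref['subresource']} into {ref.get('namespace')}/{ref.get('name')}"
    return None


def check_impersonation(ev: dict) -> Optional[str]:
    """Request issued on behalf of another identity (impersonatedUser is set)."""
    imp = ev.get("impersonatedUser")
    if not imp:
        return None
    return f"{ev.get('user', {}).get('username')} acted as {imp.get('username')}"


CHECKS = {
    "cluster_admin_binding": check_cluster_admin_binding,
    "risky_pod_spec": check_risky_pod_spec,
    "pod_exec": check_pod_exec,
    "impersonation": check_impersonation,
}


def scan(lines: str) -> List[Dict]:
    """Run every check on every event; one finding per (event, check) that fires."""
    findings = []
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        for name, check in CHECKS.items():
            detail = check(ev)
            if detail:
                findings.append({
                    "auditID": ev.get("auditID"),
                    "rule": name,
                    "user": ev.get("user", {}).get("username"),
                    "source_ip": (ev.get("sourceIPs") or [None])[0],
                    "decision": ev.get("annotations", {}).get("authorization.k8s.io/decision"),
                    "detail": detail,
                })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['auditID']} {f['rule']:<22} {f['user']} from {f['source_ip']} "
              f"[{f['decision']}]: {f['detail']}")
```

The scale patch in the last sample event produces no finding, which is the expected behaviour for routine operations.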
Event Categories
The following table lists the data source offered by this integration.

| Data Source | Description |
|---|---|
| Application logs | Audit logs of Kubernetes clusters |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities on the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\"kind\": \"Event\", \"user\": {\"extra\": {\"authentication.kubernetes.io/credential-id\": [\"X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\"]}, \"groups\": [\"system:masters\", \"system:authenticated\"], \"username\": \"minikube-user\"}, \"verb\": \"create\", \"level\": \"RequestResponse\", \"stage\": \"ResponseComplete\", \"auditID\": \"cc1dcb56-f0e4-4720-bad1-433ce652add7\", \"objectRef\": {\"name\": \"example-admin-binding\", \"apiGroup\": \"rbac.authorization.k8s.io\", \"resource\": \"clusterrolebindings\", \"apiVersion\": \"v1\"}, \"sourceIPs\": [\"1.2.3.4\"], \"userAgent\": \"kubectl/v1.32.5 (linux/amd64) kubernetes/9894294\", \"apiVersion\": \"audit.k8s.io/v1\", \"requestURI\": \"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings?fieldManager=kubectl-create&fieldValidation=Strict\", \"annotations\": {\"authorization.k8s.io/reason\": \"\", \"authorization.k8s.io/decision\": \"allow\"}, \"requestObject\": {\"kind\": \"ClusterRoleBinding\", \"roleRef\": {\"kind\": \"ClusterRole\", \"name\": \"cluster-admin\", \"apiGroup\": \"rbac.authorization.k8s.io\"}, \"metadata\": {\"name\": \"example-admin-binding\", \"creationTimestamp\": null}, \"subjects\": [{\"kind\": \"ServiceAccount\", \"name\": \"example\", \"namespace\": \"default\"}], \"apiVersion\": \"rbac.authorization.k8s.io/v1\"}, \"responseObject\": {\"kind\": \"ClusterRoleBinding\", \"roleRef\": {\"kind\": \"ClusterRole\", \"name\": \"cluster-admin\", \"apiGroup\": \"rbac.authorization.k8s.io\"}, \"metadata\": {\"uid\": \"63d6ae6a-e969-495c-b7ab-b730b203501c\", \"name\": \"example-admin-binding\", \"managedFields\": [{\"time\": \"2025-05-22T12:23:08Z\", \"manager\": \"kubectl-create\", \"fieldsV1\": {\"f:roleRef\": {}, \"f:subjects\": {}}, \"operation\": \"Update\", \"apiVersion\": \"rbac.authorization.k8s.io/v1\", \"fieldsType\": \"FieldsV1\"}], \"resourceVersion\": \"10616\", \"creationTimestamp\": \"2025-05-22T12:23:08Z\"}, \"subjects\": [{\"kind\": \"ServiceAccount\", \"name\": \"example\", \"namespace\": \"default\"}], \"apiVersion\": \"rbac.authorization.k8s.io/v1\"}, \"responseStatus\": {\"code\": 201, \"metadata\": {}}, \"stageTimestamp\": \"2025-05-22T12:23:08.704223Z\", \"requestReceivedTimestamp\": \"2025-05-22T12:23:08.702110Z\"}",
"event": {
"action": "create",
"code": "cc1dcb56-f0e4-4720-bad1-433ce652add7",
"outcome": "allow",
"start": "2025-05-22T12:23:08.702110Z"
},
"action": {
"outcome": "allow"
},
"http": {
"response": {
"status_code": 201
}
},
"kubernetes": {
"api": {
"group": "rbac.authorization.k8s.io"
},
"object": {
"name": "example-admin-binding"
},
"resource": "clusterrolebindings",
"role": {
"name": "cluster-admin"
}
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"minikube-user"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"url": {
"path": "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings?fieldManager=kubectl-create&fieldValidation=Strict"
},
"user": {
"name": "minikube-user",
"roles": [
"system:authenticated",
"system:masters"
]
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
"os": {
"name": "Linux"
}
}
}
{
"message": "{\"kind\": \"Event\", \"user\": {\"extra\": {\"authentication.kubernetes.io/credential-id\": [\"X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\"]}, \"groups\": [\"system:masters\", \"system:authenticated\"], \"username\": \"minikube-user\"}, \"verb\": \"create\", \"level\": \"RequestResponse\", \"stage\": \"ResponseComplete\", \"auditID\": \"2028e1f9-4561-4668-9df4-bc0dcd3ae11b\", \"objectRef\": {\"name\": \"example-admin-binding\", \"apiGroup\": \"rbac.authorization.k8s.io\", \"resource\": \"clusterrolebindings\", \"apiVersion\": \"v1\"}, \"sourceIPs\": [\"1.2.3.4\"], \"userAgent\": \"kubectl/v1.32.5 (linux/amd64) kubernetes/9894294\", \"apiVersion\": \"audit.k8s.io/v1\", \"requestURI\": \"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings?fieldManager=kubectl-create&fieldValidation=Strict\", \"annotations\": {\"authorization.k8s.io/reason\": \"\", \"authorization.k8s.io/decision\": \"allow\"}, \"requestObject\": {\"kind\": \"ClusterRoleBinding\", \"roleRef\": {\"kind\": \"ClusterRole\", \"name\": \"cluster-admin\", \"apiGroup\": \"rbac.authorization.k8s.io\"}, \"metadata\": {\"name\": \"example-admin-binding\", \"creationTimestamp\": null}, \"subjects\": [{\"kind\": \"ServiceAccount\", \"name\": \"example\", \"namespace\": \"default\"}], \"apiVersion\": \"rbac.authorization.k8s.io/v1\"}, \"responseObject\": {\"kind\": \"ClusterRoleBinding\", \"roleRef\": {\"kind\": \"ClusterRole\", \"name\": \"cluster-admin\", \"apiGroup\": \"rbac.authorization.k8s.io\"}, \"metadata\": {\"uid\": \"804440c7-256c-4187-84f3-1e644906db18\", \"name\": \"example-admin-binding\", \"managedFields\": [{\"time\": \"2025-05-22T12:23:08Z\", \"manager\": \"kubectl-create\", \"fieldsV1\": {\"f:roleRef\": {}, \"f:subjects\": {}}, \"operation\": \"Update\", \"apiVersion\": \"rbac.authorization.k8s.io/v1\", \"fieldsType\": \"FieldsV1\"}], \"resourceVersion\": \"10616\", \"creationTimestamp\": \"2025-05-22T12:23:08Z\"}, \"subjects\": [{\"kind\": \"ServiceAccount\", \"name\": \"example\", \"namespace\": \"default\"}], \"apiVersion\": \"rbac.authorization.k8s.io/v1\"}, \"responseStatus\": {\"code\": 201, \"metadata\": {}}, \"stageTimestamp\": \"2025-05-22T12:23:08.704223Z\", \"requestReceivedTimestamp\": \"2025-05-22T12:23:08.702110Z\"}",
"event": {
"action": "create",
"code": "2028e1f9-4561-4668-9df4-bc0dcd3ae11b",
"outcome": "allow",
"start": "2025-05-22T12:23:08.702110Z"
},
"action": {
"outcome": "allow"
},
"http": {
"response": {
"status_code": 201
}
},
"kubernetes": {
"api": {
"group": "rbac.authorization.k8s.io"
},
"object": {
"name": "example-admin-binding"
},
"resource": "clusterrolebindings",
"role": {
"name": "cluster-admin"
}
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"minikube-user"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"url": {
"path": "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings?fieldManager=kubectl-create&fieldValidation=Strict"
},
"user": {
"name": "minikube-user",
"roles": [
"system:authenticated",
"system:masters"
]
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
"os": {
"name": "Linux"
}
}
}
{
"message": "{\"kind\": \"Event\", \"user\": {\"extra\": {\"authentication.kubernetes.io/credential-id\": [\"X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\"]}, \"groups\": [\"system:masters\", \"system:authenticated\"], \"username\": \"minikube-user\"}, \"verb\": \"create\", \"level\": \"RequestResponse\", \"stage\": \"ResponseComplete\", \"auditID\": \"8cb523a6-0be6-4198-8886-ed4fa57bd375\", \"objectRef\": {\"name\": \"priv-shell\", \"resource\": \"pods\", \"namespace\": \"default\", \"apiVersion\": \"v1\"}, \"sourceIPs\": [\"1.2.3.4\"], \"userAgent\": \"kubectl/v1.32.5 (linux/amd64) kubernetes/9894294\", \"apiVersion\": \"audit.k8s.io/v1\", \"requestURI\": \"/api/v1/namespaces/default/pods?fieldManager=kubectl-run\", \"annotations\": {\"authorization.k8s.io/reason\": \"\", \"authorization.k8s.io/decision\": \"allow\", \"pod-security.kubernetes.io/enforce-policy\": \"privileged:latest\"}, \"requestObject\": {\"kind\": \"Pod\", \"spec\": {\"dnsPolicy\": \"ClusterFirst\", \"containers\": [{\"name\": \"shell\", \"image\": \"ubuntu:24.04\", \"command\": [\"bash\", \"-c\", \"sleep infinity\"], \"resources\": {}, \"imagePullPolicy\": \"IfNotPresent\", \"securityContext\": {\"privileged\": true}, \"terminationMessagePath\": \"/dev/termination-log\", \"terminationMessagePolicy\": \"File\"}], \"restartPolicy\": \"Never\", \"schedulerName\": \"default-scheduler\", \"securityContext\": {}, \"enableServiceLinks\": true, \"terminationGracePeriodSeconds\": 30}, \"status\": {}, \"metadata\": {\"name\": \"priv-shell\", \"labels\": {\"run\": \"priv-shell\"}, \"creationTimestamp\": null}, \"apiVersion\": \"v1\"}, \"responseObject\": {\"kind\": \"Pod\", \"spec\": {\"volumes\": [{\"name\": \"kube-api-access-cmszt\", \"projected\": {\"sources\": [{\"serviceAccountToken\": {\"path\": \"token\", \"expirationSeconds\": 3607}}, {\"configMap\": {\"name\": \"kube-root-ca.crt\", \"items\": [{\"key\": \"ca.crt\", \"path\": \"ca.crt\"}]}}, {\"downwardAPI\": 
{\"items\": [{\"path\": \"namespace\", \"fieldRef\": {\"fieldPath\": \"metadata.namespace\", \"apiVersion\": \"v1\"}}]}}], \"defaultMode\": 420}}], \"priority\": 0, \"dnsPolicy\": \"ClusterFirst\", \"containers\": [{\"name\": \"shell\", \"image\": \"ubuntu:24.04\", \"command\": [\"bash\", \"-c\", \"sleep infinity\"], \"resources\": {}, \"volumeMounts\": [{\"name\": \"kube-api-access-cmszt\", \"readOnly\": true, \"mountPath\": \"/var/run/secrets/kubernetes.io/serviceaccount\"}], \"imagePullPolicy\": \"IfNotPresent\", \"securityContext\": {\"privileged\": true}, \"terminationMessagePath\": \"/dev/termination-log\", \"terminationMessagePolicy\": \"File\"}], \"tolerations\": [{\"key\": \"node.kubernetes.io/not-ready\", \"effect\": \"NoExecute\", \"operator\": \"Exists\", \"tolerationSeconds\": 300}, {\"key\": \"node.kubernetes.io/unreachable\", \"effect\": \"NoExecute\", \"operator\": \"Exists\", \"tolerationSeconds\": 300}], \"restartPolicy\": \"Never\", \"schedulerName\": \"default-scheduler\", \"serviceAccount\": \"default\", \"securityContext\": {}, \"preemptionPolicy\": \"PreemptLowerPriority\", \"enableServiceLinks\": true, \"serviceAccountName\": \"default\", \"terminationGracePeriodSeconds\": 30}, \"status\": {\"phase\": \"Pending\", \"qosClass\": \"BestEffort\"}, \"metadata\": {\"uid\": \"b213474e-679f-43e4-8e26-6bfde524ba34\", \"name\": \"priv-shell\", \"labels\": {\"run\": \"priv-shell\"}, \"namespace\": \"default\", \"managedFields\": [{\"time\": \"2025-05-22T13:14:38Z\", \"manager\": \"kubectl-run\", \"fieldsV1\": {\"f:spec\": {\"f:dnsPolicy\": {}, \"f:containers\": {\"k:{\\\"name\\\":\\\"shell\\\"}\": {\".\": {}, \"f:name\": {}, \"f:image\": {}, \"f:command\": {}, \"f:resources\": {}, \"f:imagePullPolicy\": {}, \"f:securityContext\": {\".\": {}, \"f:privileged\": {}}, \"f:terminationMessagePath\": {}, \"f:terminationMessagePolicy\": {}}}, \"f:restartPolicy\": {}, \"f:schedulerName\": {}, \"f:securityContext\": {}, \"f:enableServiceLinks\": {}, 
\"f:terminationGracePeriodSeconds\": {}}, \"f:metadata\": {\"f:labels\": {\".\": {}, \"f:run\": {}}}}, \"operation\": \"Update\", \"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\"}], \"resourceVersion\": \"12992\", \"creationTimestamp\": \"2025-05-22T13:14:38Z\"}, \"apiVersion\": \"v1\"}, \"responseStatus\": {\"code\": 201, \"metadata\": {}}, \"stageTimestamp\": \"2025-05-22T13:14:38.223786Z\", \"requestReceivedTimestamp\": \"2025-05-22T13:14:38.218223Z\"}",
"event": {
"action": "create",
"code": "8cb523a6-0be6-4198-8886-ed4fa57bd375",
"outcome": "allow",
"start": "2025-05-22T13:14:38.218223Z"
},
"action": {
"outcome": "allow"
},
"http": {
"response": {
"status_code": 201
}
},
"kubernetes": {
"namespace": "default",
"object": {
"name": "priv-shell"
},
"resource": "pods",
"spec": {
"containers": [
{
"command": [
"bash",
"-c",
"sleep infinity"
],
"image": "ubuntu:24.04",
"imagePullPolicy": "IfNotPresent",
"name": "shell",
"securityContext": {
"privileged": true
},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File"
}
]
}
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"minikube-user"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"url": {
"path": "/api/v1/namespaces/default/pods?fieldManager=kubectl-run"
},
"user": {
"name": "minikube-user",
"roles": [
"system:authenticated",
"system:masters"
]
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
"os": {
"name": "Linux"
}
}
}
{
"message": "{\"kind\": \"Event\", \"user\": {\"extra\": {\"authentication.kubernetes.io/credential-id\": [\"X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\"]}, \"groups\": [\"system:masters\", \"system:authenticated\"], \"username\": \"minikube-user\"}, \"verb\": \"create\", \"level\": \"RequestResponse\", \"stage\": \"ResponseComplete\", \"auditID\": \"762eda6e-4122-4997-9a87-ada5442d43d5\", \"objectRef\": {\"name\": \"pod-hostnetwork\", \"resource\": \"pods\", \"namespace\": \"default\", \"apiVersion\": \"v1\"}, \"sourceIPs\": [\"1.2.3.4\"], \"userAgent\": \"kubectl/v1.32.5 (linux/amd64) kubernetes/9894294\", \"apiVersion\": \"audit.k8s.io/v1\", \"requestURI\": \"/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply&fieldValidation=Strict\", \"annotations\": {\"authorization.k8s.io/reason\": \"\", \"authorization.k8s.io/decision\": \"allow\", \"pod-security.kubernetes.io/enforce-policy\": \"privileged:latest\"}, \"requestObject\": {\"kind\": \"Pod\", \"spec\": {\"dnsPolicy\": \"ClusterFirst\", \"containers\": [{\"name\": \"nginx\", \"image\": \"nginx\", \"ports\": [{\"hostPort\": 80, \"protocol\": \"TCP\", \"containerPort\": 80}], \"resources\": {}, \"imagePullPolicy\": \"Always\", \"terminationMessagePath\": \"/dev/termination-log\", \"terminationMessagePolicy\": \"File\"}], \"hostNetwork\": true, \"restartPolicy\": \"Always\", \"schedulerName\": \"default-scheduler\", \"securityContext\": {}, \"enableServiceLinks\": true, \"terminationGracePeriodSeconds\": 30}, \"status\": {}, \"metadata\": {\"name\": \"pod-hostnetwork\", \"namespace\": \"default\", \"annotations\": {\"kubectl.kubernetes.io/last-applied-configuration\": 
\"{\\\"apiVersion\\\":\\\"v1\\\",\\\"kind\\\":\\\"Pod\\\",\\\"metadata\\\":{\\\"annotations\\\":{},\\\"name\\\":\\\"pod-hostnetwork\\\",\\\"namespace\\\":\\\"default\\\"},\\\"spec\\\":{\\\"containers\\\":[{\\\"image\\\":\\\"nginx\\\",\\\"name\\\":\\\"nginx\\\",\\\"ports\\\":[{\\\"containerPort\\\":80}]}],\\\"hostNetwork\\\":true}}\\n\"}, \"creationTimestamp\": null}, \"apiVersion\": \"v1\"}, \"responseObject\": {\"kind\": \"Pod\", \"spec\": {\"volumes\": [{\"name\": \"kube-api-access-gt55x\", \"projected\": {\"sources\": [{\"serviceAccountToken\": {\"path\": \"token\", \"expirationSeconds\": 3607}}, {\"configMap\": {\"name\": \"kube-root-ca.crt\", \"items\": [{\"key\": \"ca.crt\", \"path\": \"ca.crt\"}]}}, {\"downwardAPI\": {\"items\": [{\"path\": \"namespace\", \"fieldRef\": {\"fieldPath\": \"metadata.namespace\", \"apiVersion\": \"v1\"}}]}}], \"defaultMode\": 420}}], \"priority\": 0, \"dnsPolicy\": \"ClusterFirst\", \"containers\": [{\"name\": \"nginx\", \"image\": \"nginx\", \"ports\": [{\"hostPort\": 80, \"protocol\": \"TCP\", \"containerPort\": 80}], \"resources\": {}, \"volumeMounts\": [{\"name\": \"kube-api-access-gt55x\", \"readOnly\": true, \"mountPath\": \"/var/run/secrets/kubernetes.io/serviceaccount\"}], \"imagePullPolicy\": \"Always\", \"terminationMessagePath\": \"/dev/termination-log\", \"terminationMessagePolicy\": \"File\"}], \"hostNetwork\": true, \"tolerations\": [{\"key\": \"node.kubernetes.io/not-ready\", \"effect\": \"NoExecute\", \"operator\": \"Exists\", \"tolerationSeconds\": 300}, {\"key\": \"node.kubernetes.io/unreachable\", \"effect\": \"NoExecute\", \"operator\": \"Exists\", \"tolerationSeconds\": 300}], \"restartPolicy\": \"Always\", \"schedulerName\": \"default-scheduler\", \"serviceAccount\": \"default\", \"securityContext\": {}, \"preemptionPolicy\": \"PreemptLowerPriority\", \"enableServiceLinks\": true, \"serviceAccountName\": \"default\", \"terminationGracePeriodSeconds\": 30}, \"status\": {\"phase\": \"Pending\", \"qosClass\": 
\"BestEffort\"}, \"metadata\": {\"uid\": \"e8303c60-6322-4241-a0ce-7ad41ffb167b\", \"name\": \"pod-hostnetwork\", \"namespace\": \"default\", \"annotations\": {\"kubectl.kubernetes.io/last-applied-configuration\": \"{\\\"apiVersion\\\":\\\"v1\\\",\\\"kind\\\":\\\"Pod\\\",\\\"metadata\\\":{\\\"annotations\\\":{},\\\"name\\\":\\\"pod-hostnetwork\\\",\\\"namespace\\\":\\\"default\\\"},\\\"spec\\\":{\\\"containers\\\":[{\\\"image\\\":\\\"nginx\\\",\\\"name\\\":\\\"nginx\\\",\\\"ports\\\":[{\\\"containerPort\\\":80}]}],\\\"hostNetwork\\\":true}}\\n\"}, \"managedFields\": [{\"time\": \"2025-05-22T13:06:12Z\", \"manager\": \"kubectl-client-side-apply\", \"fieldsV1\": {\"f:spec\": {\"f:dnsPolicy\": {}, \"f:containers\": {\"k:{\\\"name\\\":\\\"nginx\\\"}\": {\".\": {}, \"f:name\": {}, \"f:image\": {}, \"f:ports\": {\".\": {}, \"k:{\\\"containerPort\\\":80,\\\"protocol\\\":\\\"TCP\\\"}\": {\".\": {}, \"f:hostPort\": {}, \"f:protocol\": {}, \"f:containerPort\": {}}}, \"f:resources\": {}, \"f:imagePullPolicy\": {}, \"f:terminationMessagePath\": {}, \"f:terminationMessagePolicy\": {}}}, \"f:hostNetwork\": {}, \"f:restartPolicy\": {}, \"f:schedulerName\": {}, \"f:securityContext\": {}, \"f:enableServiceLinks\": {}, \"f:terminationGracePeriodSeconds\": {}}, \"f:metadata\": {\"f:annotations\": {\".\": {}, \"f:kubectl.kubernetes.io/last-applied-configuration\": {}}}}, \"operation\": \"Update\", \"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\"}], \"resourceVersion\": \"12581\", \"creationTimestamp\": \"2025-05-22T13:06:12Z\"}, \"apiVersion\": \"v1\"}, \"responseStatus\": {\"code\": 201, \"metadata\": {}}, \"stageTimestamp\": \"2025-05-22T13:06:12.975266Z\", \"requestReceivedTimestamp\": \"2025-05-22T13:06:12.952499Z\"}",
"event": {
"action": "create",
"code": "762eda6e-4122-4997-9a87-ada5442d43d5",
"outcome": "allow",
"start": "2025-05-22T13:06:12.952499Z"
},
"action": {
"outcome": "allow"
},
"http": {
"response": {
"status_code": 201
}
},
"kubernetes": {
"namespace": "default",
"object": {
"name": "pod-hostnetwork"
},
"resource": "pods",
"spec": {
"containers": [
{
"image": "nginx",
"imagePullPolicy": "Always",
"name": "nginx",
"ports": [
{
"containerPort": 80,
"hostPort": 80,
"protocol": "TCP"
}
],
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File"
}
],
"host_network": true
}
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"minikube-user"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"url": {
"path": "/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
},
"user": {
"name": "minikube-user",
"roles": [
"system:authenticated",
"system:masters"
]
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
"os": {
"name": "Linux"
}
}
}
{
"message": "{\"kind\": \"Event\", \"user\": {\"extra\": {\"authentication.kubernetes.io/credential-id\": [\"X509SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\"]}, \"groups\": [\"system:masters\", \"system:authenticated\"], \"username\": \"minikube-user\"}, \"verb\": \"create\", \"level\": \"RequestResponse\", \"stage\": \"ResponseComplete\", \"auditID\": \"29480e0b-5b7a-43b0-8618-d5122aff5817\", \"objectRef\": {\"name\": \"pod-hostpath\", \"resource\": \"pods\", \"namespace\": \"default\", \"apiVersion\": \"v1\"}, \"sourceIPs\": [\"1.2.3.4\"], \"userAgent\": \"kubectl/v1.32.5 (linux/amd64) kubernetes/9894294\", \"apiVersion\": \"audit.k8s.io/v1\", \"requestURI\": \"/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply&fieldValidation=Strict\", \"annotations\": {\"authorization.k8s.io/reason\": \"\", \"authorization.k8s.io/decision\": \"allow\", \"pod-security.kubernetes.io/enforce-policy\": \"privileged:latest\"}, \"requestObject\": {\"kind\": \"Pod\", \"spec\": {\"volumes\": [{\"name\": \"host-volume\", \"hostPath\": {\"path\": \"/tmp/testdir\", \"type\": \"DirectoryOrCreate\"}}], \"dnsPolicy\": \"ClusterFirst\", \"containers\": [{\"name\": \"test-container\", \"image\": \"ubuntu:24.04\", \"command\": [\"bash\", \"-c\", \"sleep infinity\"], \"resources\": {}, \"volumeMounts\": [{\"name\": \"host-volume\", \"mountPath\": \"/mnt/host\"}], \"imagePullPolicy\": \"IfNotPresent\", \"terminationMessagePath\": \"/dev/termination-log\", \"terminationMessagePolicy\": \"File\"}], \"restartPolicy\": \"Always\", \"schedulerName\": \"default-scheduler\", \"securityContext\": {}, \"enableServiceLinks\": true, \"terminationGracePeriodSeconds\": 30}, \"status\": {}, \"metadata\": {\"name\": \"pod-hostpath\", \"namespace\": \"default\", \"annotations\": {\"kubectl.kubernetes.io/last-applied-configuration\": 
\"{\\\"apiVersion\\\":\\\"v1\\\",\\\"kind\\\":\\\"Pod\\\",\\\"metadata\\\":{\\\"annotations\\\":{},\\\"name\\\":\\\"pod-hostpath\\\",\\\"namespace\\\":\\\"default\\\"},\\\"spec\\\":{\\\"containers\\\":[{\\\"command\\\":[\\\"bash\\\",\\\"-c\\\",\\\"sleep infinity\\\"],\\\"image\\\":\\\"ubuntu:24.04\\\",\\\"name\\\":\\\"test-container\\\",\\\"volumeMounts\\\":[{\\\"mountPath\\\":\\\"/mnt/host\\\",\\\"name\\\":\\\"host-volume\\\"}]}],\\\"volumes\\\":[{\\\"hostPath\\\":{\\\"path\\\":\\\"/tmp/testdir\\\",\\\"type\\\":\\\"DirectoryOrCreate\\\"},\\\"name\\\":\\\"host-volume\\\"}]}}\\n\"}, \"creationTimestamp\": null}, \"apiVersion\": \"v1\"}, \"responseObject\": {\"kind\": \"Pod\", \"spec\": {\"volumes\": [{\"name\": \"host-volume\", \"hostPath\": {\"path\": \"/tmp/testdir\", \"type\": \"DirectoryOrCreate\"}}, {\"name\": \"kube-api-access-5xkx2\", \"projected\": {\"sources\": [{\"serviceAccountToken\": {\"path\": \"token\", \"expirationSeconds\": 3607}}, {\"configMap\": {\"name\": \"kube-root-ca.crt\", \"items\": [{\"key\": \"ca.crt\", \"path\": \"ca.crt\"}]}}, {\"downwardAPI\": {\"items\": [{\"path\": \"namespace\", \"fieldRef\": {\"fieldPath\": \"metadata.namespace\", \"apiVersion\": \"v1\"}}]}}], \"defaultMode\": 420}}], \"priority\": 0, \"dnsPolicy\": \"ClusterFirst\", \"containers\": [{\"name\": \"test-container\", \"image\": \"ubuntu:24.04\", \"command\": [\"bash\", \"-c\", \"sleep infinity\"], \"resources\": {}, \"volumeMounts\": [{\"name\": \"host-volume\", \"mountPath\": \"/mnt/host\"}, {\"name\": \"kube-api-access-5xkx2\", \"readOnly\": true, \"mountPath\": \"/var/run/secrets/kubernetes.io/serviceaccount\"}], \"imagePullPolicy\": \"IfNotPresent\", \"terminationMessagePath\": \"/dev/termination-log\", \"terminationMessagePolicy\": \"File\"}], \"tolerations\": [{\"key\": \"node.kubernetes.io/not-ready\", \"effect\": \"NoExecute\", \"operator\": \"Exists\", \"tolerationSeconds\": 300}, {\"key\": \"node.kubernetes.io/unreachable\", \"effect\": \"NoExecute\", 
\"operator\": \"Exists\", \"tolerationSeconds\": 300}], \"restartPolicy\": \"Always\", \"schedulerName\": \"default-scheduler\", \"serviceAccount\": \"default\", \"securityContext\": {}, \"preemptionPolicy\": \"PreemptLowerPriority\", \"enableServiceLinks\": true, \"serviceAccountName\": \"default\", \"terminationGracePeriodSeconds\": 30}, \"status\": {\"phase\": \"Pending\", \"qosClass\": \"BestEffort\"}, \"metadata\": {\"uid\": \"31182568-10d0-4f5d-815c-40145be2c09a\", \"name\": \"pod-hostpath\", \"namespace\": \"default\", \"annotations\": {\"kubectl.kubernetes.io/last-applied-configuration\": \"{\\\"apiVersion\\\":\\\"v1\\\",\\\"kind\\\":\\\"Pod\\\",\\\"metadata\\\":{\\\"annotations\\\":{},\\\"name\\\":\\\"pod-hostpath\\\",\\\"namespace\\\":\\\"default\\\"},\\\"spec\\\":{\\\"containers\\\":[{\\\"command\\\":[\\\"bash\\\",\\\"-c\\\",\\\"sleep infinity\\\"],\\\"image\\\":\\\"ubuntu:24.04\\\",\\\"name\\\":\\\"test-container\\\",\\\"volumeMounts\\\":[{\\\"mountPath\\\":\\\"/mnt/host\\\",\\\"name\\\":\\\"host-volume\\\"}]}],\\\"volumes\\\":[{\\\"hostPath\\\":{\\\"path\\\":\\\"/tmp/testdir\\\",\\\"type\\\":\\\"DirectoryOrCreate\\\"},\\\"name\\\":\\\"host-volume\\\"}]}}\\n\"}, \"managedFields\": [{\"time\": \"2025-05-22T13:23:44Z\", \"manager\": \"kubectl-client-side-apply\", \"fieldsV1\": {\"f:spec\": {\"f:volumes\": {\".\": {}, \"k:{\\\"name\\\":\\\"host-volume\\\"}\": {\".\": {}, \"f:name\": {}, \"f:hostPath\": {\".\": {}, \"f:path\": {}, \"f:type\": {}}}}, \"f:dnsPolicy\": {}, \"f:containers\": {\"k:{\\\"name\\\":\\\"test-container\\\"}\": {\".\": {}, \"f:name\": {}, \"f:image\": {}, \"f:command\": {}, \"f:resources\": {}, \"f:volumeMounts\": {\".\": {}, \"k:{\\\"mountPath\\\":\\\"/mnt/host\\\"}\": {\".\": {}, \"f:name\": {}, \"f:mountPath\": {}}}, \"f:imagePullPolicy\": {}, \"f:terminationMessagePath\": {}, \"f:terminationMessagePolicy\": {}}}, \"f:restartPolicy\": {}, \"f:schedulerName\": {}, \"f:securityContext\": {}, \"f:enableServiceLinks\": {}, 
\"f:terminationGracePeriodSeconds\": {}}, \"f:metadata\": {\"f:annotations\": {\".\": {}, \"f:kubectl.kubernetes.io/last-applied-configuration\": {}}}}, \"operation\": \"Update\", \"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\"}], \"resourceVersion\": \"13438\", \"creationTimestamp\": \"2025-05-22T13:23:44Z\"}, \"apiVersion\": \"v1\"}, \"responseStatus\": {\"code\": 201, \"metadata\": {}}, \"stageTimestamp\": \"2025-05-22T13:23:44.890020Z\", \"requestReceivedTimestamp\": \"2025-05-22T13:23:44.884869Z\"}",
"event": {
"action": "create",
"code": "29480e0b-5b7a-43b0-8618-d5122aff5817",
"outcome": "allow",
"start": "2025-05-22T13:23:44.884869Z"
},
"action": {
"outcome": "allow"
},
"http": {
"response": {
"status_code": 201
}
},
"kubernetes": {
"namespace": "default",
"object": {
"name": "pod-hostpath"
},
"resource": "pods",
"spec": {
"containers": [
{
"command": [
"bash",
"-c",
"sleep infinity"
],
"image": "ubuntu:24.04",
"imagePullPolicy": "IfNotPresent",
"name": "test-container",
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"volumeMounts": [
{
"mountPath": "/mnt/host",
"name": "host-volume"
}
]
}
],
"volumes": [
{
"hostPath": {
"path": "/tmp/testdir",
"type": "DirectoryOrCreate"
},
"name": "host-volume"
}
]
}
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"minikube-user"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"url": {
"path": "/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
},
"user": {
"name": "minikube-user",
"roles": [
"system:authenticated",
"system:masters"
]
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
"os": {
"name": "Linux"
}
}
}
{
"message": "{\"level\": \"RequestResponse\",\"auditID\": \"91afc40c-f1ef-4956-b85a-7e12d09511e9\",\"stage\": \"ResponseComplete\",\"requestURI\":\"/api/v1/namespaces/test/pods/test-1669140000-zp58r/exec?command=sh&container=test&stdin=true&stdout=true&tty=true\",\"verb\": \"create\",\"user\": {\"username\": \"user@mail.com\",\"groups\": [\"system:authenticated\"]},\"sourceIPs\": [\"192.168.0.1\"],\"userAgent\": \"kubectl/v1.24.2 (linux/amd64) kubernetes/f66044f\",\"objectRef\": {\"resource\": \"pods\",\"namespace\": \"test\",\"name\": \"test-1669140000-zp58r\",\"apiVersion\": \"v1\",\"subresource\": \"exec\"},\"responseStatus\": {\"metadata\": {},\"code\": 101},\"requestReceivedTimestamp\": \"2022-11-23T14:36:45.243457Z\",\"stageTimestamp\": \"2022-11-23T14:36:53.531481Z\",\"annotations\": {\"authorization.k8s.io/decision\": \"allow\",\"authorization.k8s.io/reason\": \"RBAC: allowed by ClusterRoleBinding test-role-binding of ClusterRole test-admin to Group system:authenticated\"}}",
"event": {
"action": "create",
"code": "91afc40c-f1ef-4956-b85a-7e12d09511e9",
"outcome": "allow",
"start": "2022-11-23T14:36:45.243457Z"
},
"action": {
"outcome": "allow"
},
"http": {
"response": {
"status_code": 101
}
},
"kubernetes": {
"namespace": "test",
"object": {
"name": "test-1669140000-zp58r"
},
"rbacreason": "RBAC: allowed by ClusterRoleBinding test-role-binding of ClusterRole test-admin to Group system:authenticated",
"resource": "pods",
"subresource": "exec"
},
"related": {
"ip": [
"192.168.0.1"
],
"user": [
"user@mail.com"
]
},
"source": {
"address": "192.168.0.1",
"ip": "192.168.0.1"
},
"url": {
"path": "/api/v1/namespaces/test/pods/test-1669140000-zp58r/exec?command=sh&container=test&stdin=true&stdout=true&tty=true"
},
"user": {
"name": "user@mail.com",
"roles": [
"system:authenticated"
]
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "kubectl/v1.24.2 (linux/amd64) kubernetes/f66044f",
"os": {
"name": "Linux"
}
}
}
{
"message": "{\"kind\":\"Event\",\"apiVersion\":\"audit.k8s.io/v1\",\"level\":\"Request\",\"auditID\":\"bdeb089c-5d70-4776-b6af-88e739fb0dd5\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/api/v1/namespaces/support/pods?limit=500\",\"verb\":\"list\",\"user\":{\"username\":\"system:serviceaccount:pinniped-concierge:pinniped-concierge-impersonation-proxy\",\"uid\":\"6258bd11-9713-442b-bbed-2587a76975d9\",\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:pinniped-concierge\",\"system:authenticated\"],\"extra\":{\"authentication.kubernetes.io/credential-id\":[\"JTI=581d10f3-b521-480f-aa42-bcd6a70df8ea\"]}},\"impersonatedUser\":{\"username\":\"john.doe@example.org\",\"groups\":[\"admin\",\"system:authenticated\"]},\"sourceIPs\":[\"1.1.1.1\",\"2.2.2.2\"],\"userAgent\":\"kubectl/v1.29.2 (linux/amd64) kubernetes/4b8e819\",\"objectRef\":{\"resource\":\"pods\",\"namespace\":\"support\",\"apiVersion\":\"v1\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestReceivedTimestamp\":\"2025-01-23T14:56:02.374424Z\",\"stageTimestamp\":\"2025-01-23T14:56:02.400865Z\",\"annotations\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"pinniped-admin-role-binding\\\" of ClusterRole \\\"cluster-admin\\\" to Group \\\"admin\\\"\"}}\n",
"event": {
"action": "list",
"code": "bdeb089c-5d70-4776-b6af-88e739fb0dd5",
"outcome": "allow",
"start": "2025-01-23T14:56:02.374424Z"
},
"action": {
"outcome": "allow"
},
"http": {
"response": {
"status_code": 200
}
},
"kubernetes": {
"namespace": "support",
"rbacreason": "RBAC: allowed by ClusterRoleBinding \"pinniped-admin-role-binding\" of ClusterRole \"cluster-admin\" to Group \"admin\"",
"resource": "pods"
},
"related": {
"ip": [
"1.1.1.1"
],
"user": [
"john.doe@example.org"
]
},
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
},
"url": {
"path": "/api/v1/namespaces/support/pods?limit=500"
},
"user": {
"id": "6258bd11-9713-442b-bbed-2587a76975d9",
"name": "john.doe@example.org",
"roles": [
"admin",
"system:authenticated"
]
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "kubectl/v1.29.2 (linux/amd64) kubernetes/4b8e819",
"os": {
"name": "Linux"
}
}
}
{
"message": "{\"level\":\"RequestResponse\",\"auditID\":\"bbd6d83f-4b6d-4a3d-b3cd-840a0691c19f\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/apis/apps/v1/namespaces/test/deployments/test/scale\",\"verb\":\"patch\",\"user\":{\"username\":\"user@mail.com\",\"groups\":[\"system:authenticated\"]},\"sourceIPs\":[\"192.168.0.1\"],\"userAgent\":\"kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19\",\"objectRef\":{\"resource\":\"deployments\",\"namespace\":\"test\",\"apiGroup\":\"apps\",\"apiVersion\":\"v1\",\"subresource\":\"scale\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestObject\":{\"spec\":{\"replicas\":3}},\"responseObject\":{\"kind\":\"Scale\",\"apiVersion\":\"autoscaling/v1\",\"metadata\":{\"name\":\"test\",\"namespace\":\"test\",\"selfLink\":\"/apis/apps/v1/namespaces/test/deployments/test/scale\",\"uid\":\"7e649fbd-ca1b-4e30-b763-1b52527c774b\",\"resourceVersion\":\"1368503426\",\"creationTimestamp\":\"2020-01-24T17:04:30Z\"},\"spec\":{\"replicas\":3},\"status\":{\"replicas\":2,\"selector\":\"test=test\"}},\"requestReceivedTimestamp\":\"2022-11-23T13:10:04.499444Z\",\"stageTimestamp\":\"2022-11-23T13:10:04.514995Z\",\"annotations\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"test-role-binding\\\" of ClusterRole \\\"test-admin\\\" to Group \\\"system:authenticated\\\"\"}}",
"event": {
"action": "patch",
"code": "bbd6d83f-4b6d-4a3d-b3cd-840a0691c19f",
"outcome": "allow",
"start": "2022-11-23T13:10:04.499444Z"
},
"action": {
"outcome": "allow"
},
"http": {
"response": {
"status_code": 200
}
},
"kubernetes": {
"api": {
"group": "apps"
},
"namespace": "test",
"object": {
"name": "test"
},
"rbacreason": "RBAC: allowed by ClusterRoleBinding \"test-role-binding\" of ClusterRole \"test-admin\" to Group \"system:authenticated\"",
"resource": "deployments",
"subresource": "scale"
},
"related": {
"ip": [
"192.168.0.1"
],
"user": [
"user@mail.com"
]
},
"source": {
"address": "192.168.0.1",
"ip": "192.168.0.1"
},
"url": {
"path": "/apis/apps/v1/namespaces/test/deployments/test/scale"
},
"user": {
"name": "user@mail.com",
"roles": [
"system:authenticated"
]
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19",
"os": {
"name": "Linux"
}
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.
Name | Type | Description |
---|---|---|
event.action | keyword | The action captured by the event. |
event.code | keyword | Identification code for this event. |
event.start | date | event.start contains the date when the event started or when the activity was first observed. |
http.response.status_code | long | HTTP response status code. |
kubernetes.api.group | keyword | |
kubernetes.namespace | keyword | kubernetes.namespace |
kubernetes.object.name | keyword | kubernetes.object.name |
kubernetes.rbacreason | keyword | kubernetes.rbacreason |
kubernetes.resource | keyword | kubernetes.resource |
kubernetes.role.name | keyword | |
kubernetes.spec.host_network | boolean | |
kubernetes.subresource | keyword | kubernetes.subresource |
source.ip | ip | IP address of the source. |
url.path | wildcard | Path of the request, such as "/search". |
user.id | keyword | Unique identifier of the user. |
user.name | keyword | Short name or login of the user. |
user.roles | keyword | Array of user roles at the time of the event. |
user_agent.original | keyword | Unparsed user_agent string. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.
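The mapping from a raw audit Event to the fields in the table, as an added example written for this page (it is not SEKOIA.IO's parser): it normalizes the JSON carried in "message" into the listed ECS fields and derives defender-side triage flags for the request kinds the sample events show (privileged container, hostNetwork, hostPath volume, pod exec, binding to cluster-admin, impersonation). The two embedded samples are trimmed, constructed copies of events shown above; the function names are the example's own.

```python
"""Normalize a raw Kubernetes audit Event (the JSON string in "message") into the
ECS-style fields of the table above and derive triage flags for the request
patterns the sample events show. Added example, not SEKOIA.IO's parser."""
import json
from typing import Any

# Constructed samples: trimmed copies of the "priv-shell" and pod "exec" events above.
PRIV_POD_MESSAGE = json.dumps({
    "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
    "auditID": "8cb523a6-0be6-4198-8886-ed4fa57bd375", "stage": "ResponseComplete",
    "requestURI": "/api/v1/namespaces/default/pods?fieldManager=kubectl-run",
    "verb": "create", "sourceIPs": ["1.2.3.4"],
    "userAgent": "kubectl/v1.32.5 (linux/amd64) kubernetes/9894294",
    "user": {"username": "minikube-user", "groups": ["system:masters", "system:authenticated"]},
    "objectRef": {"name": "priv-shell", "resource": "pods", "namespace": "default"},
    "annotations": {"authorization.k8s.io/decision": "allow", "authorization.k8s.io/reason": ""},
    "requestObject": {"kind": "Pod", "spec": {"containers": [
        {"name": "shell", "image": "ubuntu:24.04", "securityContext": {"privileged": True}}]}},
    "responseStatus": {"code": 201}, "requestReceivedTimestamp": "2025-05-22T13:14:38.218223Z",
})
EXEC_MESSAGE = json.dumps({
    "level": "RequestResponse", "auditID": "91afc40c-f1ef-4956-b85a-7e12d09511e9",
    "stage": "ResponseComplete", "verb": "create", "sourceIPs": ["192.168.0.1"],
    "requestURI": "/api/v1/namespaces/test/pods/test-1669140000-zp58r/exec?command=sh",
    "user": {"username": "user@mail.com", "groups": ["system:authenticated"]},
    "objectRef": {"resource": "pods", "namespace": "test", "name": "test-1669140000-zp58r",
                  "subresource": "exec"},
    "responseStatus": {"code": 101}, "requestReceivedTimestamp": "2022-11-23T14:36:45.243457Z",
    "annotations": {"authorization.k8s.io/decision": "allow", "authorization.k8s.io/reason":
                    "RBAC: allowed by ClusterRoleBinding test-role-binding of ClusterRole "
                    "test-admin to Group system:authenticated"},
})


def normalize(message: str) -> dict[str, Any]:
    """Return the flattened ECS fields for one audit Event, dropping empty values
    the way the normalized samples above do (no rbacreason when reason is "")."""
    ev = json.loads(message)
    # The pinniped sample keeps user.id = uid of the authenticating service account
    # while user.name and user.roles come from the impersonated identity.
    who = ev.get("impersonatedUser") or ev.get("user", {})
    ref = ev.get("objectRef", {})
    ann = ev.get("annotations", {})
    req = ev.get("requestObject") or {}
    resp = ev.get("responseObject") or {}
    fields: dict[str, Any] = {
        "event.action": ev.get("verb"),
        "event.code": ev.get("auditID"),
        "event.start": ev.get("requestReceivedTimestamp"),
        "http.response.status_code": ev.get("responseStatus", {}).get("code"),
        "kubernetes.api.group": ref.get("apiGroup"),
        "kubernetes.namespace": ref.get("namespace"),
        # the scale sample names the object only in the response body
        "kubernetes.object.name": ref.get("name") or resp.get("metadata", {}).get("name"),
        "kubernetes.rbacreason": ann.get("authorization.k8s.io/reason"),
        "kubernetes.resource": ref.get("resource"),
        "kubernetes.subresource": ref.get("subresource"),
        "kubernetes.role.name": req.get("roleRef", {}).get("name"),
        "kubernetes.spec.host_network": req.get("spec", {}).get("hostNetwork"),
        "source.ip": (ev.get("sourceIPs") or [None])[0],
        "url.path": ev.get("requestURI"),
        "user.id": ev.get("user", {}).get("uid"),
        "user.name": who.get("username"),
        "user.roles": sorted(who.get("groups", [])),
        "user_agent.original": ev.get("userAgent"),
    }
    return {k: v for k, v in fields.items() if v not in (None, "", [])}


def triage_flags(message: str) -> list[str]:
    """Labels for the sensitive request kinds the samples illustrate; each one is
    a candidate detection rule over the normalized fields plus the request body."""
    ev = json.loads(message)
    ref = ev.get("objectRef", {})
    req = ev.get("requestObject") or {}
    spec = req.get("spec", {})
    flags: list[str] = []
    if ev.get("verb") == "create" and ref.get("resource") == "pods":
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        if any((c.get("securityContext") or {}).get("privileged") for c in containers):
            flags.append("privileged-container")
        if spec.get("hostNetwork"):
            flags.append("host-network")
        if any("hostPath" in v for v in spec.get("volumes", [])):
            flags.append("hostpath-volume")
    if ref.get("resource") == "pods" and ref.get("subresource") == "exec":
        flags.append("pod-exec")
    if ref.get("resource") in ("clusterrolebindings", "rolebindings") \
            and req.get("roleRef", {}).get("name") == "cluster-admin":
        flags.append("cluster-admin-binding")
    if ev.get("impersonatedUser"):
        flags.append("impersonation")
    return flags
```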
Support
If you need assistance with this integration, please contact our support team at support.sekoia.io.