Data Source: Kubernetes Audit

Date: 2025-01-23

ID: 6c25181a-0c07-4aaf-90e6-77ab1f0e6699

Author: Patrick Bareiss, Splunk

Description

Logs activities within a Kubernetes cluster, including API server requests, resource access, configuration changes, and user authentication events.

Details

Property	Value
Source	`kubernetes`
Sourcetype	`_json`

Event Fields

+ Fields


            1
            _time
          
            3
            annotations.authorization.k8s.io/decision
          
            5
            annotations.authorization.k8s.io/reason
          
            7
            apiVersion
          
            9
            auditID
          
            11
            eventtype
          
            13
            host
          
            15
            index
          
            17
            kind
          
            19
            level
          
            21
            linecount
          
            23
            objectRef.apiGroup
          
            25
            objectRef.apiVersion
          
            27
            objectRef.namespace
          
            29
            objectRef.resource
          
            31
            punct
          
            33
            requestReceivedTimestamp
          
            35
            requestURI
          
            37
            responseObject.apiVersion
          
            39
            responseObject.code
          
            41
            responseObject.details.group
          
            43
            responseObject.details.kind
          
            45
            responseObject.kind
          
            47
            responseObject.message
          
            49
            responseObject.reason
          
            51
            responseObject.status
          
            53
            responseStatus.code
          
            55
            responseStatus.details.group
          
            57
            responseStatus.details.kind
          
            59
            responseStatus.message
          
            61
            responseStatus.reason
          
            63
            responseStatus.status
          
            65
            source
          
            67
            sourceIPs{}
          
            69
            sourcetype
          
            71
            splunk_server
          
            73
            stage
          
            75
            stageTimestamp
          
            77
            tag
          
            79
            tag::eventtype
          
            81
            timestamp
          
            83
            user.groups{}
          
            85
            user.uid
          
            87
            user.username
          
            89
            userAgent
          
            91
            verb
          
            93

...

not set

Example Log

1{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"582c31ab-4906-49bb-9ff9-872f980ccb84","stage":"ResponseComplete","requestURI":"/apis/batch/v1/namespaces/test2/jobs?fieldManager=kubectl-create\u0026fieldValidation=Strict","verb":"create","user":{"username":"k8s-test-user","uid":"aws-iam-authenticator:111111111111:AROAYTXXXXXXHNXXXXX","groups":["system:authenticated"]},"sourceIPs":["176.95.188.101"],"userAgent":"kubectl/v1.27.2 (darwin/arm64) kubernetes/7f6f68f","objectRef":{"resource":"jobs","namespace":"test2","apiGroup":"batch","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","message":"jobs.batch is forbidden: User \"k8s-test-user\" cannot create resource \"jobs\" in API group \"batch\" in the namespace \"test2\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403},"responseObject":{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"jobs.batch is forbidden: User \"k8s-test-user\" cannot create resource \"jobs\" in API group \"batch\" in the namespace \"test2\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403},"requestReceivedTimestamp":"2023-12-07T14:44:53.358394Z","stageTimestamp":"2023-12-07T14:44:53.375985Z","annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":""}}

Source: GitHub | Version: 2