Audit-logs compatibility between k8s default logs and our audit-logs schema. #31

@chintansakhiya

Description

default k8s audit logs

{
    "kind": "Event",
    "apiVersion": "audit.k8s.io/v1",
    "level": "Metadata",
    "auditID": "02d3a5ac-3322-4a8e-b608-e492302244d1",
    "stage": "ResponseComplete",
    "requestURI": "/p-3/api/v1/namespaces/karpor/pods/karpor-syncer-587dbc5f94-n6qzm",
    "verb": "delete",
    "user": {
        "username": "chintansakhiya@gmail.com",
        "uid": "f4e597b8-98b2-4d59-8aee-53811b4db1b8",
        "groups": [
            "p-3:devops:karpor",
            "p-3:developer:uptime-kuma"
        ],
        "extra": {
            "authentication.kubernetes.io/credential-id": [
                "JTI=b91ccabd-46c5-49f3-bc21-5554dd8d9fe4"
            ]
        }
    },
    "sourceIPs": [
        "127.0.0.1"
    ],
    "userAgent": "k9s/v0.0.0 (linux/amd64) kubernetes/$Format",
    "responseStatus": {
        "metadata": {},
        "code": 200
    },
    "requestReceivedTimestamp": "2025-01-15T13:07:53.378867Z",
    "stageTimestamp": "2025-01-15T13:07:53.388951Z"
}

kube-oidc-proxy audit log format

{
    "id": 1,
    "cluster_name": "p-3",
    "email": "chintansakhiya@gmail.com",
    "uid": "f4e597b8-98b2-4d59-8aee-53811b4db1b8",
    "groups": [
        "p-3:devops:karpor",
        "p-3:developer:uptime-kuma"
    ],
    "extra": {
        "authentication.kubernetes.io/credential-id": [
            "JTI=0b4607f7-024e-42ba-a217-b7e120980cc9"
        ]
    },
    "is_resource_request": true,
    "request_path": "/api/v1/namespaces/uptime-kuma/pods",
    "verb": "list",
    "api_prefix": "api",
    "api_group": "",
    "api_version": "v1",
    "namespace": "uptime-kuma",
    "resource": "pods",
    "sub_resource": "",
    "name": "",
    "parts": [
        "pods"
    ],
    "field_selector": "",
    "label_selector": "",
    "request_body": {},
    "created_at": "2025-01-09 10:20:28.317979"
}

Similarities

  1. User Information:

    • Kubernetes default logs nest user details in a user object, whereas the proxy stores those details as separate top-level fields.
    • Kubernetes default logs (user object) and kube-oidc-proxy logs (email, uid, and groups) both provide user-related details, including:
      • Email/User ID (username/email)
      • UID (uid)
      • Groups (groups)
      • Extra attributes (extra)
  2. Request Metadata:

    • Request URI/Path:
      • Kubernetes logs: requestURI
      • kube-oidc-proxy: request_path
    • Verb (Action):
      • Kubernetes logs: verb
      • kube-oidc-proxy: verb
    • Both formats capture whether the request is for a specific resource (is_resource_request in kube-oidc-proxy).
  3. Namespace & Resource:

    • Kubernetes includes this indirectly in requestURI.
    • kube-oidc-proxy explicitly separates these (namespace, resource, and sub_resource).
  4. Timestamps:

    • Kubernetes: requestReceivedTimestamp, stageTimestamp.
    • kube-oidc-proxy: No explicit timestamps, but they could be inferred from the log output system.

Differences

  1. Log Format Granularity:

    • Kubernetes logs are general and encapsulate the entire request and response lifecycle, including stage and responseStatus.
    • kube-oidc-proxy logs are more granular, focusing on API request parsing, such as api_prefix, api_group, api_version, and selectors (field_selector, label_selector).
  2. User Agent:

    • Kubernetes: Captured as userAgent.
    • kube-oidc-proxy: Missing.
  3. Response Details:

    • Kubernetes: responseStatus includes the HTTP response code (e.g., 200).
    • kube-oidc-proxy: Does not log response details, focusing solely on the request.
  4. Cluster Context:

    • Kubernetes: Does not log cluster_name.
    • kube-oidc-proxy: Includes cluster_name for multi-cluster environments.

Compatibility Considerations

  • Mapping Fields:

    • Most fields can be mapped directly:
      • username → email
      • uid → uid
      • groups → groups
      • requestURI → request_path
      • verb → verb
    • Additional parsing would be required for:
      • Extracting namespace, resource, and sub_resource from requestURI.
  • Missing Fields in proxy:

    • responseStatus
    • sourceIPs
    • userAgent
    • kind
    • level
    • stage
  • Response Data:

    • Kubernetes logs include responseStatus, while kube-oidc-proxy does not. If response tracking is required, kube-oidc-proxy logs would need enhancements.
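As an added example (not code from this issue or from kube-oidc-proxy), a Python mapper that applies the field mapping listed above, derives namespace, resource and sub_resource from requestURI following the apiserver's RequestInfo path rules, and returns the audit fields the proxy schema has no column for so they are not silently dropped. It assumes the leading "/p-3" segment of requestURI is the cluster-name prefix the proxy routes under; the sample event is constructed from the one quoted in the issue.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the default k8s audit event quoted in the issue, trimmed to the fields used here.
K8S_EVENT = {
    "kind": "Event", "level": "Metadata", "stage": "ResponseComplete", "verb": "delete",
    "requestURI": "/p-3/api/v1/namespaces/karpor/pods/karpor-syncer-587dbc5f94-n6qzm",
    "user": {"username": "chintansakhiya@gmail.com", "uid": "f4e597b8-98b2-4d59-8aee-53811b4db1b8",
             "groups": ["p-3:devops:karpor", "p-3:developer:uptime-kuma"], "extra": {}},
    "sourceIPs": ["127.0.0.1"], "userAgent": "k9s/v0.0.0 (linux/amd64) kubernetes/$Format",
    "responseStatus": {"code": 200}, "requestReceivedTimestamp": "2025-01-15T13:07:53.378867Z",
}
# Audit fields with no column in the proxy schema; returned separately so the caller sees what is lost.
UNMAPPED = ("kind", "level", "stage", "sourceIPs", "userAgent", "responseStatus")

def parse_request_uri(uri):
    """Split an API path into the proxy's parsed fields (apiserver RequestInfo rules); returns (info, is_resource)."""
    url, q = urlsplit(uri), parse_qs(urlsplit(uri).query)
    info = dict(api_prefix="", api_group="", api_version="", namespace="", resource="", sub_resource="",
                name="", parts=[], field_selector=q.get("fieldSelector", [""])[0],
                label_selector=q.get("labelSelector", [""])[0])
    parts = [p for p in url.path.split("/") if p]
    if not parts or parts[0] not in ("api", "apis"):
        return info, False                          # non-resource request, e.g. /healthz or /openapi/v2
    info["api_prefix"] = parts[0]
    if parts[0] == "api":                           # legacy core group: /api/<version>/...
        info["api_version"], rest = parts[1], parts[2:]
    else:                                           # named group: /apis/<group>/<version>/...
        info["api_group"], info["api_version"], rest = parts[1], parts[2], parts[3:]
    if len(rest) > 1 and rest[0] == "namespaces":
        info["namespace"] = rest[1]
        if len(rest) > 2:                           # a bare /namespaces/<ns> stays a request on the namespaces resource
            rest = rest[2:]
    info["parts"] = rest
    for key, idx in (("resource", 0), ("name", 1), ("sub_resource", 2)):
        if len(rest) > idx:
            info[key] = rest[idx]
    return info, True

def to_proxy_record(event, cluster_name):
    """Map one default audit event onto the proxy schema; returns (record, unmapped audit fields)."""
    uri, prefix = event["requestURI"], "/" + cluster_name + "/"
    if uri.startswith(prefix):                      # assumption: the proxy prefixes request paths with the cluster name
        uri = uri[len(prefix) - 1:]
    info, is_resource = parse_request_uri(uri)
    user = event["user"]
    record = {"cluster_name": cluster_name, "email": user["username"], "uid": user["uid"],
              "groups": user.get("groups", []), "extra": user.get("extra", {}),
              "is_resource_request": is_resource, "request_path": urlsplit(uri).path, "verb": event["verb"],
              **info, "request_body": {}, "created_at": event["requestReceivedTimestamp"]}
    return record, {k: event[k] for k in UNMAPPED if k in event}
```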

Labels: documentation