kubernetes/kubernetes

Authentication audit logging - denote the authentication mechanism used.

Open

#82295 opened on 2019-09-03

23 comments · 0 reactions · 1 assignee · Go · 122,268 stars · 43,066 forks

Labels: area/audit, help wanted, kind/feature, lifecycle/frozen, priority/important-longterm, sig/auth

Description

What would you like to be added:

Logging for the authentication mechanism used by a user for requests to the API server.

Why is this needed:

At the moment Kubernetes does not put the mechanism used to authenticate a user into its audit logs. As Kubernetes supports multiple authentication mechanisms, this could lead to a circumstance where an identical username is defined under different authentication schemes and it would be impossible to identify which had been used for a given request.

This is particularly serious in the case of client certificate authentication. As all that is required for the creation of client certificate credentials is access to the ca.key file for the cluster and credentials can be created using openssl commands, there may be no audit trail of users created with this mechanism.

An attacker who gained read-only access to that file would be able to create new credentials with the same usernames as users authenticated via other mechanisms, removing the ability of cluster operators to accurately audit user actions.
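The minting path the issue describes, as an added example that is not part of the original issue or of the Kubernetes project's own code. It builds a stand-in CA in a temporary directory to represent the cluster's ca.crt/ca.key (constructed for the demo; a real attacker would simply read the cluster's ca.key), then uses plain openssl commands to issue a client certificate whose CN and O the API server would map to a username and group. The username `alice` and the group `system:masters` are assumptions chosen to show the collision: an audit event for this certificate carries `user.username: alice` with no indication that it was a certificate rather than, say, an OIDC token that authenticated her, and the certificate's serial and fingerprint, which would tell them apart, never reach the audit log.

```shell
#!/bin/sh
# Added example, not code from kubernetes/kubernetes or the issue author.
# Demonstrates that anyone holding ca.key can mint a client certificate for an
# arbitrary username/group with nothing but openssl, leaving no Kubernetes-side
# record of the credential's creation.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the cluster CA (constructed here; in a real cluster this is
# /etc/kubernetes/pki/ca.key and ca.crt, which the issue assumes is readable).
make_cluster_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -days 1 -subj "/CN=kubernetes" \
    -out "$WORK/ca.crt" 2>/dev/null
}

# Mint a client certificate for an arbitrary user and group.
# For client-certificate authentication the API server takes the username from
# the CN and the groups from the O attributes, so CN=alice here collides with
# any "alice" defined by another authenticator (OIDC, token file, webhook, ...).
mint_client_cert() {
  user="$1"
  group="$2"
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$user.key" 2>/dev/null
  openssl req -new -key "$WORK/$user.key" -subj "/CN=$user/O=$group" \
    -out "$WORK/$user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$user.crt" 2>/dev/null
}

# Succeeds if the minted certificate chains to the cluster CA, i.e. the API
# server's --client-ca-file check would accept it.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# The identity the API server derives (username from CN, groups from O).
cert_identity() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253
}

# The identifiers that would distinguish this credential from another "alice":
# present in the certificate, absent from the audit event.
cert_fingerprint() {
  openssl x509 -in "$WORK/$1.crt" -noout -serial -fingerprint -sha256
}

# Stand-alone run: mint an admin-equivalent "alice" and show what is and is
# not visible afterwards.
make_cluster_ca
mint_client_cert alice system:masters
verify_chain alice && echo "cluster CA accepts the minted cert"
cert_identity alice
cert_fingerprint alice
```

The whole procedure touches only files on the machine holding ca.key; no CertificateSigningRequest object is created, so `kubectl get csr` and the API server audit log are both blank for the minting step, and the first trace of the credential is a request whose `user.username` is indistinguishable from the legitimate alice.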
