Only use metadata in k8s audit event for secrets

Instead of using the request object to identify service account tokens, exclude any secrets activity by system users (e.g. users starting with "system:"). This allows the rules to work on k8s audit events at Metadata level instead of RequestResponse level. Also change the example objects for automated tests to ones collected at Metadata level. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-07-01 09:02:18 +00:00 · 2020-04-21 11:07:53 -07:00 · 2020-04-21 11:07:53 -07:00 · 357da40fc4
commit 357da40fc4
parent 9af7c7fd59
5 changed files with 6 additions and 9 deletions
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@ -105,9 +105,6 @@
 - macro: secret
  condition: ka.target.resource=secrets

- macro: req_service_account_token
-  condition: (jevt.value[/requestObject/type]="kubernetes.io/service-account-token")
-
 - macro: health_endpoint
  condition: ka.uri=/healthz

@ -409,7 +406,7 @@

 - rule: K8s Secret Created
  desc: Detect any attempt to create a secret. Service account tokens are excluded.
-  condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and not req_service_account_token and response_successful)
+  condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
  output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
@ -417,7 +414,7 @@

 - rule: K8s Secret Deleted
  desc: Detect any attempt to delete a secret Service account tokens are excluded.
-  condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and not req_service_account_token and response_successful)
+  condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
  output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
--- a/test/trace_files/k8s_audit/create_kube_system_secret.json
+++ b/test/trace_files/k8s_audit/create_kube_system_secret.json
@ -1 +1 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"263db4e4-f0bb-41b4-913d-c03815f49be5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"create","user":{"username":"admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kubeadm/v1.16.2 (linux/amd64) kubernetes/c97fe50","objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token-ne7bxu","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"bootstrap-token-ne7bxu","namespace":"kube-system","creationTimestamp":null},"data":{"auth-extra-groups":"c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=","expiration":"MjAyMC0wMy0yNVQxMTo1Mzo0OS0wNzowMA==","token-id":"bmU3Ynh1","token-secret":"eGNwcGRha3Z1cTJ6d3Eycw==","usage-bootstrap-authentication":"dHJ1ZQ==","usage-bootstrap-signing":"dHJ1ZQ=="},"type":"bootstrap.kubernetes.io/token"},"responseObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"bootstrap-token-ne7bxu","namespace":"kube-system","selfLink":"/api/v1/namespaces/kube-system/secrets/bootstrap-token-ne7bxu","uid":"799b20e8-a196-4061-9a55-d8c76ab092df","resourceVersion":"161","creationTimestamp":"2020-03-24T18:53:49Z"},"data":{"auth-extra-groups":"c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=","expiration":"MjAyMC0wMy0yNVQxMTo1Mzo0OS0wNzowMA==","token-id":"bmU3Ynh1","token-secret":"eGNwcGRha3Z1cTJ6d3Eycw==","usage-bootstrap-authentication":"dHJ1ZQ==","usage-bootstrap-signing":"dHJ1ZQ=="},"type":"bootstrap.kubernetes.io/token"},"requestReceivedTimestamp":"2020-03-24T18:53:49.023018Z","stageTimestamp":"2020-03-24T18:53:49.025530Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"263db4e4-f0bb-41b4-913d-c03815f49be5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"create","user":{"username":"admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kubeadm/v1.16.2 (linux/amd64) kubernetes/c97fe50","objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token-ne7bxu","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2020-03-24T18:53:49.023018Z","stageTimestamp":"2020-03-24T18:53:49.025530Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
--- a/test/trace_files/k8s_audit/create_secret.json
+++ b/test/trace_files/k8s_audit/create_secret.json
@ -1,2 +1,2 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"c07ab0e2-9b07-4cc6-8e3b-91ac69586a1f","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/sysdig-agent/secrets","verb":"create","user":{"username":"minikube-user","groups":["system:masters","system:authenticated"]},"sourceIPs":["10.0.2.15"],"userAgent":"kubectl/v1.13.3 (linux/amd64) kubernetes/721bfa7","objectRef":{"resource":"secrets","namespace":"sysdig-agent","name":"sysdig-agent","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"sysdig-agent","creationTimestamp":null},"data":{"access-key":"MzFiNGQ0YjctMDAyNi00YzI3LWJiMGItNDk5ZDZkZjg1ZGJi"},"type":"Opaque"},"responseObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"sysdig-agent","namespace":"sysdig-agent","selfLink":"/api/v1/namespaces/sysdig-agent/secrets/sysdig-agent","uid":"9c812531-09bd-11ea-a1f9-08002719228f","resourceVersion":"830","creationTimestamp":"2019-11-18T04:40:56Z"},"data":{"access-key":"MzFiNGQ0YjctMDAyNi00YzI3LWJiMGItNDk5ZDZkZjg1ZGJi"},"type":"Opaque"},"requestReceivedTimestamp":"2019-11-18T04:40:56.739299Z","stageTimestamp":"2019-11-18T04:40:56.741993Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"55a81824-ab56-46c5-8b02-96336f5e78d7","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets","verb":"create","user":{"username":"minikube-user","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.64.1"],"userAgent":"kubectl/v1.17.3 (darwin/amd64) kubernetes/06ad960","objectRef":{"resource":"secrets","namespace":"default","name":"example-secret","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2020-04-21T17:57:05.541358Z","stageTimestamp":"2020-04-21T17:57:05.548299Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}

--- a/test/trace_files/k8s_audit/create_service_account_token_secret.json
+++ b/test/trace_files/k8s_audit/create_service_account_token_secret.json
--- a/test/trace_files/k8s_audit/delete_secret.json
+++ b/test/trace_files/k8s_audit/delete_secret.json
@ -1 +1 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"39ca37c2-1e47-4ca9-a719-646688a4cea4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/tes/secrets/default-token-lmq4v","verb":"delete","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.12 (linux/amd64) kubernetes/a8b5220/tokens-controller","objectRef":{"resource":"secrets","namespace":"tes","name":"default-token-lmq4v","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Success","code":200},"requestObject":{"kind":"DeleteOptions","apiVersion":"v1","preconditions":{"uid":"ac540c76-09c2-11ea-a1f9-08002719228f"}},"responseObject":{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Success","details":{"name":"default-token-lmq4v","kind":"secrets","uid":"ac540c76-09c2-11ea-a1f9-08002719228f"}},"requestReceivedTimestamp":"2019-11-18T05:17:20.899988Z","stageTimestamp":"2019-11-18T05:17:20.904826Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}}
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"d1df3fa9-497f-49cf-bd48-60a651df8075","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets/example-secret","verb":"delete","user":{"username":"minikube-user","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.64.1"],"userAgent":"kubectl/v1.17.3 (darwin/amd64) kubernetes/06ad960","objectRef":{"resource":"secrets","namespace":"default","name":"example-secret","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Success","code":200},"requestReceivedTimestamp":"2020-04-21T17:58:49.691845Z","stageTimestamp":"2020-04-21T17:58:49.696309Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}