From 3fa086bcded1dfb7c4889ee28b95535d056b3408 Mon Sep 17 00:00:00 2001
From: Tim Allclair
Date: Fri, 24 Jul 2020 13:10:25 -0700
Subject: [PATCH 1/2] Document the sources for the sourceIPs audit log field
---
 staging/src/k8s.io/apiserver/pkg/apis/audit/types.go | 6 ++++++
 staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go
index 596e0220260..f369b2229b9 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go
@@ -98,6 +98,12 @@ type Event struct {
 // +optional
 ImpersonatedUser *authnv1.UserInfo
 // Source IPs, from where the request originated and intermediate proxies.
+ // The source IPs are listed from (in order):
+ // 1. X-Forwarded-For request header IPs
+ // 2. X-Real-Ip header, if not present in the X-Forwarded-For list
+ // 3. The remote address for the connection, if it doesn't match the last
+ // IP in the list up to here (X-Forwarded-For or X-Real-Ip).
+ // Note: All but the last IP can be arbitrarily set by the client.
 // +optional
 SourceIPs []string
 // UserAgent records the user agent string reported by the client.
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go
index 3f70ebaa516..27f4729eaaf 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go
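Review bot: The added `Note: All but the last IP can be arbitrarily set by the client.` understates what the last entry is: per item 3 it is the remote address of the connection, so when the apiserver sits behind a load balancer or reverse proxy it is presumably the proxy's address rather than the originating client's, and any X-Forwarded-For entries appended by such a proxy are, as far as this list shows, indistinguishable from client-supplied ones. Readers of audit logs therefore need to know their deployment's proxy topology to decide how many trailing entries to trust; a sentence such as `// The last IP is the connection peer, which may be a proxy or load balancer rather than the client.` after the Note would make that explicit. The same comment block is added to the v1 type in the staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go hunk and must be kept identical there, since the generated openapi and proto descriptions are derived from it. Minor wording: `listed from (in order):` reads awkwardly; `listed in the following order:` is clearer. The enclosing Event struct begins before this hunk.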
@@ -91,6 +91,12 @@ type Event struct {
 // +optional
 ImpersonatedUser *authnv1.UserInfo `json:"impersonatedUser,omitempty" protobuf:"bytes,7,opt,name=impersonatedUser"`
 // Source IPs, from where the request originated and intermediate proxies.
+ // The source IPs are listed from (in order):
+ // 1. X-Forwarded-For request header IPs
+ // 2. X-Real-Ip header, if not present in the X-Forwarded-For list
+ // 3. The remote address for the connection, if it doesn't match the last
+ // IP in the list up to here (X-Forwarded-For or X-Real-Ip).
+ // Note: All but the last IP can be arbitrarily set by the client.
 // +optional
 SourceIPs []string `json:"sourceIPs,omitempty" protobuf:"bytes,8,rep,name=sourceIPs"`
 // UserAgent records the user agent string reported by the client.
From a67b32ce9c7f1da293a8bb0fc98d3d15f111e660 Mon Sep 17 00:00:00 2001
From: Tim Allclair
Date: Wed, 9 Sep 2020 12:01:51 -0700
Subject: [PATCH 2/2] generated files
---
 pkg/generated/openapi/zz_generated.openapi.go | 2 +-
 .../src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go
index fc6a2bdb727..f2dc44c3d90 100644
--- a/pkg/generated/openapi/zz_generated.openapi.go
+++ b/pkg/generated/openapi/zz_generated.openapi.go
@@ -46051,7 +46051,7 @@ func schema_pkg_apis_audit_v1_Event(ref common.ReferenceCallback) common.OpenAPI
 },
 "sourceIPs": {
 SchemaProps: spec.SchemaProps{
- Description: "Source IPs, from where the request originated and intermediate proxies.",
+ Description: "Source IPs, from where the request originated and intermediate proxies. The source IPs are listed from (in order): 1. X-Forwarded-For request header IPs 2. X-Real-Ip header, if not present in the X-Forwarded-For list 3. The remote address for the connection, if it doesn't match the last\n IP in the list up to here (X-Forwarded-For or X-Real-Ip).\nNote: All but the last IP can be arbitrarily set by the client.",
 Type: []string{"array"},
 Items: &spec.SchemaOrArray{
 Schema: &spec.Schema{
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto
index ab77d190ee9..8cdb12cdf96 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto
+++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto
@@ -55,6 +55,12 @@ message Event { optional k8s.io.api.authentication.v1.UserInfo impersonatedUser = 7; // Source IPs, from where the request originated and intermediate proxies. + // The source IPs are listed from (in order): + // 1. X-Forwarded-For request header IPs + // 2. X-Real-Ip header, if not present in the X-Forwarded-For list + // 3. The remote address for the connection, if it doesn't match the last + // IP in the list up to here (X-Forwarded-For or X-Real-Ip). + // Note: All but the last IP can be arbitrarily set by the client. // +optional repeated string sourceIPs = 8;