From 3fa086bcded1dfb7c4889ee28b95535d056b3408 Mon Sep 17 00:00:00 2001
From: Tim Allclair
Date: Fri, 24 Jul 2020 13:10:25 -0700
Subject: [PATCH] Document the sources for the sourceIPs audit log field
---
 staging/src/k8s.io/apiserver/pkg/apis/audit/types.go | 6 ++++++
 staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go
index 596e0220260..f369b2229b9 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go
@@ -98,6 +98,12 @@ type Event struct {
 // +optional
 ImpersonatedUser *authnv1.UserInfo
 // Source IPs, from where the request originated and intermediate proxies.
+ // The source IPs are listed from (in order):
+ // 1. X-Forwarded-For request header IPs
+ // 2. X-Real-Ip header, if not present in the X-Forwarded-For list
+ // 3. The remote address for the connection, if it doesn't match the last
+ // IP in the list up to here (X-Forwarded-For or X-Real-Ip).
+ // Note: All but the last IP can be arbitrarily set by the client.
 // +optional
 SourceIPs []string
 // UserAgent records the user agent string reported by the client.
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go
index 3f70ebaa516..27f4729eaaf 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go
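Review bot: The closing note on `SourceIPs` says which entries a client controls but not what the remaining entry is: per item 3 the last IP is the remote address of the connection, which is the proxy or load balancer rather than the end client whenever one sits in front of the API server. Audit consumers that alert or attribute on this field need that spelled out, so I would extend the note to something like `// Note: All but the last IP can be arbitrarily set by the client; the last IP is the connection's peer, which may be a proxy rather than the originating client.` The identical comment in the `v1/types.go` hunk should get the same wording. The `Event` struct begins and ends outside both hunks, so whether the type-level documentation already covers this is not visible here.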
@@ -91,6 +91,12 @@ type Event struct {
 // +optional
 ImpersonatedUser *authnv1.UserInfo `json:"impersonatedUser,omitempty" protobuf:"bytes,7,opt,name=impersonatedUser"`
 // Source IPs, from where the request originated and intermediate proxies.
+ // The source IPs are listed from (in order):
+ // 1. X-Forwarded-For request header IPs
+ // 2. X-Real-Ip header, if not present in the X-Forwarded-For list
+ // 3. The remote address for the connection, if it doesn't match the last
+ // IP in the list up to here (X-Forwarded-For or X-Real-Ip).
+ // Note: All but the last IP can be arbitrarily set by the client.
 // +optional
 SourceIPs []string `json:"sourceIPs,omitempty" protobuf:"bytes,8,rep,name=sourceIPs"`
 // UserAgent records the user agent string reported by the client.