Home / server / Questions / 1036536
Accepted
Hakan Baba
Asked: 2020-10-06 20:02:19 +0800 CST

How to see usage patterns of the `kubectl exec` command?

  • 772

In a kubernetes cluster I am trying to understand how the kubectl exec is used by the users. Users are exec'ing into which pods in which namespaces? What is the best way to discover that?

I think the audit logs are a good starting point but I am not sure whether I would find what I am looking for there.

kubernetes

1 Answers

  1. Best Answer

    Yes, the pod/exec request is tracked just like any other request in the audit log, and it even appears to track the command issued (although that won't be as helpful if the command is just sh or bash)

    {
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Request",
  "auditID": "0f5bcb21-ef16-443e-bca2-1d26209207b9",
  "stage": "ResponseStarted",
  "requestURI": "/api/v1/namespaces/kube-system/pods/sample-647b485b68-4tc9h/exec?command=ps&command=auwx&container=sample&stderr=true&stdout=true",
  "verb": "create",
  "user": {
    "username": "kubernetes-admin",
    "groups": [
      "system:masters",
      "system:authenticated"
    ]
  },
  "sourceIPs": [
    "10.128.4.90"
  ],
  "userAgent": "kubectl/v1.19.2 (linux/amd64) kubernetes/f574309",
  "objectRef": {
    "resource": "pods",
    "namespace": "kube-system",
    "name": "sample-647b485b68-4tc9h",
    "apiVersion": "v1",
    "subresource": "exec"
  },
  "responseStatus": {
    "metadata": {},
    "code": 101
  },
  "requestReceivedTimestamp": "2020-10-06T16:06:48.205785Z",
  "stageTimestamp": "2020-10-06T16:06:48.258680Z",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  }
}
    • 3