Improve kube exec Audit Log events
#12831
Conversation
| if err := f.cfg.StreamEmitter.EmitAuditEvent(f.ctx, execEvent); err != nil { | ||
| f.log.WithError(err).Warn("Failed to emit exec event.") | ||
| } |
There was a problem hiding this comment.
Why are we sending the ExecEvent at the end of the session rather than at the beginning?
There was a problem hiding this comment.
Before the Exec event was triggered before executing the code but it was never committed to Audit Log because it failed the validation caused by missing the Metadata.Code. This field can have two values for exec: ExecFailureCode and ExecCode.
In order for us to know if the execution failed we must trigger it and wait for its result.
This is what this MR does, in order to correctly populate the Metadata.Code with the correct value it waits until the execution finishes and commits the Exec event with the correct code, as we already do in SSH connections.
| defer func() { | ||
| // catch err by reference so we can access any write into it in the two calls that follow | ||
| onFinished(err) | ||
| }() |
There was a problem hiding this comment.
Are you sure this isn't equivalent to defer onFinished(err)?
There was a problem hiding this comment.
Yes, when you do the call to onFinished it will contain the current value for err and not catch it by reference as you can see here: https://go.dev/play/p/KapPnQZiZ7B
… exec This commit adds the `session.start` and `session.end` events to the non interactive exec commands. Before this commit the `Exec` event was not recorded in Audit Log because it missed the `Metadata.Code` field and failed the validation. This code is only known after the exec is triggered (FAILURE or SUCCESS) and so it requires that `Exec` event insertion into Audit Log must be delayed until the execution finishes (i.e. like in SSH). Given that, in order to prevent delayed log entries (execution is blocked for long time) we require the usage of `SessionStart` and `SessionEnd` events even if the session is non-interactive. Fixes #12764
…turn code After `SessionStart` event we must catch if the execution was successfull and log it in Audit Log. The session can be denied for several reasons like missing executable, RBAC restriction to the user/group... The `Exec` will only catch the initial command status (i.e. executable not found, forbidden, exit code) and the session recording will record the user actions in the shell. Fixes #12283
tigrato
force-pushed
the
tigrato/exec_fix_err_codes
branch
from
2e738f5 to
547a930
Compare
Improve the
kube execflow in Audit log.Non-interactive shells
Adds the
session.startandsession.endevents to the non-interactive exec commands.Before this commit, the
Execevent was not recorded in the Audit Log because it missed theMetadata.Codefield and failed the validation.This code is only known after the exec is triggered (FAILURE or SUCCESS) and so it requires that
Execevent insertion into the Audit Log must be delayed until the execution finishes (i.e. like in SSH).Given that, to prevent delayed log entries (execution is blocked for a long time), we require the usage of
SessionStartandSessionEndevents even if the session is non-interactive.Interactive shells:
Add the
Execevent to catch the initial command status (i.e. executable not found, forbidden, exit code) and let the session recording record the user actions in the shell.Fixes #12283
Fixes #12764