Merge pull request #93438 from tallclair/audit-ips

Document the sources for the sourceIPs audit log field Kubernetes-commit: 0bbb617412e6c281e3a1ab9512457b86f8e2f20d
acorn-io · Mar 29, 2022 · 625cf21 · 625cf21
2 parents d39da46 + 237dd38
commit 625cf21
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/pkg/apis/audit/types.go b/pkg/apis/audit/types.go
@@ -98,6 +98,12 @@ type Event struct {
 	// +optional
 	ImpersonatedUser *authnv1.UserInfo
 	// Source IPs, from where the request originated and intermediate proxies.
+	// The source IPs are listed from (in order):
+	// 1. X-Forwarded-For request header IPs
+	// 2. X-Real-Ip header, if not present in the X-Forwarded-For list
+	// 3. The remote address for the connection, if it doesn't match the last
+	//    IP in the list up to here (X-Forwarded-For or X-Real-Ip).
+	// Note: All but the last IP can be arbitrarily set by the client.
 	// +optional
 	SourceIPs []string
 	// UserAgent records the user agent string reported by the client.

diff --git a/pkg/apis/audit/v1/generated.proto b/pkg/apis/audit/v1/generated.proto
diff --git a/pkg/apis/audit/v1/types.go b/pkg/apis/audit/v1/types.go
@@ -91,6 +91,12 @@ type Event struct {
 	// +optional
 	ImpersonatedUser *authnv1.UserInfo `json:"impersonatedUser,omitempty" protobuf:"bytes,7,opt,name=impersonatedUser"`
 	// Source IPs, from where the request originated and intermediate proxies.
+	// The source IPs are listed from (in order):
+	// 1. X-Forwarded-For request header IPs
+	// 2. X-Real-Ip header, if not present in the X-Forwarded-For list
+	// 3. The remote address for the connection, if it doesn't match the last
+	//    IP in the list up to here (X-Forwarded-For or X-Real-Ip).
+	// Note: All but the last IP can be arbitrarily set by the client.
 	// +optional
 	SourceIPs []string `json:"sourceIPs,omitempty" protobuf:"bytes,8,rep,name=sourceIPs"`
 	// UserAgent records the user agent string reported by the client.