diff --git a/pkg/apis/audit/types.go b/pkg/apis/audit/types.go
index 596e02202..f369b2229 100644
--- a/pkg/apis/audit/types.go
+++ b/pkg/apis/audit/types.go
@@ -98,6 +98,12 @@ type Event struct {
 // +optional
 ImpersonatedUser *authnv1.UserInfo
 // Source IPs, from where the request originated and intermediate proxies.
+ // The source IPs are listed from (in order):
+ // 1. X-Forwarded-For request header IPs
+ // 2. X-Real-Ip header, if not present in the X-Forwarded-For list
+ // 3. The remote address for the connection, if it doesn't match the last
+ // IP in the list up to here (X-Forwarded-For or X-Real-Ip).
+ // Note: All but the last IP can be arbitrarily set by the client.
 // +optional
 SourceIPs []string
 // UserAgent records the user agent string reported by the client.
diff --git a/pkg/apis/audit/v1/generated.proto b/pkg/apis/audit/v1/generated.proto
index ab77d190e..8cdb12cdf 100644
--- a/pkg/apis/audit/v1/generated.proto
+++ b/pkg/apis/audit/v1/generated.proto
@@ -55,6 +55,12 @@ message Event {
 optional k8s.io.api.authentication.v1.UserInfo impersonatedUser = 7;
 // Source IPs, from where the request originated and intermediate proxies.
+ // The source IPs are listed from (in order):
+ // 1. X-Forwarded-For request header IPs
+ // 2. X-Real-Ip header, if not present in the X-Forwarded-For list
+ // 3. The remote address for the connection, if it doesn't match the last
+ // IP in the list up to here (X-Forwarded-For or X-Real-Ip).
+ // Note: All but the last IP can be arbitrarily set by the client.
 // +optional
 repeated string sourceIPs = 8;
diff --git a/pkg/apis/audit/v1/types.go b/pkg/apis/audit/v1/types.go
index 3f70ebaa5..27f4729ea 100644
--- a/pkg/apis/audit/v1/types.go
+++ b/pkg/apis/audit/v1/types.go
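Review bot: Item 2 of the comment added above `SourceIPs` in pkg/apis/audit/types.go reads two ways (the X-Real-Ip value is skipped when it already appears among the X-Forwarded-For IPs, or the header is consulted only when X-Forwarded-For is absent), and the comment should pick one, e.g. `// 2. X-Real-Ip header value, unless that IP already appears in the X-Forwarded-For list`. The closing note is the line audit-log consumers depend on, so I would state the consequence as well: `// Note: All but the last IP can be arbitrarily set by the client; do not rely on earlier entries for attribution or IP-based alerting.` Behind a load balancer or proxy the last entry is presumably that proxy's address rather than the end client's, which may deserve one more sentence. The same text is added in pkg/apis/audit/v1/types.go and in the generated proto, so the wording should change in both types.go files and the proto be regenerated. The Event struct starts and ends outside the hunk.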
@@ -91,6 +91,12 @@ type Event struct {
 // +optional
 ImpersonatedUser *authnv1.UserInfo `json:"impersonatedUser,omitempty" protobuf:"bytes,7,opt,name=impersonatedUser"`
 // Source IPs, from where the request originated and intermediate proxies.
+ // The source IPs are listed from (in order):
+ // 1. X-Forwarded-For request header IPs
+ // 2. X-Real-Ip header, if not present in the X-Forwarded-For list
+ // 3. The remote address for the connection, if it doesn't match the last
+ // IP in the list up to here (X-Forwarded-For or X-Real-Ip).
+ // Note: All but the last IP can be arbitrarily set by the client.
 // +optional
 SourceIPs []string `json:"sourceIPs,omitempty" protobuf:"bytes,8,rep,name=sourceIPs"`
 // UserAgent records the user agent string reported by the client.