From 5b8a366d874c7a7a6d19f7fcb1950020b1d2a07e Mon Sep 17 00:00:00 2001
From: Tim Allclair
Date: Fri, 24 Jul 2020 13:10:25 -0700
Subject: [PATCH 1/2] Document the sources for the sourceIPs audit log field

Kubernetes-commit: 3fa086bcded1dfb7c4889ee28b95535d056b3408
---
 pkg/apis/audit/types.go | 6 ++++++
 pkg/apis/audit/v1/types.go | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/pkg/apis/audit/types.go b/pkg/apis/audit/types.go
index 596e02202..f369b2229 100644
--- a/pkg/apis/audit/types.go
+++ b/pkg/apis/audit/types.go
@@ -98,6 +98,12 @@ type Event struct {
 // +optional
 ImpersonatedUser *authnv1.UserInfo
 // Source IPs, from where the request originated and intermediate proxies.
+ // The source IPs are listed from (in order):
+ // 1. X-Forwarded-For request header IPs
+ // 2. X-Real-Ip header, if not present in the X-Forwarded-For list
+ // 3. The remote address for the connection, if it doesn't match the last
+ // IP in the list up to here (X-Forwarded-For or X-Real-Ip).
+ // Note: All but the last IP can be arbitrarily set by the client.
 // +optional
 SourceIPs []string
 // UserAgent records the user agent string reported by the client.
diff --git a/pkg/apis/audit/v1/types.go b/pkg/apis/audit/v1/types.go
index 3f70ebaa5..27f4729ea 100644
--- a/pkg/apis/audit/v1/types.go
+++ b/pkg/apis/audit/v1/types.go
@@ -91,6 +91,12 @@ type Event struct {
 // +optional
 ImpersonatedUser *authnv1.UserInfo `json:"impersonatedUser,omitempty" protobuf:"bytes,7,opt,name=impersonatedUser"`
 // Source IPs, from where the request originated and intermediate proxies.
+ // The source IPs are listed from (in order):
+ // 1. X-Forwarded-For request header IPs
+ // 2. X-Real-Ip header, if not present in the X-Forwarded-For list
+ // 3. The remote address for the connection, if it doesn't match the last
+ // IP in the list up to here (X-Forwarded-For or X-Real-Ip).
+ // Note: All but the last IP can be arbitrarily set by the client.
 // +optional
 SourceIPs []string `json:"sourceIPs,omitempty" protobuf:"bytes,8,rep,name=sourceIPs"`
 // UserAgent records the user agent string reported by the client.

From 237dd3829d72e032ac8fcf654f439a2fac7ed6cc Mon Sep 17 00:00:00 2001
From: Tim Allclair
Date: Wed, 9 Sep 2020 12:01:51 -0700
Subject: [PATCH 2/2] generated files

Kubernetes-commit: a67b32ce9c7f1da293a8bb0fc98d3d15f111e660
---
 pkg/apis/audit/v1/generated.proto | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/apis/audit/v1/generated.proto b/pkg/apis/audit/v1/generated.proto
index ab77d190e..8cdb12cdf 100644
--- a/pkg/apis/audit/v1/generated.proto
+++ b/pkg/apis/audit/v1/generated.proto
@@ -55,6 +55,12 @@ message Event { optional k8s.io.api.authentication.v1.UserInfo impersonatedUser = 7; // Source IPs, from where the request originated and intermediate proxies. + // The source IPs are listed from (in order): + // 1. X-Forwarded-For request header IPs + // 2. X-Real-Ip header, if not present in the X-Forwarded-For list + // 3. The remote address for the connection, if it doesn't match the last + // IP in the list up to here (X-Forwarded-For or X-Real-Ip). + // Note: All but the last IP can be arbitrarily set by the client. // +optional repeated string sourceIPs = 8;
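Review bot: The closing `// Note:` line on `SourceIPs` in pkg/apis/audit/v1/types.go (identical text in the pkg/apis/audit/types.go hunk and the regenerated generated.proto) says which entries a client can forge but never says what the one remaining entry is. Going by item 3 of the list, that last IP is the remote address of the connection, so when a proxy or load balancer sits in front of the server it names that hop, not the caller, and anyone writing audit-based detections or allow-lists needs to know that. I would add two comment lines after the note: `// The last IP is the peer address of the connection (the proxy or load balancer, if one fronts the server).` and `// Treat earlier entries as unverified unless that hop is known to overwrite these headers.` The `Event` struct begins and ends outside the hunk.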