@Santosh1176
Created April 8, 2023 16:56
This contains some useful jq filters to be used with Kubernetes audit logs; it's part of my blog on k8s audit logging.
# Pod Deletion
(select(.verb == "delete" and .objectRef.resource=="pods") | "A pod named: " + .objectRef.name + " was deleted in: " + .objectRef.namespace + " namespace" + " - [" + .stageTimestamp + " ]"),
# Pod Exec
(select(.objectRef.resource=="pods" and .objectRef.subresource == "exec") | "A shell was opened into " + .objectRef.name + " pod " + "in "+ .objectRef.namespace + " namespace" + " - [" + .stageTimestamp + " ]" ),
# Pod Creation
(select(.verb == "create" and .objectRef.resource =="pods") | "A pod named: " + .objectRef.name + " was created in: " + .objectRef.namespace + " namespace" + " - [" + .stageTimestamp + " ]"),
# ConfigMap creation
(select(.verb == "create" and .objectRef.resource =="configmaps") | "A configMap named: " + .objectRef.name + " was created in: " + .objectRef.namespace + " namespace" + " - [" + .stageTimestamp + " ]"),
# ConfigMap Deletion
(select(.verb == "delete" and .objectRef.resource =="configmaps") | "A configMap named: " + .objectRef.name + " was deleted in: " + .objectRef.namespace + " namespace" + " - [" + .stageTimestamp + " ]"),
# Secret creation
(select(.verb == "create" and .objectRef.resource =="secrets") | "A secret named: " + .objectRef.name + " was created in: " + .objectRef.namespace + " namespace" + " - [" + .stageTimestamp + " ]"),
# Secret Deletion
(select(.verb == "delete" and .objectRef.resource =="secrets") | "A secret named: " + .objectRef.name + " was deleted in: " + .objectRef.namespace + " namespace" + " - [" + .stageTimestamp + " ]"),
# ConfigMap creation with sensitive information
(select(.verb == "create" and .objectRef.resource =="configmaps" and (.requestObject.data | tostring | contains("username") or contains("password"))) | "A configMap named: " + .objectRef.name + " was created in: " + .objectRef.namespace + " namespace," + " with sensitive information " + " - [" + .stageTimestamp + " ]")
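The same rules as the jq filters above, as an added Python example that is not part of the gist, run over a few constructed audit events. It goes slightly beyond the gist in two places: the plain create/delete rules require no subresource (kubectl exec is recorded as verb "create" on pods/exec, so without that check an exec is also reported as a pod creation), and the sensitive-data markers are matched case-insensitively.

```python
import json

# Constructed sample audit events (one JSON object per line, as kube-apiserver writes them).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "objectRef": {"resource": "pods", "name": "web-1", "namespace": "prod"},
     "stageTimestamp": "2023-04-08T16:00:01Z"},
    # kubectl exec is recorded as verb "create" on the pod's "exec" subresource
    {"verb": "create", "objectRef": {"resource": "pods", "subresource": "exec", "name": "web-1",
                                     "namespace": "prod"}, "stageTimestamp": "2023-04-08T16:05:00Z"},
    {"verb": "create", "objectRef": {"resource": "configmaps", "name": "app-cfg", "namespace": "prod"},
     "requestObject": {"data": {"DB_PASSWORD": "hunter2"}}, "stageTimestamp": "2023-04-08T16:06:00Z"},
    {"verb": "get", "objectRef": {"resource": "secrets", "name": "tls", "namespace": "prod"},
     "stageTimestamp": "2023-04-08T16:07:00Z"},  # a read; none of the rules should fire
    {"verb": "delete", "objectRef": {"resource": "pods", "name": "web-1", "namespace": "prod"},
     "stageTimestamp": "2023-04-08T16:08:00Z"},
])

def classify(event):
    """Apply the gist's rules to one audit event; returns a list of (rule_id, message)."""
    ref = event.get("objectRef") or {}
    verb, res, sub = event.get("verb"), ref.get("resource"), ref.get("subresource")
    name, ns, ts = ref.get("name"), ref.get("namespace"), event.get("stageTimestamp")
    findings = []
    if res == "pods" and sub == "exec":
        findings.append(("pod-exec", f"A shell was opened into {name} pod in {ns} namespace - [{ts}]"))
    # Plain create/delete of the three resource kinds. Requiring no subresource keeps an exec
    # (verb "create" on pods/exec) from also being reported as a pod creation.
    for resource, label in (("pods", "pod"), ("configmaps", "configMap"), ("secrets", "secret")):
        if res == resource and sub is None and verb in ("create", "delete"):
            findings.append((f"{resource}-{verb}",
                             f"A {label} named: {name} was {verb}d in: {ns} namespace - [{ts}]"))
    if verb == "create" and res == "configmaps":
        # Serialise the whole data map, as the jq `tostring` does, so keys and values are both
        # checked; lower-casing widens the gist's case-sensitive contains() to match DB_PASSWORD.
        data = json.dumps((event.get("requestObject") or {}).get("data") or {}).lower()
        if any(marker in data for marker in ("username", "password")):
            findings.append(("configmap-sensitive", f"A configMap named: {name} was created in: "
                             f"{ns} namespace, with sensitive information - [{ts}]"))
    return findings

def scan(log_text):
    """Run classify() over every non-empty line of a JSON-lines audit log."""
    return [f for line in log_text.splitlines() if line.strip() for f in classify(json.loads(line))]

if __name__ == "__main__":
    for rule, message in scan(SAMPLE_AUDIT_LOG):
        print(f"[{rule}] {message}")
```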