@sanchezl
Last active April 5, 2024 14:33
Summarize legacy token audit log events
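# Usage: jq -n -f <filter-file> <audit-log>   (-n is required because the filter reads events via `inputs`)
# Output shape: {serviceAccount: {userAgent: {path: {count, verbs, names}}}}
reduce (inputs | select((.annotations // {}) | has("authentication.k8s.io/legacy-token"))) as $e ({};
  # the annotation value is the service account whose legacy token was used
  $e.annotations."authentication.k8s.io/legacy-token" as $sa
  | $e.userAgent as $workload
  # drop the query string; for get/update also drop the trailing object name so requests group by collection
  | ( $e.requestURI | split("?")[0] | if ($e.verb == "get" or $e.verb == "update") then (split("/")[:-1]|join("/")) else . end) as $path
  | .[$sa][$workload][$path].count += 1
  | .[$sa][$workload][$path].verbs |= ((. + [$e.verb])|unique)
  | .[$sa][$workload][$path].names |= ((. + [$e.objectRef.name // empty])|unique)
  # remove the names key when no object names were recorded
  | .[$sa][$workload][$path].names |= if . | length == 0 then empty else . end
)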