kubernetes: portforward audit logs do not include target port information

What happened:

Check the audit log for a portforward event, it looks something like this:

...
"requestURI": "/api/v1/namespaces/default/pods/pod-name/portforward",
"verb": "create",
"objectRef": {
    "resource": "pods",
    "namespace": "default",
    "name": "pod-name",
    "apiVersion": "v1",
    "subresource": "portforward"
},
...

This doesn’t include any information about the target port.

What you expected to happen:

The target port to be included in the audit event

Anything else we need to know?:

Based on some spelunking, this appears to be because, although the docs say that the ports are specified in the query string, they actually get passed via a custom header over the port-forwarding protocol, which makes them invisible to the audit controller.

Environment:

  • Kubernetes version (use kubectl version): 1.20
  • Cloud provider or hardware configuration: n/a
  • OS (e.g: cat /etc/os-release): n/a
  • Kernel (e.g. uname -a): n/a
  • Install tools: n/a
  • Network plugin and version (if this is a network-related bug): n/a
  • Others: n/a
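Detection logic for the situation described in this issue, as an added example that is not part of the issue or of the Kubernetes code base. It parses JSON audit lines (audit.k8s.io/v1 field names), flags pods/portforward create requests with the user, source IP and pod, and extracts the target ports only from the documented ?ports= query-string form. When the client sent the ports in SPDY stream headers instead (the behaviour the issue reports), the Ports field stays empty, which is exactly the gap an analyst has to be aware of. The names DetectPortForward, queryPorts, Finding and SampleLines are this example's own, and the sample audit lines are constructed, not captured from a cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// AuditEvent is the subset of an audit.k8s.io/v1 Event the detector reads.
// JSON tags follow the audit API field names.
type AuditEvent struct {
	Verb       string `json:"verb"`
	RequestURI string `json:"requestURI"`
	User       struct {
		Username string `json:"username"`
	} `json:"user"`
	SourceIPs []string `json:"sourceIPs"`
	ObjectRef struct {
		Resource    string `json:"resource"`
		Namespace   string `json:"namespace"`
		Name        string `json:"name"`
		Subresource string `json:"subresource"`
	} `json:"objectRef"`
}

// Finding is emitted for every pods/portforward request seen in the log.
type Finding struct {
	User      string
	SourceIP  string
	Namespace string
	Pod       string
	// Ports lists the target ports named in the request's query string
	// (the documented PodPortForwardOptions "ports" field). It stays empty
	// when the client sent the ports only in SPDY stream headers after the
	// upgrade, which is what the issue describes and what the audit layer
	// cannot see.
	Ports []int32
}

// PortsVisible reports whether the audit event exposed any target port.
func (f Finding) PortsVisible() bool { return len(f.Ports) > 0 }

// queryPorts extracts ports from "?ports=8080,443" or repeated "?ports=".
// Anything outside 1..65535 is rejected rather than silently dropped.
func queryPorts(requestURI string) ([]int32, error) {
	u, err := url.Parse(requestURI)
	if err != nil {
		return nil, err
	}
	var out []int32
	for _, v := range u.Query()["ports"] {
		for _, p := range strings.Split(v, ",") {
			p = strings.TrimSpace(p)
			if p == "" {
				continue
			}
			n, err := strconv.ParseInt(p, 10, 32)
			if err != nil || n < 1 || n > 65535 {
				return nil, fmt.Errorf("invalid port %q in %s", p, requestURI)
			}
			out = append(out, int32(n))
		}
	}
	return out, nil
}

// DetectPortForward parses one JSON audit line. It returns a Finding for a
// pods/portforward create request and nil for any other event.
func DetectPortForward(line []byte) (*Finding, error) {
	var ev AuditEvent
	if err := json.Unmarshal(line, &ev); err != nil {
		return nil, err
	}
	if ev.Verb != "create" || ev.ObjectRef.Resource != "pods" ||
		ev.ObjectRef.Subresource != "portforward" {
		return nil, nil
	}
	ports, err := queryPorts(ev.RequestURI)
	if err != nil {
		return nil, err
	}
	f := &Finding{
		User:      ev.User.Username,
		Namespace: ev.ObjectRef.Namespace,
		Pod:       ev.ObjectRef.Name,
		Ports:     ports,
	}
	if len(ev.SourceIPs) > 0 {
		f.SourceIP = ev.SourceIPs[0]
	}
	return f, nil
}

// SampleLines are constructed audit events (not captured from a cluster):
// the issue's event with a user added, the same request in the documented
// ?ports= form, and an unrelated pod GET that must be ignored.
var SampleLines = []string{
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"alice"},"sourceIPs":["10.0.0.7"],"requestURI":"/api/v1/namespaces/default/pods/pod-name/portforward","objectRef":{"resource":"pods","namespace":"default","name":"pod-name","apiVersion":"v1","subresource":"portforward"}}`,
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"bob"},"sourceIPs":["10.0.0.9"],"requestURI":"/api/v1/namespaces/default/pods/pod-name/portforward?ports=8080,443","objectRef":{"resource":"pods","namespace":"default","name":"pod-name","apiVersion":"v1","subresource":"portforward"}}`,
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"carol"},"requestURI":"/api/v1/namespaces/default/pods/pod-name","objectRef":{"resource":"pods","namespace":"default","name":"pod-name","apiVersion":"v1"}}`,
}

func main() {
	for _, line := range SampleLines {
		f, err := DetectPortForward([]byte(line))
		if err != nil || f == nil {
			continue
		}
		if f.PortsVisible() {
			fmt.Printf("%s from %s port-forwarded to %s/%s, ports %v\n",
				f.User, f.SourceIP, f.Namespace, f.Pod, f.Ports)
		} else {
			fmt.Printf("%s from %s port-forwarded to %s/%s (target port not in audit event)\n",
				f.User, f.SourceIP, f.Namespace, f.Pod)
		}
	}
}
```

Run against a real audit log, the first branch will almost never fire for kubectl users, since the ports travel in the stream headers; the finding still tells you who opened a forward into which pod and from where, which is what the audit event does record.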

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 15 (8 by maintainers)

Most upvoted comments

I verified option 1. As @liggitt said, SPDY will not serialize PodPortForwardOptions. The simple way I can think of to get the remotePort is to insert it into req.Header.