@@ -21,25 +21,28 @@ You can identify pod security admission violations on a workload by viewing the
21
21
----
22
22
$ <node _name >=$(oc get node -ojsonpath='{.items[0].metadata.name}' )
23
23
----
24
+ //output example?
25
+
24
26
. To view the audit logs, run the following command:
25
27
+
26
28
[source,terminal]
27
29
----
28
- $ oc adm node-logs <node _name > -- path=kube-apiserver/
30
+ $ oc adm node-logs <node _name > -- path=kube-apiserver/ <1>
29
31
----
32
+ <1> Replace _<node_name>_ with the name of the node retrieved from the previous step.
30
33
+
31
34
.Example output
32
35
[source,terminal]
33
36
----
34
- rhel-92 .lab.local audit-2023-08 -18T18-25-41.663.log
35
- rhel-92 .lab.local audit-2023-08 -19T11-21-29.225.log
36
- rhel-92 .lab.local audit-2023-08 -20T04-16-09.622.log
37
- rhel-92 .lab.local audit-2023-08 -20T21-11-41.163.log
38
- rhel-92 .lab.local audit-2023-08 -21T14-06-10.402.log
39
- rhel-92 .lab.local audit-2023-08 -22T06-35-10.392.log
40
- rhel-92 .lab.local audit-2023-08 -22T23-26-27.667.log
41
- rhel-92 .lab.local audit-2023-08 -23T16-52-15.456.log
42
- rhel-92 .lab.local audit-2023-08 -24T07-31-55.238.log
37
+ rhel-94 .lab.local audit-2024-10 -18T18-25-41.663.log
38
+ rhel-94 .lab.local audit-2024-10 -19T11-21-29.225.log
39
+ rhel-94 .lab.local audit-2024-10 -20T04-16-09.622.log
40
+ rhel-94 .lab.local audit-2024-10 -20T21-11-41.163.log
41
+ rhel-94 .lab.local audit-2024-10 -21T14-06-10.402.log
42
+ rhel-94 .lab.local audit-2024-10 -22T06-35-10.392.log
43
+ rhel-94 .lab.local audit-2024-10 -22T23-26-27.667.log
44
+ rhel-94 .lab.local audit-2024-10 -23T16-52-15.456.log
45
+ rhel-94 .lab.local audit-2024-10 -24T07-31-55.238.log
43
46
----
44
47
45
48
. To parse the affected audit logs, enter the following command:
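Review bot: The new callout <1> on the `oc adm node-logs` line tells the reader to use the node name "retrieved from the previous step", but that step (the unchanged `oc get node -ojsonpath=...` line) only assigns the result and prints nothing, so there is no value on screen to copy. The added `//output example?` line is an unresolved author question, not content. Either add the example output that the placeholder asks about, or have the first step print the node name, and remove the `//output example?` line before merging. The example file names were also changed from rhel-92/2023-08 to rhel-94/2024-10 with the times of day left identical; that is fine for illustrative output, but it is worth confirming the listing is meant as a constructed sample and not a captured one.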
@@ -48,5 +51,6 @@ rhel-92.lab.local audit-2023-08-24T07-31-55.238.log
48
51
----
49
52
$ oc adm node-logs <node _name > -- path=kube-apiserver/audit.log \
50
53
| jq -r 'select((.annotations["pod-security.kubernetes.io/audit-violations"] != null) and (.objectRef.resource=="pods")) | .objectRef.namespace + " " + .objectRef.name + " " + .objectRef.resource' \
51
- | sort | uniq -c
52
- ----
54
+ | sort | uniq -c <1>
55
+ ----
56
+ <1> Replace _<node_name>_ with the name of the node retrieved from the previous step.
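Review bot: The callout <1> is attached to the final `| sort | uniq -c` line, while the `<node_name>` placeholder it explains is on the first line of the command, two lines earlier. That first line ends in a `\` continuation, so the marker cannot simply be moved there without sitting after the backslash. Suggest dropping the callout here and stating the substitution in the step text above the block instead. The callout sentence is also a verbatim repeat of the one added in the previous hunk, and by this point the "previous step" is the file listing, not the step that retrieved the node name, so the wording should name that step explicitly.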