For security reasons, I want to identify who ran any iptables commands on the Kubernetes hosts, including the Kubernetes processes (kube-proxy and kubelet). From the audit logs I can at least get the commands, but I cannot know with certainty which process ran them. Yes, auditd includes the PID of the process that ran the iptables commands, but these processes are subject to restarts, i.e. their PIDs change, which makes an external monitoring system unable to recognize whether the command was run by a Kubernetes process or not.
Is there a tool or a way to monitor iptables updates from Kubernetes, especially the commands related to kube-proxy and kubelet?
The goal is to make the external system able to ignore the iptables updates initiated by Kubernetes, and focus on other suspicious activities.
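One way to do the attribution the question asks about, as an added example that is not from the poster: instead of matching on the churning PID of the iptables child, join each auditd SYSCALL/EXECVE pair by its serial number and walk the `ppid` chain up to a stable process name (`kube-proxy`, `kubelet`). The audit records and the process-tree snapshot below are constructed for this example; in a real deployment the snapshot is what the collector reads from `/proc/<pid>/comm` and `/proc/<pid>/stat` at ingestion time (or what a process-monitoring agent has already recorded), and the rule key `iptables-exec` is an assumed name for an `-a always,exit -F arch=b64 -S execve -F exe=...` style audit rule.

```python
import re
from collections import defaultdict

# Parent process names whose iptables children the external system should ignore.
KUBE_COMMS = {"kube-proxy", "kubelet"}

# Constructed process-tree snapshot, pid -> (comm, ppid). It stands in for what a
# collector would read from /proc/<pid>/comm and /proc/<pid>/stat when the audit
# event is ingested; all PIDs here are made up for this example.
PROC_SNAPSHOT = {
    2200: ("containerd-shim", 1),
    2214: ("kube-proxy", 2200),
    5100: ("sshd", 1),
    5120: ("bash", 5100),
}

# Constructed auditd records: one iptables run spawned by kube-proxy, one by an
# interactive shell. Both match the same (assumed) audit rule key.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4101): arch=c000003e syscall=59 success=yes exit=0 ppid=2214 pid=3001 auid=4294967295 uid=0 gid=0 comm="iptables" exe="/usr/sbin/xtables-nft-multi" key="iptables-exec"
type=EXECVE msg=audit(1700000000.101:4101): argc=7 a0="iptables" a1="-w" a2="5" a3="-t" a4="nat" a5="-N" a6="KUBE-SERVICES"
type=SYSCALL msg=audit(1700000000.205:4102): arch=c000003e syscall=59 success=yes exit=0 ppid=5120 pid=5123 auid=1000 uid=0 gid=0 comm="iptables" exe="/usr/sbin/xtables-nft-multi" key="iptables-exec"
type=EXECVE msg=audit(1700000000.205:4102): argc=5 a0="iptables" a1="-A" a2="INPUT" a3="-j" a4="ACCEPT"
"""

_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")


def parse_record(line):
    """Split one auditd record into a dict of fields, unquoting values."""
    fields = {}
    for key, raw in _FIELD_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif re.fullmatch(r"a\d+", key) and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
            # auditd hex-encodes argv entries that contain spaces or quotes.
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    m = _SERIAL_RE.search(line)
    fields["_serial"] = int(m.group(1)) if m else -1
    return fields


def group_events(log_text):
    """Join SYSCALL and EXECVE records that share an audit serial number."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        ev = events[rec["_serial"]]
        if rec.get("type") == "SYSCALL":
            ev.update(pid=int(rec["pid"]), ppid=int(rec["ppid"]),
                      comm=rec["comm"], exe=rec["exe"], auid=int(rec["auid"]))
        elif rec.get("type") == "EXECVE":
            ev["argv"] = [rec[f"a{i}"] for i in range(int(rec["argc"]))]
    return dict(events)


def ancestry(pid, snapshot):
    """Follow ppid links in the snapshot and return the chain of comm names."""
    chain, seen = [], set()
    while pid in snapshot and pid not in seen:
        seen.add(pid)
        comm, ppid = snapshot[pid]
        chain.append(comm)
        pid = ppid
    return chain


def triage(log_text, snapshot=PROC_SNAPSHOT):
    """Attribute every iptables execution in the log to Kubernetes or 'other'."""
    results = []
    for serial, ev in sorted(group_events(log_text).items()):
        chain = ancestry(ev["ppid"], snapshot)
        results.append({
            "serial": serial,
            "pid": ev["pid"],
            "auid": ev["auid"],
            "argv": ev.get("argv", []),
            "ancestry": chain,
            "verdict": "kubernetes" if KUBE_COMMS & set(chain) else "other",
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT_LOG):
        print(r["serial"], r["verdict"], " ".join(r["argv"]), "<-", "/".join(r["ancestry"]))
```

The ancestry walk only works if the parent is still alive when the collector resolves it, so do the lookup at ingestion time rather than later in the external system; a parent that has exited (or a child reparented to PID 1) yields an empty chain, which the code above classifies as "other" so it is not silently ignored. A cheaper secondary signal that survives restarts is the login UID: system daemons such as kube-proxy carry an unset `auid` (4294967295), whereas an operator's shell carries the real login UID, as in the second constructed event.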