I’ve got AWS EKS audit logs turned on and added some alarms. I just saw an action made by:
"user": {
"username": "system:kube-controller-manager",
"groups": [
"system:authenticated"
]
}
and also by the apiserver, to list all secrets. Request URI:
/api/v1/secrets?limit=500&resourceVersion=0
I understand that system components like the apiserver or kube-controller-manager may want to watch secrets, but why/when would they list them?
Full audit log:
{
"kind": "Event",
"apiVersion": "audit.k8s.io/v1",
"level": "Metadata",
"auditID": "yyy",
"stage": "ResponseComplete",
"requestURI": "/api/v1/secrets?limit=500&resourceVersion=0",
"verb": "list",
"user": {
"username": "system:apiserver",
"uid": "yyy-3867-49cb-ab1b-yyy",
"groups": [
"system:masters"
]
},
"sourceIPs": [
"::1"
],
"userAgent": "kube-apiserver/v1.24.15 (linux/amd64) kubernetes/af0byyy",
"objectRef": {
"resource": "secrets",
"apiVersion": "v1"
},
"responseStatus": {
"metadata": {},
"code": 200
},
"requestReceivedTimestamp": "2023-07-18T19:55:31.417944Z",
"stageTimestamp": "2023-07-18T19:55:31.420243Z",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": ""
}
}
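One way to triage events like the one above, as an added example that is not part of the original post: the script below parses audit.k8s.io/v1 events, treats a `list` of secrets with `resourceVersion=0` issued by a control-plane identity from loopback as the informer cache sync it normally is (client-go informers list with `resourceVersion=0` to fill their cache and then watch), and surfaces every other read of secrets with a severity. The first sample event is condensed from the event in the post; the remaining events, the `SYSTEM_LISTERS` set and the severity labels are constructed assumptions for this example and should be tuned per cluster.

```python
"""Triage Kubernetes audit events that read secrets (added example, not from the post)."""
import json
from urllib.parse import parse_qs, urlparse

# Assumption: control-plane identities expected to enumerate secrets cluster-wide
# when their informers sync. Extend per cluster (e.g. cloud-controller identities).
SYSTEM_LISTERS = {"system:apiserver", "system:kube-controller-manager"}
LOOPBACK_IPS = {"::1", "127.0.0.1"}
READ_VERBS = {"get", "list", "watch"}


def classify(event):
    """Return (severity, reason) for one audit.k8s.io/v1 Event dict."""
    obj = event.get("objectRef") or {}
    verb = event.get("verb")
    if obj.get("resource") != "secrets" or verb not in READ_VERBS:
        return "ignore", "not a read of secrets"

    user = (event.get("user") or {}).get("username", "")
    src = set(event.get("sourceIPs") or [])
    query = parse_qs(urlparse(event.get("requestURI", "")).query)
    # resourceVersion=0 asks the apiserver to serve the list from its watch cache;
    # that is the shape of an informer's initial list (and relist) before it watches.
    informer_style = query.get("resourceVersion") == ["0"]
    # No namespace in objectRef on a list/watch means the whole cluster was read.
    cluster_wide = "namespace" not in obj
    scope = "cluster-wide" if cluster_wide else f"in namespace {obj.get('namespace')}"

    if user in SYSTEM_LISTERS:
        if src <= LOOPBACK_IPS and (informer_style or verb == "watch"):
            return "baseline", f"{user} informer {verb} of secrets from the control plane"
        return "medium", f"{user} {verb} of secrets without the usual cache-sync shape"
    if user.startswith("system:serviceaccount:"):
        if cluster_wide:
            return "high", f"workload identity {user} enumerated secrets cluster-wide"
        return "medium", f"workload identity {user} {verb} secrets {scope}"
    return "high", f"principal {user} {verb} secrets {scope}"


def triage(events):
    """Return [(severity, username, reason)] for every event that is neither baseline nor ignored."""
    findings = []
    for ev in events:
        severity, reason = classify(ev)
        if severity in ("ignore", "baseline"):
            continue
        findings.append((severity, ev["user"]["username"], reason))
    return findings


def triage_jsonl(text):
    """Same as triage(), for newline-delimited JSON as exported from CloudWatch."""
    return triage([json.loads(line) for line in text.splitlines() if line.strip()])


SAMPLE_EVENTS = [
    # Condensed from the apiserver event in the post.
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "list",
     "requestURI": "/api/v1/secrets?limit=500&resourceVersion=0",
     "user": {"username": "system:apiserver", "groups": ["system:masters"]},
     "sourceIPs": ["::1"], "objectRef": {"resource": "secrets", "apiVersion": "v1"},
     "responseStatus": {"code": 200}},
    # Constructed: the kube-controller-manager shape the post mentions.
    {"verb": "list", "requestURI": "/api/v1/secrets?limit=500&resourceVersion=0",
     "user": {"username": "system:kube-controller-manager", "groups": ["system:authenticated"]},
     "sourceIPs": ["::1"], "objectRef": {"resource": "secrets", "apiVersion": "v1"}},
    # Constructed: a pod service account enumerating every secret in the cluster.
    {"verb": "list", "requestURI": "/api/v1/secrets?limit=500",
     "user": {"username": "system:serviceaccount:default:app"},
     "sourceIPs": ["10.0.12.7"], "objectRef": {"resource": "secrets", "apiVersion": "v1"}},
    # Constructed: a namespaced watch by an operator's own service account.
    {"verb": "watch", "requestURI": "/api/v1/namespaces/cert-manager/secrets?watch=true",
     "user": {"username": "system:serviceaccount:cert-manager:cert-manager"},
     "sourceIPs": ["10.0.3.4"],
     "objectRef": {"resource": "secrets", "namespace": "cert-manager", "apiVersion": "v1"}},
    # Constructed: unrelated resource, must be ignored.
    {"verb": "list", "requestURI": "/api/v1/pods", "user": {"username": "system:kube-scheduler"},
     "sourceIPs": ["::1"], "objectRef": {"resource": "pods", "apiVersion": "v1"}},
]

if __name__ == "__main__":
    for severity, user, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {user}: {reason}")
```

Run against the samples it reports only the two constructed service-account reads; both control-plane events match the baseline shape and are suppressed. The alarm worth keeping is the one that fires when a control-plane username appears without loopback source or without `resourceVersion=0`, or when any other principal lists secrets cluster-wide.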