Unexpected audit logs from system:admin user in system:masters group
Issue
After configuring OpenShift's Kubernetes API audit logs to collect all accesses from users in the system:masters group, there are a number of requests coming from the system:admin user.
This should not be happening as the system:admin user is protected within our company and we are not making normal users members of the system:masters group.
Every day at the same time of day the system:admin user performs 4 GET requests on the following API endpoints:
- /apis/config.openshift.io/v1/clusteroperators/etcd
- /apis/config.openshift.io/v1/clusteroperators/kube-scheduler
- /apis/config.openshift.io/v1/clusteroperators/kube-controller-manager
- /apis/config.openshift.io/v1/clusteroperators/kube-apiserver
Have the system:admin credentials been compromised and is this a security concern?
Environment
OpenShift 4.8+
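To triage the pattern described in the Issue, the following added example (not part of the original article or of any Red Hat tooling) separates the daily GET requests on the four clusteroperator endpoints from any other activity by system:admin, and records the source IPs and user agent of each. It assumes audit events in the standard Kubernetes audit.k8s.io/v1 JSON-lines format; the function names, sample events, IP addresses and user agents are constructed for illustration.

```python
import json
from collections import defaultdict

# The four endpoints listed in the Issue above.
DAILY = {"/apis/config.openshift.io/v1/clusteroperators/" + n
         for n in ("etcd", "kube-scheduler", "kube-controller-manager", "kube-apiserver")}

def triage(lines, user="system:admin", group="system:masters"):
    """Return (recurring, other) for audit events made by `user` as a member of `group`."""
    recurring = defaultdict(lambda: {"days": set(), "times": set(), "sources": set()})
    other = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated line, e.g. at a log rotation boundary
        who = ev.get("user", {})
        if who.get("username") != user or group not in who.get("groups", []):
            continue
        if ev.get("stage") != "ResponseComplete":
            continue  # a request can be logged at several stages; count it once
        ts = ev.get("requestReceivedTimestamp", "")
        uri = ev.get("requestURI", "").split("?", 1)[0]
        source = (tuple(ev.get("sourceIPs", [])), ev.get("userAgent", ""))
        if ev.get("verb") == "get" and uri in DAILY:
            rec = recurring[uri]
            rec["days"].add(ts[:10])      # YYYY-MM-DD
            rec["times"].add(ts[11:16])   # HH:MM (UTC)
            rec["sources"].add(source)
        else:
            other.append((ts, ev.get("verb"), uri, source))
    return dict(recurring), other

def make_event(ts, verb, uri, ip, agent, stage="ResponseComplete"):
    # Builds one constructed audit line; every value here is sample data.
    return json.dumps({"kind": "Event", "stage": stage, "verb": verb, "requestURI": uri,
                       "user": {"username": "system:admin",
                                "groups": ["system:masters", "system:authenticated"]},
                       "sourceIPs": [ip], "userAgent": agent, "requestReceivedTimestamp": ts})

SAMPLE = [make_event(f"2024-01-0{d}T03:00:0{i}.000000Z", "get", uri, "192.0.2.10", "example-agent/1.0")
          for d in (1, 2) for i, uri in enumerate(sorted(DAILY))]
SAMPLE.append(make_event("2024-01-02T14:22:07.000000Z", "list", "/api/v1/namespaces?limit=500",
                         "198.51.100.7", "example-cli/1.0"))
SAMPLE.append('{"kind":"Event","stage":"Resp')  # constructed truncated line

if __name__ == "__main__":
    recurring, other = triage(SAMPLE)
    for uri, rec in sorted(recurring.items()):
        print(uri, len(rec["days"]), "days at", sorted(rec["times"]), sorted(rec["sources"]))
    for row in other:
        print("OUTSIDE PATTERN:", row)
```

A single source and user agent across all recurring requests, with nothing in the second list, points to one automated caller; entries outside the pattern are the ones to investigate first.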