This repository has been archived by the owner on May 17, 2024. It is now read-only.

audit get pods <pod-name> doesn't work #161

Open
amit-handda opened this issue Jul 6, 2020 · 3 comments

@amit-handda

Hello,

Thanks for such a useful tool. I want to raise an issue about the audit feature not working for get pods <pod-name>. I don't see anything in the proxy output console. I have configured the audit as follows:

```
--secure-port=443 --tls-cert-file=./tls/crt.pem --tls-private-key-file=./tls/key.pem --oidc-client-id=dd-auth --oidc-issuer-url='https://dex.xxx.com' --oidc-username-claim=email --extra-user-header-client-ip --oidc-ca-file=./ca/oidc-ca.pem --oidc-groups-claim=groups --oidc-signing-algs=RS256 --audit-policy-file=./audit.yaml --audit-log-path="-" --kubeconfig=/Users/xxx.config
```

I see that a test for this use case has been written. However, the same doesn't execute because of the absence of ./pkg/proxy/audit/audit_test.go in the code.

I debugged the issue further to find the root cause. It's happening due to a (misconfigured?) serverConfig.RequestInfoResolver:

```
return genericapifilters.WithRequestInfo(handler, a.serverConfig.RequestInfoResolver)
```

It's only resolving /apis/* as resource requests, while for get pods <pod-name> the API is /api/v1/...

Hope I am correct.
Thanks,
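The classification described in the comment above, as an added example that is not part of the original issue or the project's code: a simplified, standard-library-only model of how a request path is sorted into resource or non-resource depending on which API prefixes the resolver knows. The names `resolver`, `newResolver` and `classify` and the sample path are constructed for illustration; the model also covers grouped and cluster-scoped paths, which goes slightly beyond the single case reported.

```go
package main

import (
	"fmt"
	"strings"
)

// resolver is a simplified model, not the k8s.io/apiserver implementation.
type resolver struct {
	apiPrefixes, groupless map[string]bool // accepted API roots; roots with no group segment
}

// newResolver always accepts "apis"; legacy prefixes such as "api" are opt-in.
func newResolver(legacy ...string) resolver {
	r := resolver{map[string]bool{"apis": true}, map[string]bool{}}
	for _, p := range legacy {
		p = strings.Trim(p, "/")
		r.apiPrefixes[p], r.groupless[p] = true, true
	}
	return r
}

// classify reports whether path is a resource request, plus resource and name.
func (r resolver) classify(path string) (isResource bool, resource, name string) {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if len(parts) < 3 || !r.apiPrefixes[parts[0]] {
		return false, "", "" // treated as a non-resource URL
	}
	rest := parts[2:] // groupless: skip prefix and version
	if !r.groupless[parts[0]] {
		rest = parts[3:] // grouped: skip prefix, group and version
	}
	if len(rest) > 2 && rest[0] == "namespaces" {
		rest = rest[2:] // drop "namespaces/<namespace>"
	}
	if len(rest) > 0 {
		resource = rest[0]
	}
	if len(rest) > 1 {
		name = rest[1]
	}
	return true, resource, name
}

func main() {
	for _, r := range []resolver{newResolver(), newResolver("api")} {
		// Constructed sample path for a single-pod GET.
		fmt.Println(r.classify("/api/v1/namespaces/default/pods/my-pod"))
	}
}
```

With no legacy prefix the pod path comes back as a non-resource request, so an audit policy rule written against the `pods` resource has nothing to match.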

@amit-handda
Author

After I added the following patch, it's working:

index 6dd35f5e..311c39af 100644
--- a/pkg/proxy/audit/audit.go
+++ b/pkg/proxy/audit/audit.go
@@ -31,6 +31,7 @@ func New(opts *options.AuditOptions, externalAddress string, secureServingInfo *
                // This is so watch requests are handled correctly in the audit log.
                LongRunningFunc: genericfilters.BasicLongRunningRequestCheck(
                        sets.NewString("watch"), sets.NewString()),
+               LegacyAPIGroupPrefixes: sets.NewString( "api"),
        }```
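
Review bot: The added `LegacyAPIGroupPrefixes: sets.NewString( "api"),` line carries no comment, and the comment just above it only explains `LongRunningFunc`. A short comment saying that requests under /api/v1 (the path the report gives for get pods <pod-name>) are otherwise not resolved as resource requests, and so do not show up in the audit output, would tell the next reader why the field is set. The stray space in `sets.NewString( "api")` should also go (gofmt removes it). Since the report says the existing audit test does not run, a test that requests a single pod and checks for an audit entry would guard against a regression.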

@JoshVanL
Contributor

Hi @amit-handda, thanks for catching this. I will follow up with a fix.

/assign

@JoshVanL
Contributor

JoshVanL commented Aug 3, 2020

Hi @amit-handda, apologies for the delay. This is still on my backlog to get to :)
