Audit Event on Pod Exec
Kubernetes Events are limited in that the circumstances under which they are created cannot be changed and what they are associated with is fixed. In many cases it is useful to augment these out-of-the-box Events with custom Events designed for your own needs. This policy generates an Event on a Pod whenever an exec is performed against it. The Event records the userInfo of the actor performing the exec (the username, UID and groups as seen by the API server) along with the command passed to the exec. Because the rule matches the Pod/exec subresource at admission time, it runs only in admission mode (background: false) and captures the argv of the exec request, not what is typed afterwards: an interactive session shows up as, for example, /bin/bash with no record of the subsequent commands. The exec itself is not blocked, so this is an audit control rather than a preventive one, and since the API server expires Events after one hour by default, forward them to a log pipeline if a durable trail is required.
Policy Definition
/other/audit-event-on-exec/audit-event-on-exec.yaml
```yaml
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: audit-event-on-exec
  annotations:
    policies.kyverno.io/title: Audit Event on Pod Exec
    policies.kyverno.io/category: Other
    kyverno.io/kyverno-version: 1.10.0
    policies.kyverno.io/minversion: 1.10.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Kubernetes Events are limited in that the circumstances under which they are created
      cannot be changed and with what they are associated is fixed. It may be advantageous
      in many cases to augment these out-of-the-box Events with custom Events which can be
      custom designed to your needs. This policy generates an Event on a Pod when an exec
      has been made to it. It lists the userInfo of the actor performing the exec along
      with the command used in the exec.
spec:
  # Exec requests only exist as admission requests; there is no stored object
  # to scan, so background processing must be off.
  background: false
  rules:
  - name: generate-event-on-exec
    match:
      any:
      - resources:
          kinds:
          # Match the exec subresource of Pods, not Pod create/update.
          - Pod/exec
    context:
    # The exec request carries the Pod name but not its UID; look it up so the
    # Event can be attached to the correct Pod object.
    - name: parentPodUID
      apiCall:
        urlPath: "/api/v1/namespaces/{{request.namespace}}/pods/{{request.name}}"
        jmesPath: "metadata.uid"
    generate:
      apiVersion: v1
      kind: Event
      # Random suffix so repeated execs against the same Pod each get their own Event.
      name: "exec.{{ random('[a-z0-9]{6}') }}"
      namespace: "{{request.namespace}}"
      synchronize: false
      data:
        firstTimestamp: "{{ time_now_utc() }}"
        involvedObject:
          apiVersion: v1
          kind: Pod
          name: "{{ request.name }}"
          namespace: "{{ request.namespace }}"
          uid: "{{ parentPodUID }}"
        lastTimestamp: "{{ time_now_utc() }}"
        # userInfo is serialised as JSON; command is the argv of the exec request.
        message: An exec was performed by {{ request.userInfo | to_string(@) }} running commands {{ request.object.command }}
        reason: Exec
        source:
          component: kyverno
        type: Warning
```
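The Events this policy emits are only useful if something reads them. The following is an added example, not code from the Kyverno policy library, showing how a detection pipeline might parse and triage them. It assumes the Event message has the shape the policy's message template produces (userInfo rendered as a JSON object by `to_string(@)`, the command rendered as a JSON array), and the sample Event list below is constructed to look like the output of `kubectl get events -A -o json`; the flag names and the choice of kube-system as a sensitive namespace are illustrative.

```python
"""Triage Kubernetes Events produced by the audit-event-on-exec Kyverno policy.

Added example, not part of the policy library. Assumes Event.message looks like:
  An exec was performed by <userInfo JSON> running commands <command JSON array>
"""
from __future__ import annotations

import json
import os
import re
from dataclasses import dataclass, field

# Assumed from the policy's message template: userInfo is a JSON object and the
# command is a JSON array, both substituted verbatim by Kyverno.
MESSAGE_RE = re.compile(
    r"^An exec was performed by (?P<user>\{.*\}) running commands (?P<cmd>\[.*\])$"
)

# Constructed sample, shaped like `kubectl get events -A -o json` output.
SAMPLE_EVENT_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "exec.k3f9ab", "namespace": "kube-system"},
            "reason": "Exec",
            "type": "Warning",
            "source": {"component": "kyverno"},
            "involvedObject": {"kind": "Pod", "name": "coredns-5d78c9869d-abcde", "namespace": "kube-system"},
            "message": 'An exec was performed by {"groups":["system:masters","system:authenticated"],"username":"kubernetes-admin"} running commands ["sh","-c","cat /etc/resolv.conf"]',
        },
        {
            "metadata": {"name": "exec.p0q2zz", "namespace": "payments"},
            "reason": "Exec",
            "type": "Warning",
            "source": {"component": "kyverno"},
            "involvedObject": {"kind": "Pod", "name": "api-7f6b9c-xyz12", "namespace": "payments"},
            "message": 'An exec was performed by {"groups":["system:serviceaccounts","system:serviceaccounts:ci","system:authenticated"],"uid":"c0ffee","username":"system:serviceaccount:ci:deployer"} running commands ["/bin/bash"]',
        },
        {
            # Unrelated kubelet Warning in the same namespace: the parser must skip it.
            "metadata": {"name": "api-7f6b9c-xyz12.1", "namespace": "payments"},
            "reason": "BackOff",
            "type": "Warning",
            "source": {"component": "kubelet"},
            "involvedObject": {"kind": "Pod", "name": "api-7f6b9c-xyz12", "namespace": "payments"},
            "message": "Back-off restarting failed container",
        },
    ],
}

SHELLS = {"sh", "bash", "zsh", "ash", "dash"}


@dataclass
class ExecRecord:
    namespace: str
    pod: str
    username: str
    groups: list[str]
    command: list[str]
    flags: list[str] = field(default_factory=list)


def parse_exec_event(event: dict) -> ExecRecord | None:
    """Return an ExecRecord for Events emitted by the policy, None for anything else."""
    if event.get("reason") != "Exec" or event.get("source", {}).get("component") != "kyverno":
        return None
    m = MESSAGE_RE.match(event.get("message", ""))
    if not m:
        return None  # reason=Exec from another source, or an unexpected template
    user = json.loads(m.group("user"))
    command = json.loads(m.group("cmd"))
    obj = event["involvedObject"]
    return ExecRecord(obj["namespace"], obj["name"], user.get("username", "?"),
                      user.get("groups", []), command)


def flag_record(rec: ExecRecord, sensitive_namespaces=("kube-system",)) -> ExecRecord:
    """Attach illustrative review flags; tune these to your own cluster conventions."""
    if rec.namespace in sensitive_namespaces:
        rec.flags.append("sensitive-namespace")
    if rec.username.startswith("system:serviceaccount:"):
        rec.flags.append("serviceaccount-exec")  # automation rarely needs exec
    # A bare shell (no -c) is an interactive session whose input the Event cannot show.
    if rec.command and os.path.basename(rec.command[0]) in SHELLS and "-c" not in rec.command:
        rec.flags.append("interactive-shell")
    return rec


def triage(event_list: dict) -> list[ExecRecord]:
    """Parse every exec Event in a List and annotate it with flags."""
    records = []
    for ev in event_list.get("items", []):
        rec = parse_exec_event(ev)
        if rec is not None:
            records.append(flag_record(rec))
    return records


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENT_LIST):
        print(f"{r.namespace}/{r.pod} user={r.username} cmd={' '.join(r.command)} flags={r.flags or '-'}")
```

Run against a live cluster by piping `kubectl get events -A --field-selector reason=Exec -o json` into `json.load` and passing the result to `triage`; the `reason`/`source.component` check keeps Events from other emitters out of the audit stream even when they share the same namespace and Pod.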