who_shelled_into_pod
Identify users who accessed a specific Kubernetes pod by name, namespace, and time range. Audit shell access events to enhance cluster security and monitor activity.
Instructions
Get the users who shelled into a pod with the given name and namespace within the given time range. The tool returns the matching Kubernetes audit log entries (rule A001, exec-into-pod anomalies) rather than a bare list of users, so the caller reads the requesting user from each entry.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| cluster_id | No | Optional Cluster ID | |
| from_time | No | Start time of the time range to search for audit events. Example: 2024-01-01T00:00:00Z. Default: 7 days ago | now-7d |
| limit | No | Maximum number of results to return | 20 |
| name | No | Optional Pod name | |
| namespace | No | Optional Pod namespace | |
| page | No | Page number to return | 1 |
| to_time | No | End time of the time range to search for audit events. Example: 2024-01-03T00:00:00Z | |
Implementation Reference
- src/operations/audit.ts:17-70 (handler): main handler that queries the RAD Security API for k8s audit log anomalies (rule A001), filters the results client-side by pod name and namespace, and returns the matching audit logs. Two behaviours are worth knowing when reading the output: `name` and `namespace` only exclude entries whose `objectRef` is present and differs, so an entry with no `objectRef` passes the filter regardless; and because `limit` is sent to the API as `page_size` and the name/namespace filter runs on the returned page afterwards, a page can contain fewer than `limit` matches, and any pagination metadata in the response describes the unfiltered result set.

  ```typescript
  export async function whoShelledIntoPod(
    client: RadSecurityClient,
    name?: string,
    namespace?: string,
    cluster_id?: string,
    from_time: string = "now-7d",
    to_time: string = "",
    limit: number = 20,
    page: number = 1
  ): Promise<any> {
    const params: Record<string, any> = {
      types: "k8s_audit_logs_anomaly",
      rule_ids: "A001",
      from: from_time,
      to: to_time,
      page: page,
      page_size: limit,
    };
    if (cluster_id) {
      params.cluster_ids = cluster_id;
    }
    const violations = await client.makeRequest(
      `/accounts/${client.getAccountId()}/findings`,
      params
    );
    const toReturn = [];
    for (const violation of violations.entries) {
      const auditLog = violation.source;
      if (!auditLog) {
        continue;
      }
      let match = true;
      if (name) {
        if (auditLog.objectRef && auditLog.objectRef.name !== name) {
          match = false;
        }
      }
      if (namespace) {
        if (auditLog.objectRef && auditLog.objectRef.namespace !== namespace) {
          match = false;
        }
      }
      if (match) {
        toReturn.push(auditLog);
      }
    }
    violations.entries = toReturn;
    return violations;
  }
  ```

- src/operations/audit.ts:4-12 (schema): Zod schema defining the input parameters for the who_shelled_into_pod tool, including optional filters for pod name, namespace, cluster, time range, limit, and page. `from_time` has no schema default; when it is omitted the handler's own default of `now-7d` applies.

  ```typescript
  export const WhoShelledIntoPodSchema = z.object({
    name: z.string().optional().describe("Optional Pod name"),
    namespace: z.string().optional().describe("Optional Pod namespace"),
    cluster_id: z.string().optional().describe("Optional Cluster ID"),
    from_time: z.string().optional().describe("Start time of the time range to search for audit events. Example: 2024-01-01T00:00:00Z. Default: 7 days ago"),
    to_time: z.string().optional().describe("End time of the time range to search for audit events. Example: 2024-01-03T00:00:00Z"),
    limit: z.number().optional().default(20).describe("Maximum number of results to return"),
    page: z.number().optional().default(1).describe("Page number to return"),
  });
  ```

- src/index.ts:155-158 (registration): tool registration in the MCP server's list of tools, providing name, description, and input schema (converted from Zod).

  ```typescript
  name: "who_shelled_into_pod",
  description: "Get k8s audit logs with information about users who shelled into a pod",
  inputSchema: zodToJsonSchema(audit.WhoShelledIntoPodSchema),
  },
  ```

- src/index.ts:452-467 (handler): MCP CallToolRequest handler case that parses the input arguments against the schema and delegates to the whoShelledIntoPod implementation, returning the response as pretty-printed JSON text.

  ```typescript
  case "who_shelled_into_pod": {
    const args = audit.WhoShelledIntoPodSchema.parse(request.params.arguments);
    const response = await audit.whoShelledIntoPod(
      client,
      args.name,
      args.namespace,
      args.cluster_id,
      args.from_time,
      args.to_time,
      args.limit,
      args.page
    );
    return {
      content: [{ type: "text", text: JSON.stringify(response, null, 2) }],
    };
  }
  ```
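The following is an added example, not code from the project, that replays the handler's client-side name/namespace filter over constructed findings and contrasts it with a strict variant. It shows the behaviour described above: an entry without `objectRef` survives the lenient filter, so a reader who only looks at usernames can attribute a shell session to the wrong pod. The `AuditLog` shape is an assumption modelled on the Kubernetes audit `Event` format (`user.username`, `objectRef.name`, `objectRef.namespace`, `objectRef.subresource`), the `Finding` wrapper mirrors the `entries[].source` access in the handler, and all sample data is constructed.

```typescript
// Added example, not the project's own code. Replicates the client-side
// name/namespace filter used by who_shelled_into_pod over constructed
// Kubernetes audit-log entries and contrasts it with a strict variant that
// rejects entries lacking objectRef. The AuditLog shape is an assumption
// based on the Kubernetes audit Event format; the sample data is constructed.

interface AuditLog {
  verb: string;
  user: { username: string };
  objectRef?: {
    resource: string;
    name: string;
    namespace: string;
    subresource?: string;
  };
  requestReceivedTimestamp: string;
}

// A finding as returned under `entries`; `source` carries the audit log.
interface Finding {
  source?: AuditLog;
}

function execEvent(username: string, name: string, namespace: string, ts: string): Finding {
  return {
    source: {
      verb: "create",
      user: { username },
      objectRef: { resource: "pods", name, namespace, subresource: "exec" },
      requestReceivedTimestamp: ts,
    },
  };
}

// Constructed findings: two genuine pod/exec events, one event with no
// objectRef, and one finding with no source at all.
export const SAMPLE_FINDINGS: Finding[] = [
  execEvent("alice", "api-7c9d", "prod", "2024-01-02T10:00:00Z"),
  execEvent("bob", "api-7c9d", "staging", "2024-01-02T11:00:00Z"),
  {
    source: {
      verb: "create",
      user: { username: "mallory" },
      requestReceivedTimestamp: "2024-01-02T12:00:00Z",
    },
  },
  { source: undefined },
];

// strict=false mirrors the handler: a missing objectRef never disqualifies
// an entry. strict=true treats a missing objectRef as a non-match whenever
// a name or namespace filter was requested.
export function filterAuditLogs(
  findings: Finding[],
  name?: string,
  namespace?: string,
  strict = false
): AuditLog[] {
  const out: AuditLog[] = [];
  for (const finding of findings) {
    const log = finding.source;
    if (!log) continue;
    let match = true;
    if ((name || namespace) && !log.objectRef && strict) match = false;
    if (name && log.objectRef && log.objectRef.name !== name) match = false;
    if (namespace && log.objectRef && log.objectRef.namespace !== namespace) match = false;
    if (match) out.push(log);
  }
  return out;
}

// Distinct usernames from the filtered logs, sorted for stable output.
export function shellUsers(logs: AuditLog[]): string[] {
  return Array.from(new Set(logs.map((l) => l.user.username))).sort();
}
```

With `name="api-7c9d"` and `namespace="prod"`, the lenient filter reports `alice` and `mallory` even though mallory's entry names no pod at all; the strict variant reports only `alice`. When consuming this tool's output, check that each returned entry actually carries an `objectRef` matching the pod you asked about before treating its user as someone who shelled into that pod.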