who_shelled_into_pod
Retrieve Kubernetes audit logs to identify users who accessed pods via shell sessions for security monitoring and compliance verification.
Instructions
Get k8s audit logs with information about users who shelled into a pod
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| name | No | Optional Pod name | |
| namespace | No | Optional Pod namespace | |
| cluster_id | No | Optional Cluster ID | |
| from_time | No | Start time of the time range to search for audit events. Example: 2024-01-01T00:00:00Z. Default: 7 days ago | |
| to_time | No | End time of the time range to search for audit events. Example: 2024-01-03T00:00:00Z | |
| limit | No | Maximum number of results to return | |
| page | No | Page number to return |
Implementation Reference
- src/operations/audit.ts:17-70 (handler)The handler function that executes the core logic of the 'who_shelled_into_pod' tool. It constructs API parameters for k8s_audit_logs_anomaly findings with rule A001, fetches violations from the RAD Security API, filters them by pod name and namespace, and returns matching audit logs.
export async function whoShelledIntoPod( client: RadSecurityClient, name?: string, namespace?: string, cluster_id?: string, from_time: string = "now-7d", to_time: string = "", limit: number = 20, page: number = 1 ): Promise<any> { const params: Record<string, any> = { types: "k8s_audit_logs_anomaly", rule_ids: "A001", from: from_time , to: to_time, page: page, page_size: limit, }; if (cluster_id) { params.cluster_ids = cluster_id; } const violations = await client.makeRequest( `/accounts/${client.getAccountId()}/findings`, params ); const toReturn = []; for (const violation of violations.entries) { const auditLog = violation.source; if (!auditLog) { continue; } let match = true; if (name) { if (auditLog.objectRef && auditLog.objectRef.name !== name) { match = false; } } if (namespace) { if (auditLog.objectRef && auditLog.objectRef.namespace !== namespace) { match = false; } } if (match) { toReturn.push(auditLog); } } violations.entries = toReturn; return violations; } - src/operations/audit.ts:4-12 (schema)Zod schema defining the input parameters and validation for the 'who_shelled_into_pod' tool.
export const WhoShelledIntoPodSchema = z.object({ name: z.string().optional().describe("Optional Pod name"), namespace: z.string().optional().describe("Optional Pod namespace"), cluster_id: z.string().optional().describe("Optional Cluster ID"), from_time: z.string().optional().describe("Start time of the time range to search for audit events. Example: 2024-01-01T00:00:00Z. Default: 7 days ago"), to_time: z.string().optional().describe("End time of the time range to search for audit events. Example: 2024-01-03T00:00:00Z"), limit: z.number().optional().default(20).describe("Maximum number of results to return"), page: z.number().optional().default(1).describe("Page number to return"), }); - src/index.ts:182-187 (registration)Registration of the tool in the ListTools handler, specifying name, description, and input schema.
{ name: "who_shelled_into_pod", description: "Get k8s audit logs with information about users who shelled into a pod", inputSchema: zodToJsonSchema(audit.WhoShelledIntoPodSchema), }, - src/index.ts:817-836 (registration)Handler case in the CallToolRequest switch statement that parses arguments, invokes the whoShelledIntoPod function with the client, and formats the response.
case "who_shelled_into_pod": { const args = audit.WhoShelledIntoPodSchema.parse( request.params.arguments ); const response = await audit.whoShelledIntoPod( client, args.name, args.namespace, args.cluster_id, args.from_time, args.to_time, args.limit, args.page ); return { content: [ { type: "text", text: JSON.stringify(response, null, 2) }, ], }; }