falcosecurity / plugins

Falco plugins registry
Apache License 2.0

Feature: support additional annotations present on openshift clusters regarding authentication.openshift.io #488

Closed nenioscio closed 2 months ago

nenioscio commented 2 months ago

Motivation

When running on OpenShift clusters, two additional fields are presented in the event object in the form of annotations named authentication.openshift.io/decision and authentication.openshift.io/username.

These fields currently cannot be parsed by the k8saudit plugin and cannot be used in filters or messages.

Feature

Please support the additional OpenShift annotations in the k8saudit plugin to allow creation of specific rules that operate on these fields.

I suggest the following field names and will open a pull request with a sample implementation:

ka.auth.openshift.decision
ka.auth.openshift.username

Additional fields should be safe to add even for clusters that are not OpenShift - these fields will only have meaning on clusters exposing the annotations.

Additional context

Example login event:

{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "auditID": "3f12709d-89ee-4d8f-b9d5-587728eae393",
  "stage": "ResponseComplete",
  "requestURI": "/login",
  "verb": "post",
  "user": {
    "username": "system:anonymous",
    "groups": [
      "system:unauthenticated"
    ]
  },
  "sourceIPs": [
    "source...ip"
  ],
  "userAgent": "user...agent",
  "responseStatus": {
    "metadata": {},
    "code": 302
  },
  "requestReceivedTimestamp": "2024-05-02T16:42:51.471626Z",
  "stageTimestamp": "2024-05-02T16:42:51.604709Z",
  "annotations": {
    "authentication.openshift.io/decision": "deny",
    "authentication.openshift.io/username": "login...user",
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  }
}
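As an added illustration of the proposal above (not code from the issue author or from the k8saudit plugin, which is built on the Falco plugin SDK), the following plain Go program shows how the two proposed fields would be read from an audit event and what happens on a cluster that does not emit the OpenShift annotations. `ExtractField`, `IsDeniedLogin` and the field map are hypothetical helpers written for this example; `SampleEvent` is the issue's login event trimmed to the fields used, and `NonOpenshiftEvent` is a constructed event from a plain Kubernetes cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// auditEvent models only the parts of a Kubernetes audit event needed here.
type auditEvent struct {
	Kind           string            `json:"kind"`
	RequestURI     string            `json:"requestURI"`
	Verb           string            `json:"verb"`
	Annotations    map[string]string `json:"annotations"`
	ResponseStatus struct {
		Code int `json:"code"`
	} `json:"responseStatus"`
}

// OpenshiftFields maps the field names proposed in the issue to the
// OpenShift annotation keys they would be read from (hypothetical helper).
var OpenshiftFields = map[string]string{
	"ka.auth.openshift.decision": "authentication.openshift.io/decision",
	"ka.auth.openshift.username": "authentication.openshift.io/username",
}

// ExtractField returns the value of one proposed field from a raw audit event.
// The second result is false when the annotation is absent, which is the
// normal case on clusters that are not OpenShift: the field then has no value
// and a rule condition on it simply does not match, instead of failing.
func ExtractField(raw []byte, field string) (string, bool, error) {
	key, known := OpenshiftFields[field]
	if !known {
		return "", false, fmt.Errorf("unknown field %q", field)
	}
	var ev auditEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return "", false, err
	}
	v, present := ev.Annotations[key]
	return v, present, nil
}

// IsDeniedLogin is the kind of rule the issue asks for, written in Go rather
// than in Falco's rule language (roughly: ka.auth.openshift.decision = "deny").
// It reports whether the OpenShift authentication decision was "deny" and
// which username was attempted; on a non-OpenShift event it never matches.
func IsDeniedLogin(raw []byte) (denied bool, user string, err error) {
	decision, present, err := ExtractField(raw, "ka.auth.openshift.decision")
	if err != nil || !present {
		return false, "", err
	}
	user, _, err = ExtractField(raw, "ka.auth.openshift.username")
	if err != nil {
		return false, "", err
	}
	return decision == "deny", user, nil
}

// SampleEvent is the login event from the issue, trimmed to the fields used.
const SampleEvent = `{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "stage": "ResponseComplete",
  "requestURI": "/login",
  "verb": "post",
  "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
  "responseStatus": {"metadata": {}, "code": 302},
  "annotations": {
    "authentication.openshift.io/decision": "deny",
    "authentication.openshift.io/username": "login...user",
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  }
}`

// NonOpenshiftEvent is a constructed event from a plain Kubernetes cluster:
// same shape, but only the upstream authorization.k8s.io annotations.
const NonOpenshiftEvent = `{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/namespaces/default/pods",
  "verb": "list",
  "user": {"username": "system:serviceaccount:default:reader", "groups": ["system:serviceaccounts"]},
  "responseStatus": {"metadata": {}, "code": 200},
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding"
  }
}`

func main() {
	for name, raw := range map[string]string{"openshift": SampleEvent, "vanilla": NonOpenshiftEvent} {
		denied, user, err := IsDeniedLogin([]byte(raw))
		fmt.Printf("%-9s denied=%v user=%q err=%v\n", name, denied, user, err)
	}
}
```

The point of the "present" flag is the claim in the issue that the fields are safe to add everywhere: on a cluster without the annotations the field is simply absent, so a rule on ka.auth.openshift.decision stays silent rather than producing errors or false positives.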