Hi SIG Auth / SIG Security,
Today, Kubernetes audit logs contain a "credential ID" that identifies the particular credential that was used to authenticate to kube-apiserver. Today, this is only defined for service account JWTs, which use the token identifier (JTI claim) as the credential ID.
There's an open PR that defines credential IDs for X.509 client certificates. Unfortunately, there's not a clear standard choice for this. Based on some discussion in the PR, we settled on taking the SHA256 hash of the serialized certificate. The linked comment sums up some of the other possible alternatives.
Are you interested in using credential IDs to correlate across multiple logs, or do you know someone who would be? We're looking for some feedback that picking `sha256(cert.Raw)` won't rule out your use case.
Taahir
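As an added illustration of the `sha256(cert.Raw)` proposal discussed above (example code written for this thread, not taken from the PR or from Kubernetes), the following Go program derives the ID from the DER bytes of a certificate and shows two properties that matter for log correlation: the ID is stable across PEM re-wrapping because it hashes DER rather than PEM text, and it changes whenever a certificate is re-issued, even for the same subject and key. The hex text encoding, the subject name "alice", and the self-signed test certificates are assumptions made here for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CredentialID returns the proposed X.509 credential ID: SHA-256 over the
// DER-encoded certificate (cert.Raw). Hex output is an assumption made here
// for readability; the PR may choose a different textual form.
func CredentialID(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// CredentialIDFromPEM decodes a PEM-wrapped certificate back to DER before
// hashing, so line wrapping, headers, or trailing whitespace in the PEM file
// cannot change the ID. Hashing the PEM text directly would not be stable.
func CredentialIDFromPEM(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	return CredentialID(cert), nil
}

// issueClientCert builds a self-signed client-auth certificate for the given
// subject, key, and serial number. Constructed test material only; a real
// cluster cert would be issued by the cluster CA.
func issueClientCert(cn string, serial int64, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	notBefore := time.Unix(1700000000, 0)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"dev-team"}},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ReissueComparison issues two certificates for the same subject and the same
// key that differ only in serial number (and therefore signature), and returns
// both credential IDs. Because the ID covers the whole DER encoding, a renewed
// or re-issued certificate gets a new ID even though the principal is unchanged,
// so correlating "the same user" across a rotation needs the subject as well.
func ReissueComparison() (string, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	first, err := issueClientCert("alice", 1, key)
	if err != nil {
		return "", "", err
	}
	second, err := issueClientCert("alice", 2, key)
	if err != nil {
		return "", "", err
	}
	return CredentialID(first), CredentialID(second), nil
}

func main() {
	a, b, err := ReissueComparison()
	if err != nil {
		panic(err)
	}
	fmt.Println("first issuance: ", a)
	fmt.Println("re-issued cert: ", b)
}
```

Run with `go run .`; the two printed IDs differ on every run, which is the point: the ID pins one specific certificate, not the identity behind it.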