From 28f8e6670ef9c333553d0a1f8dbc859d603670c2 Mon Sep 17 00:00:00 2001 From: Jefftree Date: Thu, 19 Dec 2019 12:29:37 -0800 Subject: [PATCH] audit webhook use network proxy Kubernetes-commit: cd57b830c142e2b9938ff801619070cf601c1422 --- pkg/server/options/audit.go | 17 ++++++++++++++--- plugin/pkg/audit/webhook/webhook.go | 9 +++++---- plugin/pkg/audit/webhook/webhook_test.go | 2 +- 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/pkg/server/options/audit.go b/pkg/server/options/audit.go index 98b3fc615..090ef5a2b 100644 --- a/pkg/server/options/audit.go +++ b/pkg/server/options/audit.go @@ -29,6 +29,7 @@ import ( corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime/schema" + utilnet "k8s.io/apimachinery/pkg/util/net" auditinternal "k8s.io/apiserver/pkg/apis/audit" auditv1 "k8s.io/apiserver/pkg/apis/audit/v1" auditv1alpha1 "k8s.io/apiserver/pkg/apis/audit/v1alpha1" @@ -37,6 +38,7 @@ import ( "k8s.io/apiserver/pkg/audit/policy" "k8s.io/apiserver/pkg/features" "k8s.io/apiserver/pkg/server" + "k8s.io/apiserver/pkg/server/egressselector" utilfeature "k8s.io/apiserver/pkg/util/feature" pluginbuffered "k8s.io/apiserver/plugin/pkg/audit/buffered" plugindynamic "k8s.io/apiserver/plugin/pkg/audit/dynamic" @@ -323,7 +325,16 @@ func (o *AuditOptions) ApplyTo( if checker == nil { klog.V(2).Info("No audit policy file provided, no events will be recorded for webhook backend") } else { - webhookBackend, err = o.WebhookOptions.newUntruncatedBackend() + + if c.EgressSelector != nil { + egressDialer, err := c.EgressSelector.Lookup(egressselector.Master.AsNetworkContext()) + if err != nil { + return err + } + webhookBackend, err = o.WebhookOptions.newUntruncatedBackend(egressDialer) + } else { + webhookBackend, err = o.WebhookOptions.newUntruncatedBackend(nil) + } if err != nil { return err } @@ -590,9 +601,9 @@ func (o *AuditWebhookOptions) enabled() bool { // newUntruncatedBackend returns a webhook backend without the truncate options applied // this is done so that the same trucate backend can wrap both the webhook and dynamic backends -func (o *AuditWebhookOptions) newUntruncatedBackend() (audit.Backend, error) { +func (o *AuditWebhookOptions) newUntruncatedBackend(customDial utilnet.DialFunc) (audit.Backend, error) { groupVersion, _ := schema.ParseGroupVersion(o.GroupVersionString) - webhook, err := pluginwebhook.NewBackend(o.ConfigFile, groupVersion, o.InitialBackoff) + webhook, err := pluginwebhook.NewBackend(o.ConfigFile, groupVersion, o.InitialBackoff, customDial) if err != nil { return nil, fmt.Errorf("initializing audit webhook: %v", err) } diff --git a/plugin/pkg/audit/webhook/webhook.go b/plugin/pkg/audit/webhook/webhook.go index 861ec72dd..099337331 100644 --- a/plugin/pkg/audit/webhook/webhook.go +++ b/plugin/pkg/audit/webhook/webhook.go @@ -23,6 +23,7 @@ import ( "time" "k8s.io/apimachinery/pkg/runtime/schema" + utilnet "k8s.io/apimachinery/pkg/util/net" auditinternal "k8s.io/apiserver/pkg/apis/audit" "k8s.io/apiserver/pkg/apis/audit/install" "k8s.io/apiserver/pkg/audit" @@ -60,9 +61,9 @@ func retryOnError(err error) bool { return false } -func loadWebhook(configFile string, groupVersion schema.GroupVersion, initialBackoff time.Duration) (*webhook.GenericWebhook, error) { +func loadWebhook(configFile string, groupVersion schema.GroupVersion, initialBackoff time.Duration, customDial utilnet.DialFunc) (*webhook.GenericWebhook, error) { w, err := webhook.NewGenericWebhook(audit.Scheme, audit.Codecs, configFile, - []schema.GroupVersion{groupVersion}, initialBackoff, nil) + []schema.GroupVersion{groupVersion}, initialBackoff, customDial) w.ShouldRetry = retryOnError return w, err } @@ -86,8 +87,8 @@ func NewDynamicBackend(rc *rest.RESTClient, initialBackoff time.Duration) audit. } // NewBackend returns an audit backend that sends events over HTTP to an external service. -func NewBackend(kubeConfigFile string, groupVersion schema.GroupVersion, initialBackoff time.Duration) (audit.Backend, error) { - w, err := loadWebhook(kubeConfigFile, groupVersion, initialBackoff) +func NewBackend(kubeConfigFile string, groupVersion schema.GroupVersion, initialBackoff time.Duration, customDial utilnet.DialFunc) (audit.Backend, error) { + w, err := loadWebhook(kubeConfigFile, groupVersion, initialBackoff, customDial) if err != nil { return nil, err } diff --git a/plugin/pkg/audit/webhook/webhook_test.go b/plugin/pkg/audit/webhook/webhook_test.go index 7d5dfd0c8..9c2358994 100644 --- a/plugin/pkg/audit/webhook/webhook_test.go +++ b/plugin/pkg/audit/webhook/webhook_test.go @@ -106,7 +106,7 @@ func newWebhook(t *testing.T, endpoint string, groupVersion schema.GroupVersion) // NOTE(ericchiang): Do we need to use a proper serializer? require.NoError(t, stdjson.NewEncoder(f).Encode(config), "writing kubeconfig") - b, err := NewBackend(f.Name(), groupVersion, DefaultInitialBackoff) + b, err := NewBackend(f.Name(), groupVersion, DefaultInitialBackoff, nil) require.NoError(t, err, "initializing backend") return b.(*backend)