audit webhook use network proxy
Kubernetes-commit: cd57b830c142e2b9938ff801619070cf601c1422
This commit is contained in:
Jefftree
Kubernetes Publisher
parent
f1c9537c7b
commit
28f8e6670e
|
|
@ -29,6 +29,7 @@ import (
|
||||||
|
|
||||||
corev1 "k8s.io/api/core/v1"
|
corev1 "k8s.io/api/core/v1"
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
|
utilnet "k8s.io/apimachinery/pkg/util/net"
|
||||||
auditinternal "k8s.io/apiserver/pkg/apis/audit"
|
auditinternal "k8s.io/apiserver/pkg/apis/audit"
|
||||||
auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
|
auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
|
||||||
auditv1alpha1 "k8s.io/apiserver/pkg/apis/audit/v1alpha1"
|
auditv1alpha1 "k8s.io/apiserver/pkg/apis/audit/v1alpha1"
|
||||||
|
|
@ -37,6 +38,7 @@ import (
|
||||||
"k8s.io/apiserver/pkg/audit/policy"
|
"k8s.io/apiserver/pkg/audit/policy"
|
||||||
"k8s.io/apiserver/pkg/features"
|
"k8s.io/apiserver/pkg/features"
|
||||||
"k8s.io/apiserver/pkg/server"
|
"k8s.io/apiserver/pkg/server"
|
||||||
|
"k8s.io/apiserver/pkg/server/egressselector"
|
||||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||||
pluginbuffered "k8s.io/apiserver/plugin/pkg/audit/buffered"
|
pluginbuffered "k8s.io/apiserver/plugin/pkg/audit/buffered"
|
||||||
plugindynamic "k8s.io/apiserver/plugin/pkg/audit/dynamic"
|
plugindynamic "k8s.io/apiserver/plugin/pkg/audit/dynamic"
|
||||||
|
|
@ -323,7 +325,16 @@ func (o *AuditOptions) ApplyTo(
|
||||||
if checker == nil {
|
if checker == nil {
|
||||||
klog.V(2).Info("No audit policy file provided, no events will be recorded for webhook backend")
|
klog.V(2).Info("No audit policy file provided, no events will be recorded for webhook backend")
|
||||||
} else {
|
} else {
|
||||||
webhookBackend, err = o.WebhookOptions.newUntruncatedBackend()
|
|
||||||
|
if c.EgressSelector != nil {
|
||||||
|
egressDialer, err := c.EgressSelector.Lookup(egressselector.Master.AsNetworkContext())
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
webhookBackend, err = o.WebhookOptions.newUntruncatedBackend(egressDialer)
|
||||||
|
} else {
|
||||||
|
webhookBackend, err = o.WebhookOptions.newUntruncatedBackend(nil)
|
||||||
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
@ -590,9 +601,9 @@ func (o *AuditWebhookOptions) enabled() bool {
|
||||||
|
|
||||||
// newUntruncatedBackend returns a webhook backend without the truncate options applied
|
// newUntruncatedBackend returns a webhook backend without the truncate options applied
|
||||||
// this is done so that the same trucate backend can wrap both the webhook and dynamic backends
|
// this is done so that the same trucate backend can wrap both the webhook and dynamic backends
|
||||||
func (o *AuditWebhookOptions) newUntruncatedBackend() (audit.Backend, error) {
|
func (o *AuditWebhookOptions) newUntruncatedBackend(customDial utilnet.DialFunc) (audit.Backend, error) {
|
||||||
groupVersion, _ := schema.ParseGroupVersion(o.GroupVersionString)
|
groupVersion, _ := schema.ParseGroupVersion(o.GroupVersionString)
|
||||||
webhook, err := pluginwebhook.NewBackend(o.ConfigFile, groupVersion, o.InitialBackoff)
|
webhook, err := pluginwebhook.NewBackend(o.ConfigFile, groupVersion, o.InitialBackoff, customDial)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("initializing audit webhook: %v", err)
|
return nil, fmt.Errorf("initializing audit webhook: %v", err)
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -23,6 +23,7 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
|
utilnet "k8s.io/apimachinery/pkg/util/net"
|
||||||
auditinternal "k8s.io/apiserver/pkg/apis/audit"
|
auditinternal "k8s.io/apiserver/pkg/apis/audit"
|
||||||
"k8s.io/apiserver/pkg/apis/audit/install"
|
"k8s.io/apiserver/pkg/apis/audit/install"
|
||||||
"k8s.io/apiserver/pkg/audit"
|
"k8s.io/apiserver/pkg/audit"
|
||||||
|
|
@ -60,9 +61,9 @@ func retryOnError(err error) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
func loadWebhook(configFile string, groupVersion schema.GroupVersion, initialBackoff time.Duration) (*webhook.GenericWebhook, error) {
|
func loadWebhook(configFile string, groupVersion schema.GroupVersion, initialBackoff time.Duration, customDial utilnet.DialFunc) (*webhook.GenericWebhook, error) {
|
||||||
w, err := webhook.NewGenericWebhook(audit.Scheme, audit.Codecs, configFile,
|
w, err := webhook.NewGenericWebhook(audit.Scheme, audit.Codecs, configFile,
|
||||||
[]schema.GroupVersion{groupVersion}, initialBackoff, nil)
|
[]schema.GroupVersion{groupVersion}, initialBackoff, customDial)
|
||||||
w.ShouldRetry = retryOnError
|
w.ShouldRetry = retryOnError
|
||||||
return w, err
|
return w, err
|
||||||
}
|
}
|
||||||
|
|
@ -86,8 +87,8 @@ func NewDynamicBackend(rc *rest.RESTClient, initialBackoff time.Duration) audit.
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewBackend returns an audit backend that sends events over HTTP to an external service.
|
// NewBackend returns an audit backend that sends events over HTTP to an external service.
|
||||||
func NewBackend(kubeConfigFile string, groupVersion schema.GroupVersion, initialBackoff time.Duration) (audit.Backend, error) {
|
func NewBackend(kubeConfigFile string, groupVersion schema.GroupVersion, initialBackoff time.Duration, customDial utilnet.DialFunc) (audit.Backend, error) {
|
||||||
w, err := loadWebhook(kubeConfigFile, groupVersion, initialBackoff)
|
w, err := loadWebhook(kubeConfigFile, groupVersion, initialBackoff, customDial)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -106,7 +106,7 @@ func newWebhook(t *testing.T, endpoint string, groupVersion schema.GroupVersion)
|
||||||
// NOTE(ericchiang): Do we need to use a proper serializer?
|
// NOTE(ericchiang): Do we need to use a proper serializer?
|
||||||
require.NoError(t, stdjson.NewEncoder(f).Encode(config), "writing kubeconfig")
|
require.NoError(t, stdjson.NewEncoder(f).Encode(config), "writing kubeconfig")
|
||||||
|
|
||||||
b, err := NewBackend(f.Name(), groupVersion, DefaultInitialBackoff)
|
b, err := NewBackend(f.Name(), groupVersion, DefaultInitialBackoff, nil)
|
||||||
require.NoError(t, err, "initializing backend")
|
require.NoError(t, err, "initializing backend")
|
||||||
|
|
||||||
return b.(*backend)
|
return b.(*backend)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue