kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #111125 from tallclair/audit-cleanup 

Delete dead audit code

Kubernetes-commit: 4c213e8d3a9b2e53d7e40a68ead77b9730207758
This commit is contained in:
Kubernetes Publisher 2022-07-18 15:36:29 -07:00
parent e77016635a 9c0ce32da0
commit 693faae89c
4 changed files with 4 additions and 203 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
go.mod
View File

@ -38,7 +38,7 @@ require (
google.golang.org/grpc v1.47.0
gopkg.in/natefinch/lumberjack.v2 v2.0.0
gopkg.in/square/go-jose.v2 v2.2.2
k8s.io/api v0.0.0-20220714170823-fa32a3acacac
k8s.io/api v0.0.0-20220722161207-096c9df2b1e5
k8s.io/apimachinery v0.0.0-20220715210607-cff14a57b273
k8s.io/client-go v0.0.0-20220715211111-c6bd30b9ec5f
k8s.io/component-base v0.0.0-20220714131716-acb17c407a9a
@ -119,7 +119,7 @@ require (
)
replace (
k8s.io/api => k8s.io/api v0.0.0-20220714170823-fa32a3acacac
k8s.io/api => k8s.io/api v0.0.0-20220722161207-096c9df2b1e5
k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20220715210607-cff14a57b273
k8s.io/client-go => k8s.io/client-go v0.0.0-20220715211111-c6bd30b9ec5f
k8s.io/component-base => k8s.io/component-base v0.0.0-20220714131716-acb17c407a9a

4
go.sum
View File

@ -958,8 +958,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
k8s.io/api v0.0.0-20220714170823-fa32a3acacac h1:LIfq5iBuTwIQYWgnehi7csEnj8JQMdkGELY6R4CJ6zU=
k8s.io/api v0.0.0-20220714170823-fa32a3acacac/go.mod h1:xlTZXhM5RKsAvY03javUnK13iE/4mnhKPPE4oPaILYs=
k8s.io/api v0.0.0-20220722161207-096c9df2b1e5 h1:b/hnNZkm+3G4euPDgrtSZ1N++B690LP192H2PmGr7tY=
k8s.io/api v0.0.0-20220722161207-096c9df2b1e5/go.mod h1:T8MHEjNPDTNfRwP5bawgzpmK7k3NMdSd2grr9aNemC0=
k8s.io/apimachinery v0.0.0-20220715210607-cff14a57b273 h1:IL+NsyWP9+VKUqvJnCbf/nqFSnRR4lVGR5yjkip3NJo=
k8s.io/apimachinery v0.0.0-20220715210607-cff14a57b273/go.mod h1:CNcND3K8ABL1dV2TGPzpp/lCzp9PRs+3Wo/Xn4dxzxA=
k8s.io/client-go v0.0.0-20220715211111-c6bd30b9ec5f h1:p8YuTwiKFA5PKnu0XYIphz4det9S39jzModfPJPXyc0=

53
pkg/audit/policy/enforce.go
View File

@ -1,53 +0,0 @@
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
"k8s.io/apiserver/pkg/apis/audit"
)
// EnforcePolicy drops any part of the event that doesn't conform to a policy level
// or omitStages and sets the event level accordingly
func EnforcePolicy(event *audit.Event, level audit.Level, omitStages []audit.Stage) (*audit.Event, error) {
for _, stage := range omitStages {
if event.Stage == stage {
return nil, nil
}
}
return enforceLevel(event, level)
}
func enforceLevel(event *audit.Event, level audit.Level) (*audit.Event, error) {
switch level {
case audit.LevelMetadata:
event.Level = audit.LevelMetadata
event.ResponseObject = nil
event.RequestObject = nil
case audit.LevelRequest:
event.Level = audit.LevelRequest
event.ResponseObject = nil
case audit.LevelRequestResponse:
event.Level = audit.LevelRequestResponse
case audit.LevelNone:
return nil, nil
default:
return nil, fmt.Errorf("level unknown: %s", level)
}
return event, nil
}

146
pkg/audit/policy/enforce_test.go
View File

@ -1,146 +0,0 @@
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"math/rand"
"testing"
"time"
"github.com/stretchr/testify/require"
"k8s.io/apimachinery/pkg/api/apitesting/fuzzer"
"k8s.io/apimachinery/pkg/runtime"
runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/apis/audit"
auditfuzz "k8s.io/apiserver/pkg/apis/audit/fuzzer"
)
func TestEnforcePolicy(t *testing.T) {
scheme := runtime.NewScheme()
audit.SchemeBuilder.AddToScheme(scheme)
codecs := runtimeserializer.NewCodecFactory(scheme)
rs := rand.NewSource(time.Now().UnixNano())
objectFuzzer := fuzzer.FuzzerFor(auditfuzz.Funcs, rs, codecs)
for _, tc := range []struct {
name string
level audit.Level
omitStages []audit.Stage
}{
{
name: "level metadata",
level: audit.LevelMetadata,
},
{
name: "level request",
level: audit.LevelRequest,
},
{
name: "level requestresponse",
level: audit.LevelRequestResponse,
},
{
name: "level none",
level: audit.LevelNone,
},
{
name: "level unknown",
level: audit.Level("unknown"),
},
{
name: "stage valid",
level: audit.LevelRequest,
omitStages: []audit.Stage{audit.StageRequestReceived},
},
{
name: "stage unknown",
level: audit.LevelRequest,
omitStages: []audit.Stage{"unknown"},
},
} {
t.Run(tc.name, func(t *testing.T) {
events := make([]audit.Event, 20)
omitSet := sets.NewString(ConvertStagesToStrings(tc.omitStages)...)
for i := range events {
e := &events[i]
objectFuzzer.Fuzz(e)
ev, err := EnforcePolicy(e, tc.level, tc.omitStages)
if omitSet.Has(string(e.Stage)) {
require.NoError(t, err)
require.Nil(t, ev)
return
}
switch tc.level {
case audit.LevelNone:
require.Nil(t, ev)
case audit.LevelMetadata:
expected := &audit.Event{
TypeMeta: e.TypeMeta,
Level: tc.level,
AuditID: e.AuditID,
Stage: e.Stage,
RequestURI: e.RequestURI,
Verb: e.Verb,
User: e.User,
ImpersonatedUser: e.ImpersonatedUser,
SourceIPs: e.SourceIPs,
UserAgent: e.UserAgent,
ObjectRef: e.ObjectRef,
ResponseStatus: e.ResponseStatus,
RequestReceivedTimestamp: e.RequestReceivedTimestamp,
StageTimestamp: e.StageTimestamp,
Annotations: e.Annotations,
RequestObject: nil,
ResponseObject: nil,
}
require.Equal(t, expected, ev)
case audit.LevelRequest:
expected := &audit.Event{
TypeMeta: e.TypeMeta,
Level: tc.level,
AuditID: e.AuditID,
Stage: e.Stage,
RequestURI: e.RequestURI,
Verb: e.Verb,
User: e.User,
ImpersonatedUser: e.ImpersonatedUser,
SourceIPs: e.SourceIPs,
UserAgent: e.UserAgent,
ObjectRef: e.ObjectRef,
ResponseStatus: e.ResponseStatus,
RequestReceivedTimestamp: e.RequestReceivedTimestamp,
StageTimestamp: e.StageTimestamp,
Annotations: e.Annotations,
RequestObject: e.RequestObject,
ResponseObject: nil,
}
require.Equal(t, expected, ev)
case audit.LevelRequestResponse:
expected := e.DeepCopy()
expected.Level = tc.level
require.Equal(t, expected, ev)
default:
require.Error(t, err)
return
}
require.NoError(t, err)
}
})
}
}