Merge pull request #131694 from dims/eliminate-audit-context-set-event-level

Eliminate AuditContext`s SetEventLevel Kubernetes-commit: e94babb2aa0e54950c5b1adbadccf59d24436e56
2025-05-09 17:51:19 -07:00 · 2025-05-09 17:51:19 -07:00 · 9b509bf53b
parent 2ffdf9039f 1ffdd2403f
commit 9b509bf53b
10 changed files with 20 additions and 37 deletions
--- a/go.mod
+++ b/go.mod
@ -49,7 +49,7 @@ require (
 	gopkg.in/go-jose/go-jose.v2 v2.6.3
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	k8s.io/api v0.0.0-20250503031400-f7e72be095ee
-	k8s.io/apimachinery v0.0.0-20250509073128-f7c43800319c
+	k8s.io/apimachinery v0.0.0-20250509224118-202cba0f14e5
 	k8s.io/client-go v0.0.0-20250508032644-996ce6af9b5e
 	k8s.io/component-base v0.0.0-20250506232724-41c27b0c0716
 	k8s.io/klog/v2 v2.130.1
--- a/go.sum
+++ b/go.sum
@ -369,8 +369,8 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 k8s.io/api v0.0.0-20250503031400-f7e72be095ee h1:+YExLdNpiASfnQXQfpyLIGIps0RcJPNt7NdiCVH8Bys=
 k8s.io/api v0.0.0-20250503031400-f7e72be095ee/go.mod h1:AsuSCzGYZszSLf5GB+qx8FBGGirk0I/TZUkQJFsPRAQ=
-k8s.io/apimachinery v0.0.0-20250509073128-f7c43800319c h1:AOgTXCqYQBXL3LukOqiunp3VtlOBvrvoUM9kDvG1kjM=
-k8s.io/apimachinery v0.0.0-20250509073128-f7c43800319c/go.mod h1:b+h1nads2hmyfwvvorkgHUriRTTaJ2p2mk0l03sESn8=
+k8s.io/apimachinery v0.0.0-20250509224118-202cba0f14e5 h1:HUUum3joW/FJUlpYvcEN7n8o9/4qbVx9TNorWUYv9r8=
+k8s.io/apimachinery v0.0.0-20250509224118-202cba0f14e5/go.mod h1:b+h1nads2hmyfwvvorkgHUriRTTaJ2p2mk0l03sESn8=
 k8s.io/client-go v0.0.0-20250508032644-996ce6af9b5e h1:87FD9fyCZ9Bk8dvnl1tNYE03luBomy1GNE55c9jYgxw=
 k8s.io/client-go v0.0.0-20250508032644-996ce6af9b5e/go.mod h1:dvTAhQJ95EC+zjWHIb6bgrSGDNnmsN+CewryqZhfkZY=
 k8s.io/component-base v0.0.0-20250506232724-41c27b0c0716 h1:0LG0V3rheo9y8JjS/ctgwDV7nMwNSDYZrhVsnF14yjE=
--- a/pkg/admission/audit_test.go
+++ b/pkg/admission/audit_test.go
@ -144,7 +144,10 @@ func TestWithAudit(t *testing.T) {
 		var handler Interface = fakeHandler{tc.admit, tc.admitAnnotations, tc.validate, tc.validateAnnotations, tc.handles}
 		ctx := audit.WithAuditContext(context.Background())
 		ac := audit.AuditContextFrom(ctx)
-		ac.SetEventLevel(auditinternal.LevelMetadata)
+		if err := ac.Init(audit.RequestAuditConfig{Level: auditinternal.LevelMetadata}, nil); err != nil {
+			t.Fatal(err)
+		}
+
 		auditHandler := WithAudit(handler)
 		a := attributes()

@ -186,8 +189,6 @@ func TestWithAuditConcurrency(t *testing.T) {
 	}
 	var handler Interface = fakeHandler{admitAnnotations: admitAnnotations, handles: true}
 	ctx := audit.WithAuditContext(context.Background())
-	ac := audit.AuditContextFrom(ctx)
-	ac.SetEventLevel(auditinternal.LevelMetadata)
 	auditHandler := WithAudit(handler)
 	a := attributes()

--- a/pkg/audit/context.go
+++ b/pkg/audit/context.go
@ -46,8 +46,6 @@ type AuditContext struct {
 	// initialized indicates whether requestAuditConfig and sink have been populated and are safe to read unguarded.
 	// This should only be set via Init().
 	initialized atomic.Bool
-	// initialize wraps setting requestAuditConfig and sink, and is only called via Init().
-	initialize sync.Once
 	// requestAuditConfig is the audit configuration that applies to the request.
 	// This should only be written via Init(RequestAuditConfig, Sink), and only read when initialized.Load() is true.
 	requestAuditConfig RequestAuditConfig
@ -81,16 +79,15 @@ func (ac *AuditContext) Enabled() bool {
 }

 func (ac *AuditContext) Init(requestAuditConfig RequestAuditConfig, sink Sink) error {
-	initialized := false
-	ac.initialize.Do(func() {
-		ac.requestAuditConfig = requestAuditConfig
-		ac.sink = sink
-		ac.initialized.Store(true)
-		initialized = true
-	})
-	if !initialized {
+	ac.lock.Lock()
+	defer ac.lock.Unlock()
+	if ac.initialized.Load() {
 		return errors.New("audit context was already initialized")
 	}
+	ac.requestAuditConfig = requestAuditConfig
+	ac.sink = sink
+	ac.event.Level = requestAuditConfig.Level
+	ac.initialized.Store(true)
 	return nil
 }

@ -198,12 +195,6 @@ func (ac *AuditContext) GetEventLevel() auditinternal.Level {
 	return level
 }

-func (ac *AuditContext) SetEventLevel(level auditinternal.Level) {
-	ac.visitEvent(func(event *auditinternal.Event) {
-		event.Level = level
-	})
-}
-
 func (ac *AuditContext) SetEventStage(stage auditinternal.Stage) {
 	ac.visitEvent(func(event *auditinternal.Event) {
 		event.Stage = stage
--- a/pkg/audit/request.go
+++ b/pkg/audit/request.go
@ -40,7 +40,7 @@ const (
 	userAgentTruncateSuffix = "...TRUNCATED"
 )

-func LogRequestMetadata(ctx context.Context, req *http.Request, requestReceivedTimestamp time.Time, level auditinternal.Level, attribs authorizer.Attributes) {
+func LogRequestMetadata(ctx context.Context, req *http.Request, requestReceivedTimestamp time.Time, attribs authorizer.Attributes) {
 	ac := AuditContextFrom(ctx)
 	if !ac.Enabled() {
 		return
@ -51,7 +51,6 @@ func LogRequestMetadata(ctx context.Context, req *http.Request, requestReceivedT
 		ev.Verb = attribs.GetVerb()
 		ev.RequestURI = req.URL.RequestURI()
 		ev.UserAgent = maybeTruncateUserAgent(req)
-		ev.Level = level

 		ips := utilnet.SourceIPs(req)
 		ev.SourceIPs = make([]string, len(ips))
--- a/pkg/authentication/token/cache/cached_token_authenticator.go
+++ b/pkg/authentication/token/cache/cached_token_authenticator.go
@ -33,7 +33,6 @@ import (
 	"golang.org/x/sync/singleflight"

 	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	"k8s.io/apiserver/pkg/audit"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/warning"
@ -199,9 +198,6 @@ func (a *cachedTokenAuthenticator) doAuthenticateToken(ctx context.Context, toke

 		ctx = audit.WithAuditContext(ctx)
 		ac := audit.AuditContextFrom(ctx)
-		// since this is shared work between multiple requests, we have no way of knowing if any
-		// particular request supports audit annotations.  thus we always attempt to record them.
-		ac.SetEventLevel(auditinternal.LevelMetadata)

 		record.resp, record.ok, record.err = a.authenticator.AuthenticateToken(ctx, token)
 		record.annotations = ac.GetEventAnnotations()
--- a/pkg/authentication/token/cache/cached_token_authenticator_test.go
+++ b/pkg/authentication/token/cache/cached_token_authenticator_test.go
@ -35,7 +35,6 @@ import (

 	utilrand "k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/apimachinery/pkg/util/uuid"
-	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	"k8s.io/apiserver/pkg/audit"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
@ -546,8 +545,6 @@ func (s *singleBenchmark) bench(b *testing.B) {
 // extraction.
 func withAudit(ctx context.Context) context.Context {
 	ctx = audit.WithAuditContext(ctx)
-	ac := audit.AuditContextFrom(ctx)
-	ac.SetEventLevel(auditinternal.LevelMetadata)
 	return ctx
 }

--- a/pkg/endpoints/filters/audit.go
+++ b/pkg/endpoints/filters/audit.go
@ -142,7 +142,7 @@ func evaluatePolicyAndCreateAuditEvent(req *http.Request, policy audit.PolicyRul
 	if !ok {
 		requestReceivedTimestamp = time.Now()
 	}
-	audit.LogRequestMetadata(ctx, req, requestReceivedTimestamp, rac.Level, attribs)
+	audit.LogRequestMetadata(ctx, req, requestReceivedTimestamp, attribs)

 	return ac, nil
 }
--- a/pkg/endpoints/handlers/delete_test.go
+++ b/pkg/endpoints/handlers/delete_test.go
@ -34,7 +34,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apiserver/pkg/admission"
-	auditapis "k8s.io/apiserver/pkg/apis/audit"
+	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	"k8s.io/apiserver/pkg/audit"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
@ -74,7 +74,9 @@ func TestDeleteResourceAuditLogRequestObject(t *testing.T) {

 	ctx := audit.WithAuditContext(context.TODO())
 	ac := audit.AuditContextFrom(ctx)
-	ac.SetEventLevel(auditapis.LevelRequestResponse)
+	if err := ac.Init(audit.RequestAuditConfig{Level: auditinternal.LevelRequestResponse}, nil); err != nil {
+		t.Fatal(err)
+	}

 	policy := metav1.DeletePropagationBackground
 	deleteOption := &metav1.DeleteOptions{
--- a/pkg/util/x509metrics/server_cert_deprecations_test.go
+++ b/pkg/util/x509metrics/server_cert_deprecations_test.go
@ -30,7 +30,6 @@ import (
 	"testing"

 	"github.com/stretchr/testify/require"
-	auditapi "k8s.io/apiserver/pkg/apis/audit"
 	"k8s.io/apiserver/pkg/audit"
 	"k8s.io/component-base/metrics"
 	"k8s.io/component-base/metrics/testutil"
@ -247,7 +246,6 @@ func TestCheckForHostnameError(t *testing.T) {
 			}
 			req = req.WithContext(audit.WithAuditContext(req.Context()))
 			auditCtx := audit.AuditContextFrom(req.Context())
-			auditCtx.SetEventLevel(auditapi.LevelMetadata)

 			_, err = client.Transport.RoundTrip(req)

@ -390,7 +388,6 @@ func TestCheckForInsecureAlgorithmError(t *testing.T) {
 			}
 			req = req.WithContext(audit.WithAuditContext(req.Context()))
 			auditCtx := audit.AuditContextFrom(req.Context())
-			auditCtx.SetEventLevel(auditapi.LevelMetadata)

 			// can't use tlsServer.Client() as it contains the server certificate
 			// in tls.Config.Certificates. The signatures are, however, only checked