Merge pull request #113564 from tallclair/audit-config
Combine RequestAuditConfig with RequestAuditConfigWithLevel Kubernetes-commit: a8b2f4b6959857f940dbb7dc0218b3ec7a462eb1
commit
a57b416dc6
4
go.mod
4
go.mod
|
|
@ -43,7 +43,7 @@ require (
|
|||
gopkg.in/natefinch/lumberjack.v2 v2.0.0
|
||||
gopkg.in/square/go-jose.v2 v2.2.2
|
||||
k8s.io/api v0.0.0-20221207015603-ed9fa272abb9
|
||||
k8s.io/apimachinery v0.0.0-20221207014915-9bd0499e768a
|
||||
k8s.io/apimachinery v0.0.0-20221209232824-2e6c99af8b72
|
||||
k8s.io/client-go v0.0.0-20221207020356-6cbd19f22fe1
|
||||
k8s.io/component-base v0.0.0-20221207022911-5a27a217e76d
|
||||
k8s.io/klog/v2 v2.80.1
|
||||
|
|
@ -123,7 +123,7 @@ require (
|
|||
|
||||
replace (
|
||||
k8s.io/api => k8s.io/api v0.0.0-20221207015603-ed9fa272abb9
|
||||
k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20221207014915-9bd0499e768a
|
||||
k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20221209232824-2e6c99af8b72
|
||||
k8s.io/client-go => k8s.io/client-go v0.0.0-20221207020356-6cbd19f22fe1
|
||||
k8s.io/component-base => k8s.io/component-base v0.0.0-20221207022911-5a27a217e76d
|
||||
k8s.io/kms => k8s.io/kms v0.0.0-20221207023524-ba41d7b79a8d
|
||||
|
|
|
|||
4
go.sum
4
go.sum
|
|
@ -988,8 +988,8 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
|
|||
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
|
||||
k8s.io/api v0.0.0-20221207015603-ed9fa272abb9 h1:HLAJNDewiVFOPssbWj15wbBwf+hux5vvKmb/IPOYRA0=
|
||||
k8s.io/api v0.0.0-20221207015603-ed9fa272abb9/go.mod h1:vEl0AqSszI3xQA7JB97wMoYep+pWYIJ0q/Y02t23lBE=
|
||||
k8s.io/apimachinery v0.0.0-20221207014915-9bd0499e768a h1:fTLcpcQ80F7+fAF/GSC2IWZAD1V3NcOy4kO0kdDRujQ=
|
||||
k8s.io/apimachinery v0.0.0-20221207014915-9bd0499e768a/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74=
|
||||
k8s.io/apimachinery v0.0.0-20221209232824-2e6c99af8b72 h1:z8gl4KftM5LFWJyJ3D0+iGodkGpODLL55sSsZbf/A1Y=
|
||||
k8s.io/apimachinery v0.0.0-20221209232824-2e6c99af8b72/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74=
|
||||
k8s.io/client-go v0.0.0-20221207020356-6cbd19f22fe1 h1:9B050CQqaBS1G2H/dAO67XbJ30PE3s/yWVFefBB0Oak=
|
||||
k8s.io/client-go v0.0.0-20221207020356-6cbd19f22fe1/go.mod h1:Lk4W/cYdvdsKpRejBDyRXFIuPbmhqH+BqPqoO7BBNpE=
|
||||
k8s.io/component-base v0.0.0-20221207022911-5a27a217e76d h1:EFaKqZSBLxj6YLvdCsvv+Lj3XNtSR1C7I2qO5AGB0ow=
|
||||
|
|
|
|||
|
|
@ -25,6 +25,9 @@ import (
|
|||
// a given request. PolicyRuleEvaluator evaluates the audit policy against the
|
||||
// authorizer attributes and returns a RequestAuditConfig that applies to the request.
|
||||
type RequestAuditConfig struct {
|
||||
// Level at which the request is being audited at
|
||||
Level audit.Level
|
||||
|
||||
// OmitStages is the stages that need to be omitted from being audited.
|
||||
OmitStages []audit.Stage
|
||||
|
||||
|
|
@ -33,21 +36,10 @@ type RequestAuditConfig struct {
|
|||
OmitManagedFields bool
|
||||
}
|
||||
|
||||
// RequestAuditConfigWithLevel includes Level at which the request is being audited.
|
||||
// PolicyRuleEvaluator evaluates the audit configuration for a request
|
||||
// against the authorizer attributes and returns an RequestAuditConfigWithLevel
|
||||
// that applies to the request.
|
||||
type RequestAuditConfigWithLevel struct {
|
||||
RequestAuditConfig
|
||||
|
||||
// Level at which the request is being audited at
|
||||
Level audit.Level
|
||||
}
|
||||
|
||||
// PolicyRuleEvaluator exposes methods for evaluating the policy rules.
|
||||
type PolicyRuleEvaluator interface {
|
||||
// EvaluatePolicyRule evaluates the audit policy of the apiserver against
|
||||
// the given authorizer attributes and returns the audit configuration that
|
||||
// is applicable to the given equest.
|
||||
EvaluatePolicyRule(authorizer.Attributes) RequestAuditConfigWithLevel
|
||||
EvaluatePolicyRule(authorizer.Attributes) RequestAuditConfig
|
||||
}
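Review bot: The doc comment added to the Level field in the first hunk, `// Level at which the request is being audited at`, doubles the preposition; `// Level is the audit level at which the request is recorded.` reads cleanly. Since Level is now folded into RequestAuditConfig, the struct's zero value carries an unset Level, which (audit.Level being a string type, as far as I can tell) is not LevelNone, so it would help implementers of PolicyRuleEvaluator to state in the interface comment that EvaluatePolicyRule must always return an explicit Level. The unchanged context line `// is applicable to the given equest.` in the second hunk also has a typo ("request") that is worth fixing while this comment block is being rewritten.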
|
||||
|
|
|
|||
|
|
@ -61,25 +61,21 @@ type policyRuleEvaluator struct {
|
|||
audit.Policy
|
||||
}
|
||||
|
||||
func (p *policyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) auditinternal.RequestAuditConfigWithLevel {
|
||||
func (p *policyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) auditinternal.RequestAuditConfig {
|
||||
for _, rule := range p.Rules {
|
||||
if ruleMatches(&rule, attrs) {
|
||||
return auditinternal.RequestAuditConfigWithLevel{
|
||||
return auditinternal.RequestAuditConfig{
|
||||
Level: rule.Level,
|
||||
RequestAuditConfig: auditinternal.RequestAuditConfig{
|
||||
OmitStages: rule.OmitStages,
|
||||
OmitManagedFields: isOmitManagedFields(&rule, p.OmitManagedFields),
|
||||
},
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return auditinternal.RequestAuditConfigWithLevel{
|
||||
return auditinternal.RequestAuditConfig{
|
||||
Level: DefaultAuditLevel,
|
||||
RequestAuditConfig: auditinternal.RequestAuditConfig{
|
||||
OmitStages: p.OmitStages,
|
||||
OmitManagedFields: p.OmitManagedFields,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -235,11 +231,9 @@ type fakePolicyRuleEvaluator struct {
|
|||
stage []audit.Stage
|
||||
}
|
||||
|
||||
func (f *fakePolicyRuleEvaluator) EvaluatePolicyRule(_ authorizer.Attributes) auditinternal.RequestAuditConfigWithLevel {
|
||||
return auditinternal.RequestAuditConfigWithLevel{
|
||||
func (f *fakePolicyRuleEvaluator) EvaluatePolicyRule(_ authorizer.Attributes) auditinternal.RequestAuditConfig {
|
||||
return auditinternal.RequestAuditConfig{
|
||||
Level: f.level,
|
||||
RequestAuditConfig: auditinternal.RequestAuditConfig{
|
||||
OmitStages: f.stage,
|
||||
},
|
||||
}
|
||||
}
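Review bot: The new signature line of `policyRuleEvaluator.EvaluatePolicyRule` in the first hunk still has no doc comment, and the method's semantics are security-relevant: it returns on the first rule in p.Rules that matches attrs, so rule order decides the audit level, and only when nothing matches does it fall back to DefaultAuditLevel with the policy-wide OmitStages and OmitManagedFields. I would add `// EvaluatePolicyRule returns the audit configuration of the first rule in p.Rules matching attrs;` followed by `// if no rule matches, it returns DefaultAuditLevel with the policy-wide OmitStages and OmitManagedFields.`. The returned OmitStages is `rule.OmitStages` itself rather than a copy, so the comment should also say that callers must treat the slice as read-only, since mutating it would alter the loaded policy.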
|
||||
|
|
|
|||
|
|
@ -133,10 +133,10 @@ func evaluatePolicyAndCreateAuditEvent(req *http.Request, policy audit.PolicyRul
|
|||
return ac, fmt.Errorf("failed to GetAuthorizerAttributes: %v", err)
|
||||
}
|
||||
|
||||
ls := policy.EvaluatePolicyRule(attribs)
|
||||
audit.ObservePolicyLevel(ctx, ls.Level)
|
||||
ac.RequestAuditConfig = ls.RequestAuditConfig
|
||||
if ls.Level == auditinternal.LevelNone {
|
||||
rac := policy.EvaluatePolicyRule(attribs)
|
||||
audit.ObservePolicyLevel(ctx, rac.Level)
|
||||
ac.RequestAuditConfig = rac
|
||||
if rac.Level == auditinternal.LevelNone {
|
||||
// Don't audit.
|
||||
return ac, nil
|
||||
}
|
||||
|
|
@ -145,7 +145,7 @@ func evaluatePolicyAndCreateAuditEvent(req *http.Request, policy audit.PolicyRul
|
|||
if !ok {
|
||||
requestReceivedTimestamp = time.Now()
|
||||
}
|
||||
ev, err := audit.NewEventFromRequest(req, requestReceivedTimestamp, ls.Level, attribs)
|
||||
ev, err := audit.NewEventFromRequest(req, requestReceivedTimestamp, rac.Level, attribs)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to complete audit event from request: %v", err)
|
||||
}
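Review bot: The None check on the new `if rac.Level == auditinternal.LevelNone` line only short-circuits on an explicit LevelNone, so a PolicyRuleEvaluator that returns a zero-value RequestAuditConfig (Level unset) proceeds to ObservePolicyLevel and NewEventFromRequest with an empty level. Whether NewEventFromRequest rejects that is not visible here; if audit.Level is a string type, a guard placed before the None check such as `if rac.Level == "" { return ac, fmt.Errorf("audit policy evaluation returned no level") }` would fail closed, matching how the attribute lookup error is returned on the first line of the hunk, rather than emitting an event at an unknown level. The enclosing function evaluatePolicyAndCreateAuditEvent starts before this hunk.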
|
||||
|
|
|
|||
|
|
@ -780,10 +780,9 @@ func (a *fakeAudit) requestAudited(auditID string) bool {
|
|||
return exists
|
||||
}
|
||||
|
||||
func (a *fakeAudit) EvaluatePolicyRule(attrs authorizer.Attributes) audit.RequestAuditConfigWithLevel {
|
||||
return audit.RequestAuditConfigWithLevel{
|
||||
func (a *fakeAudit) EvaluatePolicyRule(attrs authorizer.Attributes) audit.RequestAuditConfig {
|
||||
return audit.RequestAuditConfig{
|
||||
Level: auditinternal.LevelMetadata,
|
||||
RequestAuditConfig: audit.RequestAuditConfig{},
|
||||
}
|
||||
}
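Review bot: The parameter `attrs` on the new `fakeAudit.EvaluatePolicyRule` signature is never read; naming it `_` as the fakePolicyRuleEvaluator fake in this change does (`EvaluatePolicyRule(_ authorizer.Attributes)`) makes the intent explicit and keeps the two fakes consistent. This appears to be test-only code, so the point is style, not behavior.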
|
||||
|
||||
|
|
|
|||