06a5d25846
move authorizers over to new interface
...
Kubernetes-commit: 12125455d84c75562e6dd6a183762549adff747f
2017-09-29 14:21:40 -07:00
f4dbe23125
update BUILD files
...
Kubernetes-commit: aee5f457dbfd70c2d15c33e392dce6a3ca710116
2017-10-12 13:52:10 -07:00
f7e881914a
support micro time for advanced audit
...
Kubernetes-commit: 817bc6954ca9af02013fd8f492f8ef865c217b0d
2017-09-25 11:56:30 +08:00
6959d4a79a
Fill in creationtimestamp in audit events
...
Kubernetes-commit: 3dd3e7aa5243228b49211f4bb40022a719cc57ac
2017-09-09 21:44:33 +00:00
5d22e67a97
enhance unit tests of advance audit feature
...
This change does three things:
1. use auditinternal for unit test in filter stage
2. add a seperate unit test for Audit-ID http header
3. add unit test for audit log backend
Kubernetes-commit: c030026b544da2dd7ef7201019bdc0ac255c2d23
2017-09-09 21:44:30 +00:00
4905dd9b0c
Provide a way to omit Event stages in audit policy
...
Updates https://github.com/kubernetes/kubernetes/issues/48561
This provide a way to omit some stages for each audit policy rule.
For example:
apiVersion: audit.k8s.io/v1beta1
kind: Policy
- level: Metadata
resources:
- group: "rbac.authorization.k8s.io"
resources: ["roles"]
omitStages:
- "RequestReceived"
RequestReceived stage will not be emitted to audit backends with
previous config.
Kubernetes-commit: 47ba91450fbe7d9002bfc9d4a48a73256252821f
2017-09-04 14:03:48 +00:00
9f885389e9
make url parsing in apiserver configurable
...
Kubernetes-commit: ccc7c9bdfa80caee93953a96dec0d689d93f08e5
2017-09-04 14:03:48 +00:00
3c2866020c
Switch audit output to v1beta1
...
Kubernetes-commit: f3487f08c6c2444adde9ba110263c9132769332b
2017-09-03 14:04:14 +00:00
d781318aca
audit real impersonated user info
...
Log the newest impersonated user info in the second audit event. This
will help users to debug rbac problems.
Kubernetes-commit: 1c3dc52531b7761921c8855cafc58b669da111f1
2017-09-03 14:04:13 +00:00
677d724b3a
Allow audit to log authorization failures
...
Kubernetes-commit: 9fef244d4ccce0ea8daf37ab86a7af4892d000cf
2017-09-03 14:04:12 +00:00
9ab155429e
Split APIVersion into APIGroup and APIVersion in audit events
...
audit.Event.ObjectRef.APIVersion currently holds both the the API group and
version, separated by a /. This change break these out into separate fields.
This is part of:
https://github.com/kubernetes/kubernetes/issues/48561
Kubernetes-commit: c57eebfe2f8d36361d510f0afd926777a44cccd2
2017-09-01 16:38:54 +00:00
81eb3429e7
remove useless argument "name"
...
Kubernetes-commit: 2e97611bc62b88c48777d6209a0ed28d17d0e52d
2017-08-29 13:16:16 +00:00
24b54db39e
run hack/update-all.sh
...
Kubernetes-commit: 0410221c3fec1a54cde05104b92e44e13cddc77a
2017-08-29 13:16:13 +00:00
3468d049a7
upgrade advanced audit to v1beta1
...
Kubernetes-commit: f4e8b8f1464e588306d5c1c4ffdc1a6cb1e9313b
2017-08-29 13:16:13 +00:00
6c539a43c6
Use buildozer to delete licenses() rules except under third_party/
...
Kubernetes-commit: a7f49c906df816123e7d4ccbd4cebab411519465
2017-08-29 13:15:24 +00:00
6caa2933ae
Use buildozer to remove deprecated automanaged tags
...
Kubernetes-commit: 33276f06be5e872bf53ca62a095fcf0a6b6c11a8
2017-08-29 13:15:24 +00:00
4ace90bfb4
Return Audit-Id http header for trouble shooting
...
Kubernetes-commit: 4a1e7ddaa6e0d2e92ce27d9846cfc8407e1fcb60
2017-08-29 13:14:38 +00:00
44942b068a
Run hack/update-bazel.sh to generate BUILD files
...
Kubernetes-commit: 3579017b865ddbc5449d6bba87346f086e4b93ff
2017-08-29 13:13:51 +00:00
aeff5f2a0a
add a regression test for Audit-ID http header
...
This change add a test for: https://github.com/kubernetes/kubernetes/pull/48492
Kubernetes-commit: a5df09ba89f4c010eed76ffd985895aa80de9845
2017-07-16 04:08:42 +00:00
8bc6800aeb
support json output for log backend of advanced audit
...
Kubernetes-commit: bc94370e9cbf3e54dc7dab1dbfc7404815eafb4c
2017-07-16 04:08:41 +00:00
276c240fae
Fix 401/403 apiserver errors do not return 'Status' objects
...
Kubernetes-commit: 3d6479f7216dcb61e56ab6dd53fad7176930645d
2017-07-05 23:59:23 +00:00
755b51396c
remove useless check from impersonation filter
...
When groupsSpecified is false, that means no other groups are added
rather than the service account groups. So this check doesn't make
any sense.
Kubernetes-commit: 0a1e24f31e5dc1a4f193a6d564ed06e2535b2830
2017-07-01 08:39:43 +00:00
8be42ee0d0
run hack/update-all
...
Kubernetes-commit: 60604f8818aecbc9c3736fbc32747cc0a535bc80
2017-06-28 00:14:31 +00:00
81b7aaaa7d
run root-rewrite-import-client-go-api-types
...
Kubernetes-commit: f2d3220a11111f86b2f481e70e3c1ca4f5896f44
2017-06-28 00:14:31 +00:00
c396142d93
[legacy audit] add response audit for hijack
...
Kubernetes-commit: 9212b0240de33344034c829f78a0f5c86aea6a0d
2017-06-13 20:47:32 +00:00
7e0854d484
test header removal for impersonation
...
Kubernetes-commit: 38c25393df7bddd8356126634d70aa333ca1ac3b
2017-06-13 20:47:32 +00:00
42b5738617
fix invalid status code for hijacker
...
When using hijacker to take over the connection, the http status code
should be 101 not 200.
PS:
Use "kubectl exec" as an example to review this change.
Kubernetes-commit: 541935b13f87e55199840a73cd3f158e7f0d7b63
2017-06-13 20:47:31 +00:00
89caee803d
update copyed doc for advanced audit
...
doc for WithAudit is copyed from WithLegacyAudit, it's out of date.
This change update doc for these two functions.
Kubernetes-commit: 82390af25083031e244107527fe5d9491ade937b
2017-06-13 20:47:30 +00:00
91a3addb8d
Instrument advanced auditing
...
Kubernetes-commit: b77c8198f002f9a9c7bdca11d28cac1710bbb185
2017-06-13 20:47:30 +00:00
a177d01bf0
audit: uniform 2 or 3 events for short/long running requests
...
Kubernetes-commit: 548f7be8fa10b6cbedcf179af088536e76a6c0e3
2017-06-13 20:47:29 +00:00
636c532e31
audit: fill in stage
...
Kubernetes-commit: 1e94185f4425551f1c81ba7bbdbae110bc317abd
2017-06-13 20:47:29 +00:00
a54d901fa7
Fix audit level none
...
Kubernetes-commit: 93e1e54e290325d82e41d50f64057323879bdef2
2017-06-13 20:47:29 +00:00
8ff532a4cb
Implement audit policy logic
...
Kubernetes-commit: a5de309ee261aea15bb1cc12647b32640c2ac196
2017-06-13 20:47:28 +00:00
94ea219615
Update bazel
...
Kubernetes-commit: 9fdc36a47ada0bc34ee53b68edd085d368ed9012
2017-06-13 20:47:28 +00:00
f7d766d92d
audit: add audit event to the context and fill in handlers
...
Kubernetes-commit: 0b5bcb021932355b3ff7c2b45fb579f4adad84bf
2017-06-13 20:47:28 +00:00
3ffeae2ff7
hack/update-bazel.sh
...
Kubernetes-commit: 14045d253d11c801ad94f0928cb9b13a224ee18f
2017-05-13 17:27:43 +00:00
e46eb82a82
remove invocation of k8s.io/client-go/pkg/api/install
...
change import of client-go/api/helper to kubernetes/api/helper
remove unnecessary use of client-go/api.registry
change use of client-go/pkg/util to kubernetes/pkg/util
remove dependency on client-go/pkg/apis/extensions
remove unnecessary invocation of k8s.io/client-go/extension/intsall
change use of k8s.io/client-go/pkg/apis/authentication to v1
Kubernetes-commit: c354076aa41e3cf417b291d5f0eff2b70395ac30
2017-05-13 17:27:42 +00:00
e84e32eaa5
remove references to client-go/pkg/api
...
Kubernetes-commit: d978f22e04519f6eecfde839110c398dc28d4e8e
2017-05-03 20:36:26 +00:00
ad7e6c7d72
Update basic audit filter's comment message
...
Kubernetes-commit: 267288249b0dac2e7ae60bd53bef2afe8a574c28
2017-04-24 20:36:05 +00:00
28f3b58b8b
Include system:authenticated group when impersonating
...
Kubernetes-commit: 86623ed2414d98d6ddc7f28028b88d17d8d8f6ec
2017-04-21 20:35:37 +00:00
fa06d09988
remove useless check in audit.go
...
Kubernetes-commit: 4b8abd811dbea5b92c807b64b427eab296567b1d
2017-04-18 20:35:41 +00:00
2aab760a2a
autogenerated
...
Kubernetes-commit: a05c3c0efdc5822049e34b1a5a1ee259c5fb1906
2017-04-15 20:35:23 +00:00
1e2d8fe122
remove cycle that snuck into tests
2017-02-23 09:48:09 -05:00
73c30cda7e
staging/src/*: run gofmt
2017-02-23 09:48:09 -05:00
a372fcad62
Mechanical fixup imports: pkg/genericapiserver
2017-02-13 07:36:41 -05:00
f3c3e07241
Mechanical move: pkg/genericapiserver -> k8s.io/apiserver
2017-02-13 07:36:41 -05:00
Mike Danese
Jeff Grafton
Cao Shufeng
Maciej Szulik
David Eads
Shiyang Wang
Chao Xu
Tim St. Clair
Dr. Stefan Schimanski
Jordan Liggitt
xilabao