kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
7,400 Commits 30 Branches 1,482 Tags 31 MiB
Commit Graph

12 Commits

Author SHA1 Message Date
Tim Allclair 919e9045fa Combine RequestAuditConfig with RequestAuditConfigWithLevel 
Kubernetes-commit: 1a1ca5173ea0f6b06a74d4a26e694cff521a2f8e
 2022-11-02 15:23:48 -07:00
Abu Kashem 7afcd94ea2 apiserver: evaluate OmitManagedFields 
Kubernetes-commit: 7ea7c2029feb6e7ef2a50ecd179953812f45abbf
 2021-10-06 16:16:38 -04:00
Abu Kashem 0e3e7334bb apiserver: refactor PolicyRuleEvaluator to return a struct 
Kubernetes-commit: a748fdc6775c63b52a1a963e2332ac774890d2a9
 2021-09-20 17:44:11 -04:00
Abu Kashem 450b7e8f12 rename audit Checker interface 
Kubernetes-commit: 27f150351475adaef416bd893403e7066b70d33a
 2021-03-24 13:07:21 -04:00
Guangming Wang ab9ec5ee43 fix: replace TrimLeft with TrimPrefix and TrimRight with TrimSuffix 
Kubernetes-commit: 51b7ef2c87e3321668fedecbbc02c1a16357033d
 2019-12-02 21:27:15 +08:00
Cao Shufeng 01b15f1056 fix invalid match rules for advanced audit policy 
When users or groups are set in a rule, this rule should not match
attribute with unauthorized request where user and group are nil.

Kubernetes-commit: 9a7acaae1d5015886cc7c3bc46fc3d973045dc2a
 2018-02-06 14:05:57 +08:00
hzxuzhonghu a94f246093 audit support wildcard matching subresources 
Kubernetes-commit: 6e83d88be906c174ab3860eec70f2a4aec0ecb48
 2017-11-08 16:03:26 +08:00
Cao Shufeng d3301ca8d8 [advanced audit]add a policy wide omitStage 
Kubernetes-commit: d75c0f0e21af8229ed3147e9a798441221c03574
 2017-10-27 10:01:01 +08:00
Cao Shufeng 4905dd9b0c Provide a way to omit Event stages in audit policy 
Updates https://github.com/kubernetes/kubernetes/issues/48561
This provide a way to omit some stages for each audit policy rule.

For example:
  apiVersion: audit.k8s.io/v1beta1
  kind: Policy
  - level: Metadata
    resources:
       - group: "rbac.authorization.k8s.io"
         resources: ["roles"]
    omitStages:
      - "RequestReceived"

RequestReceived stage will not be emitted to audit backends with
previous config.

Kubernetes-commit: 47ba91450fbe7d9002bfc9d4a48a73256252821f
 2017-09-04 14:03:48 +00:00
Maciej Szulik 677d724b3a Allow audit to log authorization failures 
Kubernetes-commit: 9fef244d4ccce0ea8daf37ab86a7af4892d000cf
 2017-09-03 14:04:12 +00:00
Eric Chiang 1fa829c7c8 Audit policy v1beta1 now supports matching subresources and resource names. 
policy:
	- level: Metadata
	  resources:
	  - group: ""
	    resources ["pods/logs"]
	- level: None
	  resources:
	  - group: ""
	    resources: ["configmaps"]
	    resourceNames: ["controller-leader"]

The top level resource no longer matches the subresource. For example "pods"
no longer matches requests to the logs subresource on pods.

```release-note
Audit policy supports matching subresources and resource names, but the top level resource no longer matches the subresouce. For example "pods" no longer matches requests to the logs subresource of pods. Use "pods/logs" to match subresources.
```

Kubernetes-commit: 85491f1578b9b97751a332d3b957d874cecf27b3
 2017-09-01 16:38:01 +00:00
Tim St. Clair 8ff532a4cb Implement audit policy logic 
Kubernetes-commit: a5de309ee261aea15bb1cc12647b32640c2ac196
 2017-06-13 20:47:28 +00:00