kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
2,013 Commits 29 Branches 1,436 Tags 31 MiB
Commit Graph

53 Commits

Author SHA1 Message Date
David Eads 3aa496e8ef allow audit policy to be loaded from any byte source 
Kubernetes-commit: 5d46ff41d85a825d508d8c9ec32b90a27de18350
 2018-09-13 14:25:16 -04:00
Christoph Blecker 92e87e143a Update gofmt for go1.11 
Kubernetes-commit: 97b2992dc191a357e2167eff5035ce26237a4799
 2018-10-05 12:59:38 -07:00
Cao Shufeng b40373204e use Audit v1 api and add it to some unit tests 
Kubernetes-commit: 716dc87a1095027f9ab08ee59abfffab1d15ec29
 2018-07-27 14:06:29 +08:00
Cao Shufeng 28497af6f8 upgrade advanced Audit to stable 
Kubernetes-commit: 6d2c2ef1697aa2671358e383e258735eeb26e65c
 2018-07-06 13:35:20 +08:00
xuzhonghu bc8364d7ab Add String method to audit.Backend interface 
Kubernetes-commit: 416a478cf6e4ea2aaecf5108aade563c9fc3fc53
 2018-07-18 17:35:08 +08:00
Mikhail Mazurskiy 0f7bbcadfb Add missing error handling in schema-related code 
Kubernetes-commit: bfe313d5f351dfae086a85a97e7103183173e5b5
 2018-06-03 14:59:58 +10:00
xuzhonghu 895382e183 limit User-Agent max length 1024 and add ...TRUNCATED suffix 
Kubernetes-commit: f0b1f1c2f67877ddb2eceac5eb7c9c4ea22b4b6b
 2018-06-20 11:15:09 +08:00
xuzhonghu c739da1f02 logging user-agent in audit 
Kubernetes-commit: d066d547cce64a4f02bb05d718bc53fe71d06ad3
 2018-06-06 10:53:03 +08:00
Cao Shufeng 69b26e07a7 avoid duplicate status in audit events 
Fixes: https://github.com/kubernetes/kubernetes/issues/60108

Kubernetes-commit: 4d20c38c337525f8105969a582ce421f52d09c8e
 2018-04-25 10:13:51 +08:00
Kubernetes Publisher 627fa76a8b sync: initially remove files BUILD */BUILD BUILD.bazel */BUILD.bazel 2018-03-15 09:38:17 +00:00
Tim Allclair d89e8e9460 Fix default auditing options. 
- Log backend defaults to blocking mode (backwards compatability)
- Fix webhook validation
- Add options test

Kubernetes-commit: e004257919d779d56f27ad84c7f33799cc7ab580
 2018-03-02 15:16:37 -08:00
hzxuzhonghu 7fb69020af fix typo and remove inaccurate TODO 
Kubernetes-commit: d94925af8854031f1548466c655afd3119613785
 2018-02-23 09:27:37 +08:00
Jeff Grafton 1ab12b2dc8 Autogenerated: hack/update-bazel.sh 
Kubernetes-commit: ef56a8d6bb3800ab7803713eafc4191e8202ad6e
 2018-02-16 13:43:01 -08:00
Cao Shufeng 01b15f1056 fix invalid match rules for advanced audit policy 
When users or groups are set in a rule, this rule should not match
attribute with unauthorized request where user and group are nil.

Kubernetes-commit: 9a7acaae1d5015886cc7c3bc46fc3d973045dc2a
 2018-02-06 14:05:57 +08:00
hzxuzhonghu 5dc3326df1 add test case 
Kubernetes-commit: cc135e985ccde88ac662b33ef81dd71de3ad0520
 2017-11-08 16:20:16 +08:00
hzxuzhonghu a94f246093 audit support wildcard matching subresources 
Kubernetes-commit: 6e83d88be906c174ab3860eec70f2a4aec0ecb48
 2017-11-08 16:03:26 +08:00
Cao Shufeng d49980e0ed run hack/update-all.sh 
Kubernetes-commit: c512a078e92bcabcca01a83d0367aa8235562e12
 2018-01-26 10:32:48 +08:00
Cao Shufeng 8af8554968 add Annotations to audit event 
Kubernetes-commit: 97b0d99a33d71250bc7f967135c435e62343d9b8
 2018-01-08 12:00:33 +08:00
Cao Shufeng 2a2505e824 remove duplicated import 
Kubernetes-commit: 4e7398b67b12390486012dd6f9d708dd64f961f3
 2018-01-11 19:15:11 +08:00
Jeff Grafton c8a97ee31a Autogenerate BUILD files 
Kubernetes-commit: efee0704c60a2ee3049268a41535aaee7f661f6c
 2017-12-23 13:06:26 -08:00
Cao Shufeng d3301ca8d8 [advanced audit]add a policy wide omitStage 
Kubernetes-commit: d75c0f0e21af8229ed3147e9a798441221c03574
 2017-10-27 10:01:01 +08:00
Eric Chiang f3797a6c71 audit policy: reject audit policy files without apiVersion and kind 
Kubernetes-commit: fa40bc8f18f7c153910d048bbafefc430fe9bd11
 2017-10-19 17:27:29 -07:00
Jeff Grafton f4dbe23125 update BUILD files 
Kubernetes-commit: aee5f457dbfd70c2d15c33e392dce6a3ca710116
 2017-10-12 13:52:10 -07:00
Cao Shufeng f7e881914a support micro time for advanced audit 
Kubernetes-commit: 817bc6954ca9af02013fd8f492f8ef865c217b0d
 2017-09-25 11:56:30 +08:00
Kubernetes Publisher d7e7a0ab18 Update the test under audit policy 
Kubernetes-commit: ea1694eab1a1b251b31ce006cc48594a7eb05add
 2017-09-22 11:42:06 +00:00
Chao Wang 221a6a181e A policy with 0 rules should return an error 
Kubernetes-commit: 0ad4282fd0b31e1d12b711696efb134bdc2f83cc
 2017-09-09 21:44:32 +00:00
Cao Shufeng 4905dd9b0c Provide a way to omit Event stages in audit policy 
Updates https://github.com/kubernetes/kubernetes/issues/48561
This provide a way to omit some stages for each audit policy rule.

For example:
  apiVersion: audit.k8s.io/v1beta1
  kind: Policy
  - level: Metadata
    resources:
       - group: "rbac.authorization.k8s.io"
         resources: ["roles"]
    omitStages:
      - "RequestReceived"

RequestReceived stage will not be emitted to audit backends with
previous config.

Kubernetes-commit: 47ba91450fbe7d9002bfc9d4a48a73256252821f
 2017-09-04 14:03:48 +00:00
Cao Shufeng d781318aca audit real impersonated user info 
Log the newest impersonated user info in the second audit event. This
will help users to debug rbac problems.

Kubernetes-commit: 1c3dc52531b7761921c8855cafc58b669da111f1
 2017-09-03 14:04:13 +00:00
Maciej Szulik 677d724b3a Allow audit to log authorization failures 
Kubernetes-commit: 9fef244d4ccce0ea8daf37ab86a7af4892d000cf
 2017-09-03 14:04:12 +00:00
Cao Shufeng 9ab155429e Split APIVersion into APIGroup and APIVersion in audit events 
audit.Event.ObjectRef.APIVersion currently holds both the the API group and
version, separated by a /. This change break these out into separate fields.

This is part of:
https://github.com/kubernetes/kubernetes/issues/48561

Kubernetes-commit: c57eebfe2f8d36361d510f0afd926777a44cccd2
 2017-09-01 16:38:54 +00:00
Eric Chiang 1fa829c7c8 Audit policy v1beta1 now supports matching subresources and resource names. 
policy:
	- level: Metadata
	  resources:
	  - group: ""
	    resources ["pods/logs"]
	- level: None
	  resources:
	  - group: ""
	    resources: ["configmaps"]
	    resourceNames: ["controller-leader"]

The top level resource no longer matches the subresource. For example "pods"
no longer matches requests to the logs subresource on pods.

```release-note
Audit policy supports matching subresources and resource names, but the top level resource no longer matches the subresouce. For example "pods" no longer matches requests to the logs subresource of pods. Use "pods/logs" to match subresources.
```

Kubernetes-commit: 85491f1578b9b97751a332d3b957d874cecf27b3
 2017-09-01 16:38:01 +00:00
Cao Shufeng 24b54db39e run hack/update-all.sh 
Kubernetes-commit: 0410221c3fec1a54cde05104b92e44e13cddc77a
 2017-08-29 13:16:13 +00:00
Cao Shufeng 3468d049a7 upgrade advanced audit to v1beta1 
Kubernetes-commit: f4e8b8f1464e588306d5c1c4ffdc1a6cb1e9313b
 2017-08-29 13:16:13 +00:00
Mik Vyatskov 04aa1e08ec Implement batching audit webhook graceful shutdown 
Kubernetes-commit: 7798d32fc787d79da617914259d9285e558054f7
 2017-08-29 13:16:12 +00:00
Dr. Stefan Schimanski 86ef841256 apiservers: add synchronous shutdown mechanism on SIGTERM+INT 
Kubernetes-commit: 11b25366bc7bfe2ad273c8bf9c332fd9d233bffc
 2017-08-29 13:16:11 +00:00
Jeff Grafton 6c539a43c6 Use buildozer to delete licenses() rules except under third_party/ 
Kubernetes-commit: a7f49c906df816123e7d4ccbd4cebab411519465
 2017-08-29 13:15:24 +00:00
Jeff Grafton 6caa2933ae Use buildozer to remove deprecated automanaged tags 
Kubernetes-commit: 33276f06be5e872bf53ca62a095fcf0a6b6c11a8
 2017-08-29 13:15:24 +00:00
Jeff Grafton 44942b068a Run hack/update-bazel.sh to generate BUILD files 
Kubernetes-commit: 3579017b865ddbc5449d6bba87346f086e4b93ff
 2017-08-29 13:13:51 +00:00
Cao Shufeng d248b52a81 Fix Audit-ID header key 
Now http header key "Audit-ID" doesn't have effect, because golang
automaticly transforms "Audit-ID" into "Audit-Id". This change use
http.Header.Get() function to canonicalize "Audit-ID" to "Audit-Id".

Kubernetes-commit: f21bc7bb9a82378e8b24f72c66dfd23bc8113f20
 2017-07-06 23:56:07 +00:00
Cao Shufeng af4570c690 update events' ResponseStatus at Metadata level 
ResponseStatus is populated in MetadataLevel, so we also update it in
MetadataLevel.

Kubernetes-commit: b6abcacb38d5da7c70ea9f3e6f673c8beeb90092
 2017-07-04 08:39:44 +00:00
Tim St. Clair dc4be7ced9 s/count/total/ in audit prometheus metrics 
Kubernetes-commit: b34d6ab890d3d73b391a876125d1ea3141c54f1d
 2017-06-28 00:14:32 +00:00
Chao Xu 8be42ee0d0 run hack/update-all 
Kubernetes-commit: 60604f8818aecbc9c3736fbc32747cc0a535bc80
 2017-06-28 00:14:31 +00:00
Chao Xu 81b7aaaa7d run root-rewrite-import-client-go-api-types 
Kubernetes-commit: f2d3220a11111f86b2f481e70e3c1ca4f5896f44
 2017-06-28 00:14:31 +00:00
Tim St. Clair 64014c6e25 audit: Fill in full ObjectRef, include in LevelMetadata 
Kubernetes-commit: 28beb4572e676b9073f400fb6ccf2720381a41d0
 2017-06-14 20:44:08 +00:00
Cao Shufeng 9b573e7060 Remove extra empty lines from log 
remove extra "\n" from Everything()

Kubernetes-commit: 3816b6fde565720ac09177d30fb63d718dca8692
 2017-06-13 20:47:33 +00:00
Tim St. Clair 91a3addb8d Instrument advanced auditing 
Kubernetes-commit: b77c8198f002f9a9c7bdca11d28cac1710bbb185
 2017-06-13 20:47:30 +00:00
Cao Shufeng df4801fa4e empty audit policy file is legal configuration 
Empty audit policy file or policy file contains only comments means
using default audit level for all requests.

Kubernetes-commit: b6b2a30e830cc362c41ec1014ed9f3ef3535f93b
 2017-06-13 20:47:30 +00:00
Eric Chiang be1a712a68 apiserver: add a webhook implementation of the audit backend 
Kubernetes-commit: a88e0187f9f6083ed68d18e939a776c44c728e4b
 2017-06-13 20:47:30 +00:00
Dr. Stefan Schimanski 8b776edc46 audit: fill in sub-resource 
Kubernetes-commit: 019003b9266872f912b188708583141a34561007
 2017-06-13 20:47:29 +00:00
Tim St. Clair 8ff532a4cb Implement audit policy logic 
Kubernetes-commit: a5de309ee261aea15bb1cc12647b32640c2ac196
 2017-06-13 20:47:28 +00:00