This change does three things:
1. use auditinternal for unit test in filter stage
2. add a seperate unit test for Audit-ID http header
3. add unit test for audit log backend
Kubernetes-commit: c030026b544da2dd7ef7201019bdc0ac255c2d23
Updates https://github.com/kubernetes/kubernetes/issues/48561
This provide a way to omit some stages for each audit policy rule.
For example:
apiVersion: audit.k8s.io/v1beta1
kind: Policy
- level: Metadata
resources:
- group: "rbac.authorization.k8s.io"
resources: ["roles"]
omitStages:
- "RequestReceived"
RequestReceived stage will not be emitted to audit backends with
previous config.
Kubernetes-commit: 47ba91450fbe7d9002bfc9d4a48a73256252821f
Log the newest impersonated user info in the second audit event. This
will help users to debug rbac problems.
Kubernetes-commit: 1c3dc52531b7761921c8855cafc58b669da111f1
Add a feature gate in the apiserver to control whether paging can be
used. Add controls to the storage factory that allow it to be disabled
per resource. Use a JSON encoded continuation token that can be
versioned. Create a 410 error if the continuation token is expired.
Adds GetContinue() to ListMeta.
Kubernetes-commit: 8952a0cb722b77459cf2701632a30f5b264f5aba
- InstallHandler is the public interface through which all interaction
occurs.
- It is good to know whether the default ping is occurring to know due
to manual installation or automatic installation.
- It is good to know how many handlers are installed to see whether
code changes are taking effect.
- It is good to know the names of the handlers that are installed to
make sure that a handler a user thinks is installed is being
installed at runtime.
- Print all the checkers once
Kubernetes-commit: efa66227d4fbcfad9fec21755b898f5d10d3344c
audit.Event.ObjectRef.APIVersion currently holds both the the API group and
version, separated by a /. This change break these out into separate fields.
This is part of:
https://github.com/kubernetes/kubernetes/issues/48561
Kubernetes-commit: c57eebfe2f8d36361d510f0afd926777a44cccd2
policy:
- level: Metadata
resources:
- group: ""
resources ["pods/logs"]
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
The top level resource no longer matches the subresource. For example "pods"
no longer matches requests to the logs subresource on pods.
```release-note
Audit policy supports matching subresources and resource names, but the top level resource no longer matches the subresouce. For example "pods" no longer matches requests to the logs subresource of pods. Use "pods/logs" to match subresources.
```
Kubernetes-commit: 85491f1578b9b97751a332d3b957d874cecf27b3
update feature gates for generic apiserver
Add apiextensions-apiserver features to golint_failures
Ignore alpha feature if gate is disabled
Kubernetes-commit: 6ba1523a8e36c3121a9e08bfac7b4f342bb8ccb3
Before this change:
# kubectl get pods --as=tom
Error from server (Forbidden): pods "" is forbidden: User "tom" cannot list pods in the namespace "default".
After this change:
# kubectl get pods --as=tom
Error from server (Forbidden): pods is forbidden: User "tom" cannot list pods in the namespace "default".
Kubernetes-commit: ab0918673728fc50fc539017c86bbc03fceb0adc
Decouple finalizer processing from garbage collection configuration.
Finalizers should be effective even when garbage collection is disabled
for a given store.
Fixes https://github.com/kubernetes/kubernetes/issues/50528.
Kubernetes-commit: ed5b5bb94e7c75f22a7fc302e47dade6c0d1662d
Simplifies usage and consolidate the error message so it is always
the same everywhere.
Signed-off-by: Simo Sorce <simo@redhat.com>
Kubernetes-commit: 15c54ffa7750c3037f464933c2b678a9a94cea82
This is an error import by me:
https://github.com/kubernetes/kubernetes/pull/49115
We need to fuzz other parts of Event with random value, otherwise
this round trip test will not make too much sense.
@sttts @ericchiang
Kubernetes-commit: f2ec610455f3756afebfcbd99c108abc86a5015d
Adding myself as a reviewer for the following areas:
- API
- auth
- registry
- storage (etcd)
Signed-off-by: Monis Khan <mkhan@redhat.com>
Kubernetes-commit: dd06794bc20ef1e0889af576c7a4f7a2f607e49d
Dr. Stefan Schimanski