fixes kubeadm 1221 to remove AuditPolicyConfiguration

Added conversion test and failure.

cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go

@@ -30,7 +30,6 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} {
 	return []interface{}{
 		fuzzInitConfiguration,
 		fuzzClusterConfiguration,
-		fuzzAuditPolicyConfiguration,
 		fuzzComponentConfigs,
 		fuzzNodeRegistration,
 		fuzzDNS,
@@ -55,10 +54,6 @@ func fuzzInitConfiguration(obj *kubeadm.InitConfiguration, c fuzz.Continue) {
 				Duration: constants.DefaultControlPlaneTimeout,
 			},
 		},
-		AuditPolicyConfiguration: kubeadm.AuditPolicyConfiguration{
-			LogDir:    constants.StaticPodAuditPolicyLogDir,
-			LogMaxAge: &v1beta1.DefaultAuditPolicyLogMaxAge,
-		},
 		DNS: kubeadm.DNS{
 			Type: kubeadm.CoreDNS,
 		},
@@ -118,14 +113,6 @@ func fuzzDNS(obj *kubeadm.DNS, c fuzz.Continue) {
 	obj.Type = kubeadm.CoreDNS
 }
 
-func fuzzAuditPolicyConfiguration(obj *kubeadm.AuditPolicyConfiguration, c fuzz.Continue) {
-	c.FuzzNoCustom(obj)
-
-	// Pinning values for fields that get defaults if fuzz value is empty string or nil (thus making the round trip test fail)
-	obj.LogDir = "foo"
-	obj.LogMaxAge = new(int32)
-}
-
 func fuzzComponentConfigs(obj *kubeadm.ComponentConfigs, c fuzz.Continue) {
 	// This is intentionally empty because component config does not exists in the public api
 	// (empty mean all ComponentConfigs fields nil, and this is necessary for getting roundtrip passing)

cmd/kubeadm/app/apis/kubeadm/types.go

@@ -115,9 +115,6 @@ type ClusterConfiguration struct {
 	// UseHyperKubeImage controls if hyperkube should be used for Kubernetes components instead of their respective separate images
 	UseHyperKubeImage bool
 
-	// AuditPolicyConfiguration defines the options for the api server audit system.
-	AuditPolicyConfiguration AuditPolicyConfiguration
-
 	// FeatureGates enabled by the user.
 	FeatureGates map[string]bool
 
@@ -418,17 +415,6 @@ type HostPathMount struct {
 	PathType v1.HostPathType
 }
 
-// AuditPolicyConfiguration holds the options for configuring the api server audit policy.
-type AuditPolicyConfiguration struct {
-	// Path is the local path to an audit policy.
-	Path string
-	// LogDir is the local path to the directory where logs should be stored.
-	LogDir string
-	// LogMaxAge is the number of days logs will be stored for. 0 indicates forever.
-	LogMaxAge *int32
-	//TODO(chuckha) add other options for audit policy.
-}
-
 // CommonConfiguration defines the list of common configuration elements and the getter
 // methods that must exist for both the InitConfiguration and JoinConfiguration objects.
 // This is used internally to deduplicate the kubeadm preflight checks.

cmd/kubeadm/app/apis/kubeadm/v1alpha3/conversion.go

@@ -129,6 +129,10 @@ func Convert_v1alpha3_ClusterConfiguration_To_kubeadm_ClusterConfiguration(in *C
 		return err
 	}
 
+	if len(in.AuditPolicyConfiguration.Path) > 0 {
+		return errors.New("AuditPolicyConfiguration has been removed from ClusterConfiguration. Please cleanup ClusterConfiguration.AuditPolicyConfiguration fields")
+	}
+
 	out.APIServer.ExtraArgs = in.APIServerExtraArgs
 	out.APIServer.CertSANs = in.APIServerCertSANs
 	out.APIServer.TimeoutForControlPlane = &metav1.Duration{

cmd/kubeadm/app/apis/kubeadm/v1alpha3/conversion_test.go

@@ -56,6 +56,35 @@ func TestJoinConfigurationConversion(t *testing.T) {
 	}
 }
 
+func TestInitConfigurationConversion(t *testing.T) {
+	testcases := map[string]struct {
+		old         *InitConfiguration
+		expectedErr bool
+	}{
+		"conversion succeeds": {
+			old:         &InitConfiguration{},
+			expectedErr: false,
+		},
+		"feature gates fails to be converted": {
+			old: &InitConfiguration{
+				ClusterConfiguration: ClusterConfiguration{
+					AuditPolicyConfiguration: AuditPolicyConfiguration{
+						Path: "test",
+					},
+				},
+			},
+			expectedErr: true,
+		},
+	}
+	for _, tc := range testcases {
+		internal := &kubeadm.InitConfiguration{}
+		err := Convert_v1alpha3_InitConfiguration_To_kubeadm_InitConfiguration(tc.old, internal, nil)
+		if (err != nil) != tc.expectedErr {
+			t.Errorf("no error was expected but '%s' was found", err)
+		}
+	}
+}
+
 func TestConvertToUseHyperKubeImage(t *testing.T) {
 	tests := []struct {
 		desc              string

cmd/kubeadm/app/apis/kubeadm/v1alpha3/zz_generated.conversion.go

@@ -47,16 +47,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*AuditPolicyConfiguration)(nil), (*kubeadm.AuditPolicyConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(a.(*AuditPolicyConfiguration), b.(*kubeadm.AuditPolicyConfiguration), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*kubeadm.AuditPolicyConfiguration)(nil), (*AuditPolicyConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration(a.(*kubeadm.AuditPolicyConfiguration), b.(*AuditPolicyConfiguration), scope)
-	}); err != nil {
-		return err
-	}
 	if err := s.AddGeneratedConversionFunc((*BootstrapToken)(nil), (*kubeadm.BootstrapToken)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha3_BootstrapToken_To_kubeadm_BootstrapToken(a.(*BootstrapToken), b.(*kubeadm.BootstrapToken), scope)
 	}); err != nil {
@@ -252,30 +242,6 @@ func Convert_kubeadm_APIEndpoint_To_v1alpha3_APIEndpoint(in *kubeadm.APIEndpoint
 	return autoConvert_kubeadm_APIEndpoint_To_v1alpha3_APIEndpoint(in, out, s)
 }
 
-func autoConvert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in *AuditPolicyConfiguration, out *kubeadm.AuditPolicyConfiguration, s conversion.Scope) error {
-	out.Path = in.Path
-	out.LogDir = in.LogDir
-	out.LogMaxAge = (*int32)(unsafe.Pointer(in.LogMaxAge))
-	return nil
-}
-
-// Convert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration is an autogenerated conversion function.
-func Convert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in *AuditPolicyConfiguration, out *kubeadm.AuditPolicyConfiguration, s conversion.Scope) error {
-	return autoConvert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in, out, s)
-}
-
-func autoConvert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration(in *kubeadm.AuditPolicyConfiguration, out *AuditPolicyConfiguration, s conversion.Scope) error {
-	out.Path = in.Path
-	out.LogDir = in.LogDir
-	out.LogMaxAge = (*int32)(unsafe.Pointer(in.LogMaxAge))
-	return nil
-}
-
-// Convert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration is an autogenerated conversion function.
-func Convert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration(in *kubeadm.AuditPolicyConfiguration, out *AuditPolicyConfiguration, s conversion.Scope) error {
-	return autoConvert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration(in, out, s)
-}
-
 func autoConvert_v1alpha3_BootstrapToken_To_kubeadm_BootstrapToken(in *BootstrapToken, out *kubeadm.BootstrapToken, s conversion.Scope) error {
 	out.Token = (*kubeadm.BootstrapTokenString)(unsafe.Pointer(in.Token))
 	out.Description = in.Description
@@ -347,9 +313,7 @@ func autoConvert_v1alpha3_ClusterConfiguration_To_kubeadm_ClusterConfiguration(i
 	out.CertificatesDir = in.CertificatesDir
 	out.ImageRepository = in.ImageRepository
 	// WARNING: in.UnifiedControlPlaneImage requires manual conversion: does not exist in peer-type
-	if err := Convert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(&in.AuditPolicyConfiguration, &out.AuditPolicyConfiguration, s); err != nil {
+	// WARNING: in.AuditPolicyConfiguration requires manual conversion: does not exist in peer-type
-		return err
-	}
 	out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
 	out.ClusterName = in.ClusterName
 	return nil
@@ -373,9 +337,6 @@ func autoConvert_kubeadm_ClusterConfiguration_To_v1alpha3_ClusterConfiguration(i
 	out.ImageRepository = in.ImageRepository
 	// INFO: in.CIImageRepository opted out of conversion generation
 	// WARNING: in.UseHyperKubeImage requires manual conversion: does not exist in peer-type
-	if err := Convert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration(&in.AuditPolicyConfiguration, &out.AuditPolicyConfiguration, s); err != nil {
-		return err
-	}
 	out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
 	out.ClusterName = in.ClusterName
 	return nil

cmd/kubeadm/app/apis/kubeadm/v1beta1/defaults.go

@@ -101,7 +101,6 @@ func SetDefaults_ClusterConfiguration(obj *ClusterConfiguration) {
 
 	SetDefaults_DNS(obj)
 	SetDefaults_Etcd(obj)
-	SetDefaults_AuditPolicyConfiguration(obj)
 	SetDefaults_APIServer(&obj.APIServer)
 }
 
@@ -184,16 +183,6 @@ func SetDefaults_FileDiscovery(obj *FileDiscovery) {
 	}
 }
 
-// SetDefaults_AuditPolicyConfiguration sets default values for the AuditPolicyConfiguration
-func SetDefaults_AuditPolicyConfiguration(obj *ClusterConfiguration) {
-	if obj.AuditPolicyConfiguration.LogDir == "" {
-		obj.AuditPolicyConfiguration.LogDir = constants.StaticPodAuditPolicyLogDir
-	}
-	if obj.AuditPolicyConfiguration.LogMaxAge == nil {
-		obj.AuditPolicyConfiguration.LogMaxAge = &DefaultAuditPolicyLogMaxAge
-	}
-}
-
 // SetDefaults_BootstrapTokens sets the defaults for the .BootstrapTokens field
 // If the slice is empty, it's defaulted with one token. Otherwise it just loops
 // through the slice and sets the defaults for the omitempty fields that are TTL,

cmd/kubeadm/app/apis/kubeadm/v1beta1/types.go

@@ -106,9 +106,6 @@ type ClusterConfiguration struct {
 	// UseHyperKubeImage controls if hyperkube should be used for Kubernetes components instead of their respective separate images
 	UseHyperKubeImage bool `json:"useHyperKubeImage,omitempty"`
 
-	// AuditPolicyConfiguration defines the options for the api server audit system
-	AuditPolicyConfiguration AuditPolicyConfiguration `json:"auditPolicy"`
-
 	// FeatureGates enabled by the user.
 	FeatureGates map[string]bool `json:"featureGates,omitempty"`
 
@@ -384,14 +381,3 @@ type HostPathMount struct {
 	// PathType is the type of the HostPath.
 	PathType v1.HostPathType `json:"pathType,omitempty"`
 }
-
-// AuditPolicyConfiguration holds the options for configuring the api server audit policy.
-type AuditPolicyConfiguration struct {
-	// Path is the local path to an audit policy.
-	Path string `json:"path"`
-	// LogDir is the local path to the directory where logs should be stored.
-	LogDir string `json:"logDir"`
-	// LogMaxAge is the number of days logs will be stored for. 0 indicates forever.
-	LogMaxAge *int32 `json:"logMaxAge,omitempty"`
-	//TODO(chuckha) add other options for audit policy.
-}

cmd/kubeadm/app/apis/kubeadm/v1beta1/zz_generated.conversion.go

@@ -57,16 +57,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*AuditPolicyConfiguration)(nil), (*kubeadm.AuditPolicyConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(a.(*AuditPolicyConfiguration), b.(*kubeadm.AuditPolicyConfiguration), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*kubeadm.AuditPolicyConfiguration)(nil), (*AuditPolicyConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration(a.(*kubeadm.AuditPolicyConfiguration), b.(*AuditPolicyConfiguration), scope)
-	}); err != nil {
-		return err
-	}
 	if err := s.AddGeneratedConversionFunc((*BootstrapToken)(nil), (*kubeadm.BootstrapToken)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1beta1_BootstrapToken_To_kubeadm_BootstrapToken(a.(*BootstrapToken), b.(*kubeadm.BootstrapToken), scope)
 	}); err != nil {
@@ -310,30 +300,6 @@ func Convert_kubeadm_APIServer_To_v1beta1_APIServer(in *kubeadm.APIServer, out *
 	return autoConvert_kubeadm_APIServer_To_v1beta1_APIServer(in, out, s)
 }
 
-func autoConvert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in *AuditPolicyConfiguration, out *kubeadm.AuditPolicyConfiguration, s conversion.Scope) error {
-	out.Path = in.Path
-	out.LogDir = in.LogDir
-	out.LogMaxAge = (*int32)(unsafe.Pointer(in.LogMaxAge))
-	return nil
-}
-
-// Convert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration is an autogenerated conversion function.
-func Convert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in *AuditPolicyConfiguration, out *kubeadm.AuditPolicyConfiguration, s conversion.Scope) error {
-	return autoConvert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in, out, s)
-}
-
-func autoConvert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration(in *kubeadm.AuditPolicyConfiguration, out *AuditPolicyConfiguration, s conversion.Scope) error {
-	out.Path = in.Path
-	out.LogDir = in.LogDir
-	out.LogMaxAge = (*int32)(unsafe.Pointer(in.LogMaxAge))
-	return nil
-}
-
-// Convert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration is an autogenerated conversion function.
-func Convert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration(in *kubeadm.AuditPolicyConfiguration, out *AuditPolicyConfiguration, s conversion.Scope) error {
-	return autoConvert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration(in, out, s)
-}
-
 func autoConvert_v1beta1_BootstrapToken_To_kubeadm_BootstrapToken(in *BootstrapToken, out *kubeadm.BootstrapToken, s conversion.Scope) error {
 	out.Token = (*kubeadm.BootstrapTokenString)(unsafe.Pointer(in.Token))
 	out.Description = in.Description
@@ -436,9 +402,6 @@ func autoConvert_v1beta1_ClusterConfiguration_To_kubeadm_ClusterConfiguration(in
 	out.CertificatesDir = in.CertificatesDir
 	out.ImageRepository = in.ImageRepository
 	out.UseHyperKubeImage = in.UseHyperKubeImage
-	if err := Convert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(&in.AuditPolicyConfiguration, &out.AuditPolicyConfiguration, s); err != nil {
-		return err
-	}
 	out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
 	out.ClusterName = in.ClusterName
 	return nil
@@ -475,9 +438,6 @@ func autoConvert_kubeadm_ClusterConfiguration_To_v1beta1_ClusterConfiguration(in
 	out.ImageRepository = in.ImageRepository
 	// INFO: in.CIImageRepository opted out of conversion generation
 	out.UseHyperKubeImage = in.UseHyperKubeImage
-	if err := Convert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration(&in.AuditPolicyConfiguration, &out.AuditPolicyConfiguration, s); err != nil {
-		return err
-	}
 	out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
 	out.ClusterName = in.ClusterName
 	return nil

cmd/kubeadm/app/apis/kubeadm/v1beta1/zz_generated.deepcopy.go

@@ -69,27 +69,6 @@ func (in *APIServer) DeepCopy() *APIServer {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AuditPolicyConfiguration) DeepCopyInto(out *AuditPolicyConfiguration) {
-	*out = *in
-	if in.LogMaxAge != nil {
-		in, out := &in.LogMaxAge, &out.LogMaxAge
-		*out = new(int32)
-		**out = **in
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditPolicyConfiguration.
-func (in *AuditPolicyConfiguration) DeepCopy() *AuditPolicyConfiguration {
-	if in == nil {
-		return nil
-	}
-	out := new(AuditPolicyConfiguration)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BootstrapToken) DeepCopyInto(out *BootstrapToken) {
 	*out = *in
@@ -177,7 +156,6 @@ func (in *ClusterConfiguration) DeepCopyInto(out *ClusterConfiguration) {
 	in.ControllerManager.DeepCopyInto(&out.ControllerManager)
 	in.Scheduler.DeepCopyInto(&out.Scheduler)
 	out.DNS = in.DNS
-	in.AuditPolicyConfiguration.DeepCopyInto(&out.AuditPolicyConfiguration)
 	if in.FeatureGates != nil {
 		in, out := &in.FeatureGates, &out.FeatureGates
 		*out = make(map[string]bool, len(*in))

cmd/kubeadm/app/apis/kubeadm/zz_generated.deepcopy.go

@@ -71,27 +71,6 @@ func (in *APIServer) DeepCopy() *APIServer {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AuditPolicyConfiguration) DeepCopyInto(out *AuditPolicyConfiguration) {
-	*out = *in
-	if in.LogMaxAge != nil {
-		in, out := &in.LogMaxAge, &out.LogMaxAge
-		*out = new(int32)
-		**out = **in
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditPolicyConfiguration.
-func (in *AuditPolicyConfiguration) DeepCopy() *AuditPolicyConfiguration {
-	if in == nil {
-		return nil
-	}
-	out := new(AuditPolicyConfiguration)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BootstrapToken) DeepCopyInto(out *BootstrapToken) {
 	*out = *in
@@ -180,7 +159,6 @@ func (in *ClusterConfiguration) DeepCopyInto(out *ClusterConfiguration) {
 	in.ControllerManager.DeepCopyInto(&out.ControllerManager)
 	in.Scheduler.DeepCopyInto(&out.Scheduler)
 	out.DNS = in.DNS
-	in.AuditPolicyConfiguration.DeepCopyInto(&out.AuditPolicyConfiguration)
 	if in.FeatureGates != nil {
 		in, out := &in.FeatureGates, &out.FeatureGates
 		*out = make(map[string]bool, len(*in))

cmd/kubeadm/app/cmd/phases/BUILD

@@ -43,7 +43,6 @@ go_library(
         "//cmd/kubeadm/app/preflight:go_default_library",
         "//cmd/kubeadm/app/util:go_default_library",
         "//cmd/kubeadm/app/util/apiclient:go_default_library",
-        "//cmd/kubeadm/app/util/audit:go_default_library",
         "//cmd/kubeadm/app/util/config:go_default_library",
         "//cmd/kubeadm/app/util/dryrun:go_default_library",
         "//cmd/kubeadm/app/util/kubeconfig:go_default_library",

cmd/kubeadm/app/cmd/phases/controlplane.go

@@ -19,16 +19,11 @@ package phases
 import (
 	"errors"
 	"fmt"
-	"os"
-	"path/filepath"
-
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 	"k8s.io/kubernetes/cmd/kubeadm/app/cmd/options"
 	"k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/workflow"
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
-	"k8s.io/kubernetes/cmd/kubeadm/app/features"
 	"k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane"
-	auditutil "k8s.io/kubernetes/cmd/kubeadm/app/util/audit"
 	"k8s.io/kubernetes/pkg/util/normalizer"
 )
 
@@ -145,22 +140,6 @@ func runControlPlaneSubPhase(component string) func(c workflow.RunData) error {
 		}
 		cfg := data.Cfg()
 
-		// special case to handle audit policy for the API server
-		if component == kubeadmconstants.KubeAPIServer && features.Enabled(cfg.FeatureGates, features.Auditing) {
-			// Setup the AuditPolicy (either it was passed in and exists or it wasn't passed in and generate a default policy)
-			if cfg.AuditPolicyConfiguration.Path != "" {
-				// TODO(chuckha) ensure passed in audit policy is valid so users don't have to find the error in the api server log.
-				if _, err := os.Stat(cfg.AuditPolicyConfiguration.Path); err != nil {
-					return fmt.Errorf("error getting file info for audit policy file %q [%v]", cfg.AuditPolicyConfiguration.Path, err)
-				}
-			} else {
-				cfg.AuditPolicyConfiguration.Path = filepath.Join(data.KubeConfigDir(), kubeadmconstants.AuditPolicyDir, kubeadmconstants.AuditPolicyFile)
-				if err := auditutil.CreateDefaultAuditLogPolicy(cfg.AuditPolicyConfiguration.Path); err != nil {
-					return fmt.Errorf("error creating default audit policy %q [%v]", cfg.AuditPolicyConfiguration.Path, err)
-				}
-			}
-		}
-
 		fmt.Printf("[control-plane] Creating static Pod manifest for %q\n", component)
 		if err := controlplane.CreateStaticPodFiles(data.ManifestDir(), cfg, component); err != nil {
 			return err

cmd/kubeadm/app/cmd/upgrade/common_test.go

@@ -48,9 +48,6 @@ func TestPrintConfiguration(t *testing.T) {
 			expectedBytes: []byte(`[upgrade/config] Configuration used:
 	apiServer: {}
 	apiVersion: kubeadm.k8s.io/v1beta1
-	auditPolicy:
-	  logDir: ""
-	  path: ""
 	certificatesDir: ""
 	controlPlaneEndpoint: ""
 	controllerManager: {}
@@ -87,9 +84,6 @@ func TestPrintConfiguration(t *testing.T) {
 			expectedBytes: []byte(`[upgrade/config] Configuration used:
 	apiServer: {}
 	apiVersion: kubeadm.k8s.io/v1beta1
-	auditPolicy:
-	  logDir: ""
-	  path: ""
 	certificatesDir: ""
 	controlPlaneEndpoint: ""
 	controllerManager: {}

cmd/kubeadm/app/features/features.go

@@ -34,9 +34,6 @@ const (
 
 	// DynamicKubeletConfig is beta in v1.11
 	DynamicKubeletConfig = "DynamicKubeletConfig"
-
-	// Auditing is beta in 1.8
-	Auditing = "Auditing"
 )
 
 var coreDNSMessage = "featureGates:CoreDNS has been removed in v1.13\n" +
@@ -46,7 +43,6 @@ var coreDNSMessage = "featureGates:CoreDNS has been removed in v1.13\n" +
 var InitFeatureGates = FeatureList{
 	CoreDNS:              {FeatureSpec: utilfeature.FeatureSpec{Default: true, PreRelease: utilfeature.Deprecated}, HiddenInHelpText: true, DeprecationMessage: coreDNSMessage},
 	DynamicKubeletConfig: {FeatureSpec: utilfeature.FeatureSpec{Default: false, PreRelease: utilfeature.Beta}},
-	Auditing:             {FeatureSpec: utilfeature.FeatureSpec{Default: false, PreRelease: utilfeature.Alpha}},
 }
 
 // Feature represents a feature being gated

cmd/kubeadm/app/phases/controlplane/BUILD

@@ -23,7 +23,6 @@ go_test(
         "//staging/src/k8s.io/api/core/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/version:go_default_library",
-        "//vendor/k8s.io/utils/pointer:go_default_library",
     ],
 )
 
@@ -36,7 +35,6 @@ go_library(
     importpath = "k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane",
     deps = [
         "//cmd/kubeadm/app/apis/kubeadm:go_default_library",
-        "//cmd/kubeadm/app/apis/kubeadm/v1beta1:go_default_library",
         "//cmd/kubeadm/app/constants:go_default_library",
         "//cmd/kubeadm/app/features:go_default_library",
         "//cmd/kubeadm/app/images:go_default_library",

cmd/kubeadm/app/phases/controlplane/manifests.go

@@ -29,7 +29,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/klog"
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
-	kubeadmapiv1beta1 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta1"
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	"k8s.io/kubernetes/cmd/kubeadm/app/features"
 	"k8s.io/kubernetes/cmd/kubeadm/app/images"
@@ -179,15 +178,6 @@ func getAPIServerCommand(cfg *kubeadmapi.InitConfiguration) []string {
 		defaultArguments["feature-gates"] = "DynamicKubeletConfig=true"
 	}
 
-	if features.Enabled(cfg.FeatureGates, features.Auditing) {
-		defaultArguments["audit-policy-file"] = kubeadmconstants.GetStaticPodAuditPolicyFile()
-		defaultArguments["audit-log-path"] = filepath.Join(kubeadmconstants.StaticPodAuditPolicyLogDir, kubeadmconstants.AuditPolicyLogFile)
-		if cfg.AuditPolicyConfiguration.LogMaxAge == nil {
-			defaultArguments["audit-log-maxage"] = fmt.Sprintf("%d", kubeadmapiv1beta1.DefaultAuditPolicyLogMaxAge)
-		} else {
-			defaultArguments["audit-log-maxage"] = fmt.Sprintf("%d", *cfg.AuditPolicyConfiguration.LogMaxAge)
-		}
-	}
 	if cfg.APIServer.ExtraArgs == nil {
 		cfg.APIServer.ExtraArgs = map[string]string{}
 	}

cmd/kubeadm/app/phases/controlplane/manifests_test.go

@@ -34,7 +34,6 @@ import (
 	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 
 	testutil "k8s.io/kubernetes/cmd/kubeadm/test"
-	utilpointer "k8s.io/utils/pointer"
 )
 
 const (
@@ -189,11 +188,6 @@ func TestGetAPIServerCommand(t *testing.T) {
 				ClusterConfiguration: kubeadmapi.ClusterConfiguration{
 					Networking:      kubeadmapi.Networking{ServiceSubnet: "bar"},
 					CertificatesDir: testCertsDir,
-					AuditPolicyConfiguration: kubeadmapi.AuditPolicyConfiguration{
-						Path:      "/foo/bar",
-						LogDir:    "/foo/baz",
-						LogMaxAge: utilpointer.Int32Ptr(10),
-					},
 				},
 			},
 			expected: []string{
@@ -353,52 +347,6 @@ func TestGetAPIServerCommand(t *testing.T) {
 				"--etcd-servers=http://127.0.0.1:2379,http://127.0.0.1:2380",
 			},
 		},
-		{
-			name: "auditing is enabled with a custom log max age of 0",
-			cfg: &kubeadmapi.InitConfiguration{
-				LocalAPIEndpoint: kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "2001:db8::1"},
-				ClusterConfiguration: kubeadmapi.ClusterConfiguration{
-					Networking:      kubeadmapi.Networking{ServiceSubnet: "bar"},
-					FeatureGates:    map[string]bool{features.Auditing: true},
-					CertificatesDir: testCertsDir,
-					AuditPolicyConfiguration: kubeadmapi.AuditPolicyConfiguration{
-						LogMaxAge: utilpointer.Int32Ptr(0),
-					},
-				},
-			},
-			expected: []string{
-				"kube-apiserver",
-				"--insecure-port=0",
-				"--enable-admission-plugins=NodeRestriction",
-				"--service-cluster-ip-range=bar",
-				"--service-account-key-file=" + testCertsDir + "/sa.pub",
-				"--client-ca-file=" + testCertsDir + "/ca.crt",
-				"--tls-cert-file=" + testCertsDir + "/apiserver.crt",
-				"--tls-private-key-file=" + testCertsDir + "/apiserver.key",
-				"--kubelet-client-certificate=" + testCertsDir + "/apiserver-kubelet-client.crt",
-				"--kubelet-client-key=" + testCertsDir + "/apiserver-kubelet-client.key",
-				fmt.Sprintf("--secure-port=%d", 123),
-				"--allow-privileged=true",
-				"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
-				"--enable-bootstrap-token-auth=true",
-				"--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt",
-				"--proxy-client-key-file=/var/lib/certs/front-proxy-client.key",
-				"--requestheader-username-headers=X-Remote-User",
-				"--requestheader-group-headers=X-Remote-Group",
-				"--requestheader-extra-headers-prefix=X-Remote-Extra-",
-				"--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
-				"--requestheader-allowed-names=front-proxy-client",
-				"--authorization-mode=Node,RBAC",
-				"--advertise-address=2001:db8::1",
-				fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort),
-				"--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
-				"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
-				"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
-				"--audit-policy-file=/etc/kubernetes/audit/audit.yaml",
-				"--audit-log-path=/var/log/kubernetes/audit/audit.log",
-				"--audit-log-maxage=0",
-			},
-		},
 		{
 			name: "ensure the DynamicKubelet flag gets passed through",
 			cfg: &kubeadmapi.InitConfiguration{
@@ -447,7 +395,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 				ClusterConfiguration: kubeadmapi.ClusterConfiguration{
 					Networking:      kubeadmapi.Networking{ServiceSubnet: "bar"},
 					CertificatesDir: testCertsDir,
-					FeatureGates:    map[string]bool{features.DynamicKubeletConfig: true, features.Auditing: true},
+					FeatureGates:    map[string]bool{features.DynamicKubeletConfig: true},
 					APIServer: kubeadmapi.APIServer{
 						ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
 							ExtraArgs: map[string]string{
@@ -491,7 +439,6 @@ func TestGetAPIServerCommand(t *testing.T) {
 				"--feature-gates=DynamicKubeletConfig=true",
 				"--audit-policy-file=/etc/config/audit.yaml",
 				"--audit-log-path=/var/log/kubernetes",
-				"--audit-log-maxage=2",
 			},
 		},
 		{

cmd/kubeadm/app/phases/controlplane/volumes.go

@@ -26,7 +26,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
-	"k8s.io/kubernetes/cmd/kubeadm/app/features"
 	staticpodutil "k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod"
 )
 
@@ -46,7 +45,6 @@ var caCertsExtraVolumePaths = []string{"/etc/pki", "/usr/share/ca-certificates",
 func getHostPathVolumesForTheControlPlane(cfg *kubeadmapi.InitConfiguration) controlPlaneHostPathMounts {
 	hostPathDirectoryOrCreate := v1.HostPathDirectoryOrCreate
 	hostPathFileOrCreate := v1.HostPathFileOrCreate
-	hostPathFile := v1.HostPathFile
 	mounts := newControlPlaneHostPathMounts()
 
 	// HostPath volumes for the API Server
@@ -55,12 +53,7 @@ func getHostPathVolumesForTheControlPlane(cfg *kubeadmapi.InitConfiguration) con
 	mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, kubeadmconstants.KubeCertificatesVolumeName, cfg.CertificatesDir, cfg.CertificatesDir, true, &hostPathDirectoryOrCreate)
 	// Read-only mount for the ca certs (/etc/ssl/certs) directory
 	mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, caCertsVolumeName, caCertsVolumePath, caCertsVolumePath, true, &hostPathDirectoryOrCreate)
-	if features.Enabled(cfg.FeatureGates, features.Auditing) {
+
-		// Read-only mount for the audit policy file.
-		mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, kubeadmconstants.KubeAuditPolicyVolumeName, cfg.AuditPolicyConfiguration.Path, kubeadmconstants.GetStaticPodAuditPolicyFile(), true, &hostPathFile)
-		// Write mount for the audit logs.
-		mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, kubeadmconstants.KubeAuditPolicyLogVolumeName, cfg.AuditPolicyConfiguration.LogDir, kubeadmconstants.StaticPodAuditPolicyLogDir, false, &hostPathDirectoryOrCreate)
-	}
 	// If external etcd is specified, mount the directories needed for accessing the CA/serving certs and the private key
 	if cfg.Etcd.External != nil {
 		etcdVols, etcdVolMounts := getEtcdCertVolumes(cfg.Etcd.External, cfg.CertificatesDir)

cmd/kubeadm/app/phases/controlplane/volumes_test.go

@@ -26,7 +26,6 @@ import (
 	"k8s.io/api/core/v1"
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
-	"k8s.io/kubernetes/cmd/kubeadm/app/features"
 )
 
 func TestGetEtcdCertVolumes(t *testing.T) {
@@ -259,7 +258,6 @@ func TestGetEtcdCertVolumes(t *testing.T) {
 func TestGetHostPathVolumesForTheControlPlane(t *testing.T) {
 	hostPathDirectoryOrCreate := v1.HostPathDirectoryOrCreate
 	hostPathFileOrCreate := v1.HostPathFileOrCreate
-	hostPathFile := v1.HostPathFile
 	volMap := make(map[string]map[string]v1.Volume)
 	volMap[kubeadmconstants.KubeAPIServer] = map[string]v1.Volume{}
 	volMap[kubeadmconstants.KubeAPIServer]["k8s-certs"] = v1.Volume{
@@ -280,24 +278,6 @@ func TestGetHostPathVolumesForTheControlPlane(t *testing.T) {
 			},
 		},
 	}
-	volMap[kubeadmconstants.KubeAPIServer]["audit"] = v1.Volume{
-		Name: "audit",
-		VolumeSource: v1.VolumeSource{
-			HostPath: &v1.HostPathVolumeSource{
-				Path: "/foo/bar/baz.yaml",
-				Type: &hostPathFile,
-			},
-		},
-	}
-	volMap[kubeadmconstants.KubeAPIServer]["audit-log"] = v1.Volume{
-		Name: "audit-log",
-		VolumeSource: v1.VolumeSource{
-			HostPath: &v1.HostPathVolumeSource{
-				Path: "/bar/foo",
-				Type: &hostPathDirectoryOrCreate,
-			},
-		},
-	}
 	volMap[kubeadmconstants.KubeControllerManager] = map[string]v1.Volume{}
 	volMap[kubeadmconstants.KubeControllerManager]["k8s-certs"] = v1.Volume{
 		Name: "k8s-certs",
@@ -348,16 +328,6 @@ func TestGetHostPathVolumesForTheControlPlane(t *testing.T) {
 		MountPath: "/etc/ssl/certs",
 		ReadOnly:  true,
 	}
-	volMountMap[kubeadmconstants.KubeAPIServer]["audit"] = v1.VolumeMount{
-		Name:      "audit",
-		MountPath: "/etc/kubernetes/audit/audit.yaml",
-		ReadOnly:  true,
-	}
-	volMountMap[kubeadmconstants.KubeAPIServer]["audit-log"] = v1.VolumeMount{
-		Name:      "audit-log",
-		MountPath: "/var/log/kubernetes/audit",
-		ReadOnly:  false,
-	}
 	volMountMap[kubeadmconstants.KubeControllerManager] = map[string]v1.VolumeMount{}
 	volMountMap[kubeadmconstants.KubeControllerManager]["k8s-certs"] = v1.VolumeMount{
 		Name:      "k8s-certs",
@@ -511,11 +481,6 @@ func TestGetHostPathVolumesForTheControlPlane(t *testing.T) {
 			cfg: &kubeadmapi.ClusterConfiguration{
 				CertificatesDir: testCertsDir,
 				Etcd:            kubeadmapi.Etcd{},
-				FeatureGates:    map[string]bool{features.Auditing: true},
-				AuditPolicyConfiguration: kubeadmapi.AuditPolicyConfiguration{
-					Path:   "/foo/bar/baz.yaml",
-					LogDir: "/bar/foo",
-				},
 			},
 			vol:      volMap,
 			volMount: volMountMap,

cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml

@@ -14,10 +14,6 @@ APIServer:
     PathType: ""
     ReadOnly: false
   TimeoutForControlPlane: 4m0s
-AuditPolicyConfiguration:
-  LogDir: /var/log/kubernetes/audit
-  LogMaxAge: 2
-  Path: ""
 BootstrapTokens:
 - Description: ""
   Expires: null

cmd/kubeadm/app/util/config/testdata/conversion/master/v1beta1.yaml

@@ -31,10 +31,6 @@ apiServer:
     name: WritableVolume
   timeoutForControlPlane: 4m0s
 apiVersion: kubeadm.k8s.io/v1beta1
-auditPolicy:
-  logDir: /var/log/kubernetes/audit
-  logMaxAge: 2
-  path: ""
 certificatesDir: /etc/kubernetes/pki
 clusterName: kubernetes
 controlPlaneEndpoint: ""

cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted.yaml

@@ -21,10 +21,6 @@ nodeRegistration:
 apiServer:
   timeoutForControlPlane: 4m0s
 apiVersion: kubeadm.k8s.io/v1beta1
-auditPolicy:
-  logDir: /var/log/kubernetes/audit
-  logMaxAge: 2
-  path: ""
 certificatesDir: /var/lib/kubernetes/pki
 clusterName: kubernetes
 controlPlaneEndpoint: ""