From cf8e3ccf1959942342ed0c10f6b43d46beb65e04 Mon Sep 17 00:00:00 2001
From: Cao Shufeng
Date: Tue, 6 Jun 2017 19:31:29 +0800
Subject: [PATCH] Add Validate() function for audit options

---
 cmd/kube-apiserver/app/options/validation.go | 3 +
 hack/verify-flags/known-flags.txt | 1 +
 .../apiserver/pkg/server/options/audit.go | 58 +++++++++++++++----
 3 files changed, 50 insertions(+), 12 deletions(-)

diff --git a/cmd/kube-apiserver/app/options/validation.go b/cmd/kube-apiserver/app/options/validation.go
index 3a9bbbfea65..fb937bdf7db 100644
--- a/cmd/kube-apiserver/app/options/validation.go
+++ b/cmd/kube-apiserver/app/options/validation.go
@@ -63,6 +63,9 @@ func (options *ServerRunOptions) Validate() []error {
 if errs := options.Authentication.Validate(); len(errs) > 0 {
 errors = append(errors, errs...)
 }
+ if errs := options.Audit.Validate(); len(errs) > 0 {
+ errors = append(errors, errs...)
+ }
 if errs := options.InsecureServing.Validate("insecure-port"); len(errs) > 0 {
 errors = append(errors, errs...)
 }
diff --git a/hack/verify-flags/known-flags.txt b/hack/verify-flags/known-flags.txt
index b504324bb95..5264757787c 100644
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@@ -46,6 +46,7 @@ audit-log-maxage
 audit-log-maxbackup
 audit-log-maxsize
 audit-log-path
+audit-policy-file
 audit-webhook-config-file
 audit-webhook-mode
 authentication-kubeconfig
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/audit.go b/staging/src/k8s.io/apiserver/pkg/server/options/audit.go
index b5f310af041..d1421e66dd1 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/audit.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/audit.go
@@ -81,6 +81,33 @@ func NewAuditOptions() *AuditOptions {
 }
 }
 
+// Validate checks invalid config combination
+func (o *AuditOptions) Validate() []error {
+ allErrors := []error{}
+
+ if !advancedAuditingEnabled() {
+ if len(o.PolicyFile) > 0 {
+ allErrors = append(allErrors, fmt.Errorf("feature '%s' must be enabled to set option --audit-policy-file", features.AdvancedAuditing))
+ }
+ if len(o.WebhookOptions.ConfigFile) > 0 {
+ allErrors = append(allErrors, fmt.Errorf("feature '%s' must be enabled to set option --audit-webhook-config-file", features.AdvancedAuditing))
+ }
+ } else {
+ // check webhook mode
+ validMode := false
+ for _, m := range pluginwebhook.AllowedModes {
+ if m == o.WebhookOptions.Mode {
+ validMode = true
+ break
+ }
+ }
+ if !validMode {
+ allErrors = append(allErrors, fmt.Errorf("invalid audit webhook mode %s, allowed modes are %q", o.WebhookOptions.Mode, strings.Join(pluginwebhook.AllowedModes, ",")))
+ }
+ }
+ return allErrors
+}
+
 func (o *AuditOptions) AddFlags(fs *pflag.FlagSet) {
 fs.StringVar(&o.PolicyFile, "audit-policy-file", o.PolicyFile,
 "Path to the file that defines the audit policy configuration. Requires the 'AdvancedAuditing' feature gate."+
@@ -91,13 +118,19 @@ func (o *AuditOptions) AddFlags(fs *pflag.FlagSet) {
 }
 
 func (o *AuditOptions) ApplyTo(c *server.Config) error {
- // Apply generic options.
+ // Apply legacy audit options if advanced audit is not enabled.
+ if !advancedAuditingEnabled() {
+ return o.LogOptions.legacyApplyTo(c)
+ }
+
+ // Apply advanced options if advanced audit is enabled.
+ // 1. Apply generic options.
 if err := o.applyTo(c); err != nil {
 return err
 }
 
- // Apply plugin options.
- if err := o.LogOptions.applyTo(c); err != nil {
+ // 2. Apply plugin options.
+ if err := o.LogOptions.advancedApplyTo(c); err != nil {
 return err
 }
 if err := o.WebhookOptions.applyTo(c); err != nil {
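Review bot: The webhook-mode error in Validate prints the operator-supplied mode with `%s` and the allowed list as one `%q`-quoted comma-joined string, so an empty or whitespace-only mode renders as nothing and the allowed modes read as a single value; use `fmt.Errorf("invalid audit webhook mode %q, allowed modes are %q", o.WebhookOptions.Mode, pluginwebhook.AllowedModes)`, which quotes the input and prints each allowed mode separately, and the `strings.Join` call goes away. The doc comment `// Validate checks invalid config combination` should also say what is checked: that --audit-policy-file and --audit-webhook-config-file require the AdvancedAuditing feature gate, and that --audit-webhook-mode must be one of pluginwebhook.AllowedModes when the gate is on. Note that with the gate on, the mode is validated even when no webhook config file is set, which is fine only if the default Mode (presumably set in NewAuditOptions, just above this hunk) is itself in AllowedModes.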
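Review bot: With the feature gate off, the new early return in ApplyTo applies only the legacy log writer and silently discards --audit-policy-file and --audit-webhook-config-file; the explicit errors that used to guard this in applyTo and AuditWebhookOptions.applyTo are removed elsewhere in this patch, so the only remaining enforcement is Validate, which this patch wires up solely in kube-apiserver's ServerRunOptions.Validate. audit.go lives in the staging apiserver library, so any other server built on it that calls ApplyTo without calling Validate would start without the audit policy or webhook the operator configured and without any error, a quiet loss of audit coverage that should instead fail loudly. Guarding ApplyTo itself closes that gap: `if errs := o.Validate(); len(errs) > 0 {` / `return errs[0]` / `}` placed before the `!advancedAuditingEnabled()` check (or aggregate the errors if the package already imports a helper for that). ApplyTo's body continues past the end of this hunk.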
@@ -111,9 +144,6 @@ func (o *AuditOptions) applyTo(c *server.Config) error {
 return nil
 }
 
- if !advancedAuditingEnabled() {
- return fmt.Errorf("feature '%s' must be enabled to set an audit policy", features.AdvancedAuditing)
- }
 p, err := policy.LoadPolicyFromFile(o.PolicyFile)
 if err != nil {
 return fmt.Errorf("loading audit policy file: %v", err)
@@ -133,7 +163,7 @@ func (o *AuditLogOptions) AddFlags(fs *pflag.FlagSet) {
 "The maximum size in megabytes of the audit log file before it gets rotated.")
 }
 
-func (o *AuditLogOptions) applyTo(c *server.Config) error {
+func (o *AuditLogOptions) getWriter() io.Writer {
 if o.Path == "" {
 return nil
 }
@@ -147,14 +177,21 @@ func (o *AuditLogOptions) applyTo(c *server.Config) error {
 MaxSize: o.MaxSize,
 }
 }
- c.LegacyAuditWriter = w
+ return w
+}
 
- if advancedAuditingEnabled() {
+func (o *AuditLogOptions) advancedApplyTo(c *server.Config) error {
+ if w := o.getWriter(); w != nil {
 c.AuditBackend = appendBackend(c.AuditBackend, pluginlog.NewBackend(w))
 }
 return nil
 }
 
+func (o *AuditLogOptions) legacyApplyTo(c *server.Config) error {
+ c.LegacyAuditWriter = o.getWriter()
+ return nil
+}
+
 func (o *AuditWebhookOptions) AddFlags(fs *pflag.FlagSet) {
 fs.StringVar(&o.ConfigFile, "audit-webhook-config-file", o.ConfigFile,
 "Path to a kubeconfig formatted file that defines the audit webhook configuration."+
@@ -170,9 +207,6 @@ func (o *AuditWebhookOptions) applyTo(c *server.Config) error {
 return nil
 }
 
- if !advancedAuditingEnabled() {
- return fmt.Errorf("feature '%s' must be enabled to set an audit webhook", features.AdvancedAuditing)
- }
 webhook, err := pluginwebhook.NewBackend(o.ConfigFile, o.Mode)
 if err != nil {
 return fmt.Errorf("initializing audit webhook: %v", err)
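Review bot: legacyApplyTo assigns `c.LegacyAuditWriter = o.getWriter()` unconditionally, whereas the code it replaces only reached `c.LegacyAuditWriter = w` after the `if o.Path == "" { return nil }` guard shown in the preceding hunk, so with no --audit-log-path the new code overwrites whatever LegacyAuditWriter the Config already held with nil instead of leaving it untouched. Whether anything else populates that field is not visible here, but the asymmetry with advancedApplyTo, which does check `w != nil`, looks unintended; mirroring it with `if w := o.getWriter(); w != nil { c.LegacyAuditWriter = w }` restores the old behaviour. The two new unexported methods also lack doc comments; suggest `// advancedApplyTo registers the log file as an audit backend when --audit-log-path is set.` and `// legacyApplyTo installs the log file as the pre-AdvancedAuditing writer when --audit-log-path is set.` getWriter, whose tail this hunk starts in, begins outside the hunk.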