Merge pull request #48184 from CaoShuFeng/impersonate_audit
Automatic merge from submit-queue (batch tested with PRs 51301, 50497, 50112, 48184, 50993). Audit the newest impersonated user info in the ResponseStarted and ResponseComplete audit stages. Impersonation automatically adds the system:authenticated and system:serviceaccounts groups to the impersonated user info. This PR uses the newest impersonated user info in the second audit event, which will help users debug RBAC problems. **Release note**: ``` [advanced audit] audit newest impersonated user info in the ResponseStarted, ResponseComplete audit stage ``` @liggitt @sttts
This commit is contained in:
commit
134b667d0a
@ -20,7 +20,6 @@ go_library(
|
|||||||
"//vendor/github.com/golang/glog:go_default_library",
|
"//vendor/github.com/golang/glog:go_default_library",
|
||||||
"//vendor/github.com/pborman/uuid:go_default_library",
|
"//vendor/github.com/pborman/uuid:go_default_library",
|
||||||
"//vendor/github.com/prometheus/client_golang/prometheus:go_default_library",
|
"//vendor/github.com/prometheus/client_golang/prometheus:go_default_library",
|
||||||
"//vendor/k8s.io/api/authentication/v1:go_default_library",
|
|
||||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
|
||||||
@ -31,6 +30,7 @@ go_library(
|
|||||||
"//vendor/k8s.io/apiserver/pkg/apis/audit:go_default_library",
|
"//vendor/k8s.io/apiserver/pkg/apis/audit:go_default_library",
|
||||||
"//vendor/k8s.io/apiserver/pkg/apis/audit/v1alpha1:go_default_library",
|
"//vendor/k8s.io/apiserver/pkg/apis/audit/v1alpha1:go_default_library",
|
||||||
"//vendor/k8s.io/apiserver/pkg/apis/audit/v1beta1:go_default_library",
|
"//vendor/k8s.io/apiserver/pkg/apis/audit/v1beta1:go_default_library",
|
||||||
|
"//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
|
||||||
"//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
|
"//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
|
@ -20,7 +20,6 @@ import (
|
|||||||
"bytes"
|
"bytes"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
"strings"
|
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/golang/glog"
|
"github.com/golang/glog"
|
||||||
@ -28,7 +27,6 @@ import (
|
|||||||
|
|
||||||
"reflect"
|
"reflect"
|
||||||
|
|
||||||
authenticationv1 "k8s.io/api/authentication/v1"
|
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/runtime"
|
"k8s.io/apimachinery/pkg/runtime"
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
@ -36,6 +34,7 @@ import (
|
|||||||
utilnet "k8s.io/apimachinery/pkg/util/net"
|
utilnet "k8s.io/apimachinery/pkg/util/net"
|
||||||
"k8s.io/apiserver/pkg/apis/audit"
|
"k8s.io/apiserver/pkg/apis/audit"
|
||||||
auditinternal "k8s.io/apiserver/pkg/apis/audit"
|
auditinternal "k8s.io/apiserver/pkg/apis/audit"
|
||||||
|
"k8s.io/apiserver/pkg/authentication/user"
|
||||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -73,24 +72,6 @@ func NewEventFromRequest(req *http.Request, level auditinternal.Level, attribs a
|
|||||||
ev.User.UID = user.GetUID()
|
ev.User.UID = user.GetUID()
|
||||||
}
|
}
|
||||||
|
|
||||||
if asuser := req.Header.Get(authenticationv1.ImpersonateUserHeader); len(asuser) > 0 {
|
|
||||||
ev.ImpersonatedUser = &auditinternal.UserInfo{
|
|
||||||
Username: asuser,
|
|
||||||
}
|
|
||||||
if requestedGroups := req.Header[authenticationv1.ImpersonateGroupHeader]; len(requestedGroups) > 0 {
|
|
||||||
ev.ImpersonatedUser.Groups = requestedGroups
|
|
||||||
}
|
|
||||||
|
|
||||||
ev.ImpersonatedUser.Extra = map[string]auditinternal.ExtraValue{}
|
|
||||||
for k, v := range req.Header {
|
|
||||||
if !strings.HasPrefix(k, authenticationv1.ImpersonateUserExtraHeaderPrefix) {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
k = k[len(authenticationv1.ImpersonateUserExtraHeaderPrefix):]
|
|
||||||
ev.ImpersonatedUser.Extra[k] = auditinternal.ExtraValue(v)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if attribs.IsResourceRequest() {
|
if attribs.IsResourceRequest() {
|
||||||
ev.ObjectRef = &auditinternal.ObjectReference{
|
ev.ObjectRef = &auditinternal.ObjectReference{
|
||||||
Namespace: attribs.GetNamespace(),
|
Namespace: attribs.GetNamespace(),
|
||||||
@ -105,6 +86,22 @@ func NewEventFromRequest(req *http.Request, level auditinternal.Level, attribs a
|
|||||||
return ev, nil
|
return ev, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// LogImpersonatedUser fills in the impersonated user attributes into an audit event.
|
||||||
|
func LogImpersonatedUser(ae *auditinternal.Event, user user.Info) {
|
||||||
|
if ae == nil || ae.Level.Less(audit.LevelMetadata) {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
ae.ImpersonatedUser = &auditinternal.UserInfo{
|
||||||
|
Username: user.GetName(),
|
||||||
|
}
|
||||||
|
ae.ImpersonatedUser.Groups = user.GetGroups()
|
||||||
|
ae.ImpersonatedUser.UID = user.GetUID()
|
||||||
|
ae.ImpersonatedUser.Extra = map[string]auditinternal.ExtraValue{}
|
||||||
|
for k, v := range user.GetExtra() {
|
||||||
|
ae.ImpersonatedUser.Extra[k] = auditinternal.ExtraValue(v)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// LogRequestObject fills in the request object into an audit event. The passed runtime.Object
|
// LogRequestObject fills in the request object into an audit event. The passed runtime.Object
|
||||||
// will be converted to the given gv.
|
// will be converted to the given gv.
|
||||||
func LogRequestObject(ae *audit.Event, obj runtime.Object, gvr schema.GroupVersionResource, subresource string, s runtime.NegotiatedSerializer) {
|
func LogRequestObject(ae *audit.Event, obj runtime.Object, gvr schema.GroupVersionResource, subresource string, s runtime.NegotiatedSerializer) {
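Review bot: In the new `LogImpersonatedUser` the parameter named `user` shadows the `user` package this commit imports into the same file, so any later edit of the body that needs the package (e.g. `user.DefaultInfo`) will either fail to compile or silently bind to the parameter; naming it `u` — `func LogImpersonatedUser(ae *auditinternal.Event, u user.Info)` — with the four getter calls updated avoids that. The doc comment should also state the two behaviours the body actually has: it is a no-op when `ae` is nil or the event level is below Metadata, and it unconditionally replaces any ImpersonatedUser already on the event, e.g. `// LogImpersonatedUser records u as ae.ImpersonatedUser, replacing any existing value; it is a no-op when ae is nil or its level is below Metadata.` The level check uses `audit.LevelMetadata` while the parameter is `*auditinternal.Event`; both names alias the same import path (see the import hunk above) and the neighbouring `LogRequestObject` uses `*audit.Event`, so picking one alias inside the new function would be more consistent. Note that `auditinternal.ExtraValue(v)` is a slice conversion, not a copy, so the event aliases the caller's extra-value slices exactly as the removed header-based code did.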
|
||||||
|
@ -27,6 +27,7 @@ import (
|
|||||||
authenticationv1 "k8s.io/api/authentication/v1"
|
authenticationv1 "k8s.io/api/authentication/v1"
|
||||||
"k8s.io/api/core/v1"
|
"k8s.io/api/core/v1"
|
||||||
"k8s.io/apimachinery/pkg/runtime"
|
"k8s.io/apimachinery/pkg/runtime"
|
||||||
|
"k8s.io/apiserver/pkg/audit"
|
||||||
"k8s.io/apiserver/pkg/authentication/serviceaccount"
|
"k8s.io/apiserver/pkg/authentication/serviceaccount"
|
||||||
"k8s.io/apiserver/pkg/authentication/user"
|
"k8s.io/apiserver/pkg/authentication/user"
|
||||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||||
@ -133,6 +134,9 @@ func WithImpersonation(handler http.Handler, requestContextMapper request.Reques
|
|||||||
oldUser, _ := request.UserFrom(ctx)
|
oldUser, _ := request.UserFrom(ctx)
|
||||||
httplog.LogOf(req, w).Addf("%v is acting as %v", oldUser, newUser)
|
httplog.LogOf(req, w).Addf("%v is acting as %v", oldUser, newUser)
|
||||||
|
|
||||||
|
ae := request.AuditEventFrom(ctx)
|
||||||
|
audit.LogImpersonatedUser(ae, newUser)
|
||||||
|
|
||||||
// clear all the impersonation headers from the request
|
// clear all the impersonation headers from the request
|
||||||
req.Header.Del(authenticationv1.ImpersonateUserHeader)
|
req.Header.Del(authenticationv1.ImpersonateUserHeader)
|
||||||
req.Header.Del(authenticationv1.ImpersonateGroupHeader)
|
req.Header.Del(authenticationv1.ImpersonateGroupHeader)
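Review bot: `audit.LogImpersonatedUser(ae, newUser)` is reached only after `newUser` has been built, i.e. on the path where the impersonation request was accepted; an attempt that is rejected earlier in WithImpersonation (outside this hunk) never gets here. Because this commit also removes the header-derived ImpersonatedUser from NewEventFromRequest, the audit events for a denied impersonation attempt will, as far as the hunk shows, carry no ImpersonatedUser at all, so the identity the caller tried to act as disappears from the trail — precisely the event a detection rule on impersonation abuse would want. Consider also recording the requested identity on the forbidden path (for example calling `audit.LogImpersonatedUser` with the attempted `user.Info` before the Forbidden response is written), or at least stating in the release note that impersonation is now audited only when it succeeds. Whether the audit filter sits outside this filter in the handler chain is not visible here; if it does not, `ae` is nil and the helper's nil check turns this call into a no-op, which is worth a one-line comment above `ae := request.AuditEventFrom(ctx)`. The enclosing WithImpersonation function starts and ends outside the hunk.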
|
||||||
|