From 1a1ca5173ea0f6b06a74d4a26e694cff521a2f8e Mon Sep 17 00:00:00 2001 From: Tim Allclair Date: Wed, 2 Nov 2022 15:23:48 -0700 Subject: [PATCH] Combine RequestAuditConfig with RequestAuditConfigWithLevel --- .../k8s.io/apiserver/pkg/audit/evaluator.go | 16 +++------- .../apiserver/pkg/audit/policy/checker.go | 32 ++++++++----------- .../apiserver/pkg/endpoints/filters/audit.go | 10 +++--- ...ericapiserver_graceful_termination_test.go | 7 ++-- test/integration/examples/webhook_test.go | 8 ++--- 5 files changed, 29 insertions(+), 44 deletions(-) diff --git a/staging/src/k8s.io/apiserver/pkg/audit/evaluator.go b/staging/src/k8s.io/apiserver/pkg/audit/evaluator.go index 93907dc5f33..f9664fef69c 100644 --- a/staging/src/k8s.io/apiserver/pkg/audit/evaluator.go +++ b/staging/src/k8s.io/apiserver/pkg/audit/evaluator.go @@ -25,6 +25,9 @@ import ( // a given request. PolicyRuleEvaluator evaluates the audit policy against the // authorizer attributes and returns a RequestAuditConfig that applies to the request. type RequestAuditConfig struct { + // Level at which the request is being audited at + Level audit.Level + // OmitStages is the stages that need to be omitted from being audited. OmitStages []audit.Stage @@ -33,21 +36,10 @@ type RequestAuditConfig struct { OmitManagedFields bool } -// RequestAuditConfigWithLevel includes Level at which the request is being audited. -// PolicyRuleEvaluator evaluates the audit configuration for a request -// against the authorizer attributes and returns an RequestAuditConfigWithLevel -// that applies to the request. -type RequestAuditConfigWithLevel struct { - RequestAuditConfig - - // Level at which the request is being audited at - Level audit.Level -} - // PolicyRuleEvaluator exposes methods for evaluating the policy rules. type PolicyRuleEvaluator interface { // EvaluatePolicyRule evaluates the audit policy of the apiserver against // the given authorizer attributes and returns the audit configuration that // is applicable to the given equest. - EvaluatePolicyRule(authorizer.Attributes) RequestAuditConfigWithLevel + EvaluatePolicyRule(authorizer.Attributes) RequestAuditConfig } diff --git a/staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go b/staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go index 6a98ff4ac04..cd6ec92bc8a 100644 --- a/staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go +++ b/staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go @@ -61,25 +61,21 @@ type policyRuleEvaluator struct { audit.Policy } -func (p *policyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) auditinternal.RequestAuditConfigWithLevel { +func (p *policyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) auditinternal.RequestAuditConfig { for _, rule := range p.Rules { if ruleMatches(&rule, attrs) { - return auditinternal.RequestAuditConfigWithLevel{ - Level: rule.Level, - RequestAuditConfig: auditinternal.RequestAuditConfig{ - OmitStages: rule.OmitStages, - OmitManagedFields: isOmitManagedFields(&rule, p.OmitManagedFields), - }, + return auditinternal.RequestAuditConfig{ + Level: rule.Level, + OmitStages: rule.OmitStages, + OmitManagedFields: isOmitManagedFields(&rule, p.OmitManagedFields), } } } - return auditinternal.RequestAuditConfigWithLevel{ - Level: DefaultAuditLevel, - RequestAuditConfig: auditinternal.RequestAuditConfig{ - OmitStages: p.OmitStages, - OmitManagedFields: p.OmitManagedFields, - }, + return auditinternal.RequestAuditConfig{ + Level: DefaultAuditLevel, + OmitStages: p.OmitStages, + OmitManagedFields: p.OmitManagedFields, } } @@ -235,11 +231,9 @@ type fakePolicyRuleEvaluator struct { stage []audit.Stage } -func (f *fakePolicyRuleEvaluator) EvaluatePolicyRule(_ authorizer.Attributes) auditinternal.RequestAuditConfigWithLevel { - return auditinternal.RequestAuditConfigWithLevel{ - Level: f.level, - RequestAuditConfig: auditinternal.RequestAuditConfig{ - OmitStages: f.stage, - }, +func (f *fakePolicyRuleEvaluator) EvaluatePolicyRule(_ authorizer.Attributes) auditinternal.RequestAuditConfig { + return auditinternal.RequestAuditConfig{ + Level: f.level, + OmitStages: f.stage, } } diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go index b310c94ee2a..ccb628b443e 100644 --- a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go +++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go @@ -133,10 +133,10 @@ func evaluatePolicyAndCreateAuditEvent(req *http.Request, policy audit.PolicyRul return ac, fmt.Errorf("failed to GetAuthorizerAttributes: %v", err) } - ls := policy.EvaluatePolicyRule(attribs) - audit.ObservePolicyLevel(ctx, ls.Level) - ac.RequestAuditConfig = ls.RequestAuditConfig - if ls.Level == auditinternal.LevelNone { + rac := policy.EvaluatePolicyRule(attribs) + audit.ObservePolicyLevel(ctx, rac.Level) + ac.RequestAuditConfig = rac + if rac.Level == auditinternal.LevelNone { // Don't audit. return ac, nil } @@ -145,7 +145,7 @@ func evaluatePolicyAndCreateAuditEvent(req *http.Request, policy audit.PolicyRul if !ok { requestReceivedTimestamp = time.Now() } - ev, err := audit.NewEventFromRequest(req, requestReceivedTimestamp, ls.Level, attribs) + ev, err := audit.NewEventFromRequest(req, requestReceivedTimestamp, rac.Level, attribs) if err != nil { return nil, fmt.Errorf("failed to complete audit event from request: %v", err) } diff --git a/staging/src/k8s.io/apiserver/pkg/server/genericapiserver_graceful_termination_test.go b/staging/src/k8s.io/apiserver/pkg/server/genericapiserver_graceful_termination_test.go index c18ce70c4ea..373ce82d52d 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/genericapiserver_graceful_termination_test.go +++ b/staging/src/k8s.io/apiserver/pkg/server/genericapiserver_graceful_termination_test.go @@ -780,10 +780,9 @@ func (a *fakeAudit) requestAudited(auditID string) bool { return exists } -func (a *fakeAudit) EvaluatePolicyRule(attrs authorizer.Attributes) audit.RequestAuditConfigWithLevel { - return audit.RequestAuditConfigWithLevel{ - Level: auditinternal.LevelMetadata, - RequestAuditConfig: audit.RequestAuditConfig{}, +func (a *fakeAudit) EvaluatePolicyRule(attrs authorizer.Attributes) audit.RequestAuditConfig { + return audit.RequestAuditConfig{ + Level: auditinternal.LevelMetadata, } } diff --git a/test/integration/examples/webhook_test.go b/test/integration/examples/webhook_test.go index 07325f24f26..0c7f04be765 100644 --- a/test/integration/examples/webhook_test.go +++ b/test/integration/examples/webhook_test.go @@ -50,14 +50,14 @@ func TestWebhookLoopback(t *testing.T) { // Hook into audit to watch requests config.GenericConfig.AuditBackend = auditSinkFunc(func(events ...*auditinternal.Event) {}) - config.GenericConfig.AuditPolicyRuleEvaluator = auditPolicyRuleEvaluator(func(attrs authorizer.Attributes) audit.RequestAuditConfigWithLevel { + config.GenericConfig.AuditPolicyRuleEvaluator = auditPolicyRuleEvaluator(func(attrs authorizer.Attributes) audit.RequestAuditConfig { if attrs.GetPath() == webhookPath { if attrs.GetUser().GetName() != "system:apiserver" { t.Errorf("expected user %q, got %q", "system:apiserver", attrs.GetUser().GetName()) } atomic.AddInt32(&called, 1) } - return audit.RequestAuditConfigWithLevel{ + return audit.RequestAuditConfig{ Level: auditinternal.LevelNone, } }) @@ -107,9 +107,9 @@ func TestWebhookLoopback(t *testing.T) { } } -type auditPolicyRuleEvaluator func(authorizer.Attributes) audit.RequestAuditConfigWithLevel +type auditPolicyRuleEvaluator func(authorizer.Attributes) audit.RequestAuditConfig -func (f auditPolicyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) audit.RequestAuditConfigWithLevel { +func (f auditPolicyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) audit.RequestAuditConfig { return f(attrs) }