Combine RequestAuditConfig with RequestAuditConfigWithLevel
This commit is contained in:
parent
de95671f0c
commit
1a1ca5173e
@ -25,6 +25,9 @@ import (
|
|||||||
// a given request. PolicyRuleEvaluator evaluates the audit policy against the
|
// a given request. PolicyRuleEvaluator evaluates the audit policy against the
|
||||||
// authorizer attributes and returns a RequestAuditConfig that applies to the request.
|
// authorizer attributes and returns a RequestAuditConfig that applies to the request.
|
||||||
type RequestAuditConfig struct {
|
type RequestAuditConfig struct {
|
||||||
|
// Level at which the request is being audited at
|
||||||
|
Level audit.Level
|
||||||
|
|
||||||
// OmitStages is the stages that need to be omitted from being audited.
|
// OmitStages is the stages that need to be omitted from being audited.
|
||||||
OmitStages []audit.Stage
|
OmitStages []audit.Stage
|
||||||
|
|
||||||
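Review bot: The comment on the newly added `Level` field reads awkwardly ("Level at which the request is being audited at"); since the commit moves this field into RequestAuditConfig, suggest rewording it to `// Level is the audit level at which the request is being audited.` The struct doc at the top of the hunk now says PolicyRuleEvaluator returns a RequestAuditConfig, which matches the interface change in the next hunk. The rest of the struct (OmitManagedFields) continues outside this hunk.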
@ -33,21 +36,10 @@ type RequestAuditConfig struct {
|
|||||||
OmitManagedFields bool
|
OmitManagedFields bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// RequestAuditConfigWithLevel includes Level at which the request is being audited.
|
|
||||||
// PolicyRuleEvaluator evaluates the audit configuration for a request
|
|
||||||
// against the authorizer attributes and returns an RequestAuditConfigWithLevel
|
|
||||||
// that applies to the request.
|
|
||||||
type RequestAuditConfigWithLevel struct {
|
|
||||||
RequestAuditConfig
|
|
||||||
|
|
||||||
// Level at which the request is being audited at
|
|
||||||
Level audit.Level
|
|
||||||
}
|
|
||||||
|
|
||||||
// PolicyRuleEvaluator exposes methods for evaluating the policy rules.
|
// PolicyRuleEvaluator exposes methods for evaluating the policy rules.
|
||||||
type PolicyRuleEvaluator interface {
|
type PolicyRuleEvaluator interface {
|
||||||
// EvaluatePolicyRule evaluates the audit policy of the apiserver against
|
// EvaluatePolicyRule evaluates the audit policy of the apiserver against
|
||||||
// the given authorizer attributes and returns the audit configuration that
|
// the given authorizer attributes and returns the audit configuration that
|
||||||
// is applicable to the given equest.
|
// is applicable to the given equest.
|
||||||
EvaluatePolicyRule(authorizer.Attributes) RequestAuditConfigWithLevel
|
EvaluatePolicyRule(authorizer.Attributes) RequestAuditConfig
|
||||||
}
|
}
|
||||||
|
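Review bot: The doc comment on EvaluatePolicyRule still reads `// is applicable to the given equest.`; the commit changes this method's signature on the next line, so it is a good moment to fix it to `// is applicable to the given request.` With Level folded into RequestAuditConfig, it would also help implementers to state in the interface doc that the returned config must always set Level explicitly, since the handler decides whether to audit by comparing Level against LevelNone.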
@ -61,25 +61,21 @@ type policyRuleEvaluator struct {
|
|||||||
audit.Policy
|
audit.Policy
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *policyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) auditinternal.RequestAuditConfigWithLevel {
|
func (p *policyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) auditinternal.RequestAuditConfig {
|
||||||
for _, rule := range p.Rules {
|
for _, rule := range p.Rules {
|
||||||
if ruleMatches(&rule, attrs) {
|
if ruleMatches(&rule, attrs) {
|
||||||
return auditinternal.RequestAuditConfigWithLevel{
|
return auditinternal.RequestAuditConfig{
|
||||||
Level: rule.Level,
|
Level: rule.Level,
|
||||||
RequestAuditConfig: auditinternal.RequestAuditConfig{
|
|
||||||
OmitStages: rule.OmitStages,
|
OmitStages: rule.OmitStages,
|
||||||
OmitManagedFields: isOmitManagedFields(&rule, p.OmitManagedFields),
|
OmitManagedFields: isOmitManagedFields(&rule, p.OmitManagedFields),
|
||||||
},
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return auditinternal.RequestAuditConfigWithLevel{
|
return auditinternal.RequestAuditConfig{
|
||||||
Level: DefaultAuditLevel,
|
Level: DefaultAuditLevel,
|
||||||
RequestAuditConfig: auditinternal.RequestAuditConfig{
|
|
||||||
OmitStages: p.OmitStages,
|
OmitStages: p.OmitStages,
|
||||||
OmitManagedFields: p.OmitManagedFields,
|
OmitManagedFields: p.OmitManagedFields,
|
||||||
},
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
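Review bot: EvaluatePolicyRule on policyRuleEvaluator has no doc comment even though the commit rewrites its body; suggest `// EvaluatePolicyRule returns the audit config of the first rule that matches attrs, falling back to DefaultAuditLevel and the policy-wide OmitStages/OmitManagedFields when no rule matches.` — first-match semantics follow from the return inside the loop. Note that `OmitStages: rule.OmitStages` (and `p.OmitStages` in the fallback) hands out the policy's own slice rather than a copy, so a caller that mutated the returned OmitStages would alter the loaded policy; whether any caller does so is not visible here, but copying the slice would remove the possibility.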
@ -235,11 +231,9 @@ type fakePolicyRuleEvaluator struct {
|
|||||||
stage []audit.Stage
|
stage []audit.Stage
|
||||||
}
|
}
|
||||||
|
|
||||||
func (f *fakePolicyRuleEvaluator) EvaluatePolicyRule(_ authorizer.Attributes) auditinternal.RequestAuditConfigWithLevel {
|
func (f *fakePolicyRuleEvaluator) EvaluatePolicyRule(_ authorizer.Attributes) auditinternal.RequestAuditConfig {
|
||||||
return auditinternal.RequestAuditConfigWithLevel{
|
return auditinternal.RequestAuditConfig{
|
||||||
Level: f.level,
|
Level: f.level,
|
||||||
RequestAuditConfig: auditinternal.RequestAuditConfig{
|
|
||||||
OmitStages: f.stage,
|
OmitStages: f.stage,
|
||||||
},
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -133,10 +133,10 @@ func evaluatePolicyAndCreateAuditEvent(req *http.Request, policy audit.PolicyRul
|
|||||||
return ac, fmt.Errorf("failed to GetAuthorizerAttributes: %v", err)
|
return ac, fmt.Errorf("failed to GetAuthorizerAttributes: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
ls := policy.EvaluatePolicyRule(attribs)
|
rac := policy.EvaluatePolicyRule(attribs)
|
||||||
audit.ObservePolicyLevel(ctx, ls.Level)
|
audit.ObservePolicyLevel(ctx, rac.Level)
|
||||||
ac.RequestAuditConfig = ls.RequestAuditConfig
|
ac.RequestAuditConfig = rac
|
||||||
if ls.Level == auditinternal.LevelNone {
|
if rac.Level == auditinternal.LevelNone {
|
||||||
// Don't audit.
|
// Don't audit.
|
||||||
return ac, nil
|
return ac, nil
|
||||||
}
|
}
|
||||||
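Review bot: `if rac.Level == auditinternal.LevelNone` only skips auditing for an explicit LevelNone; an evaluator that returns a zero-value RequestAuditConfig (easier now that Level lives on the combined struct) would fall through, be stored on `ac.RequestAuditConfig`, and reach NewEventFromRequest in the next hunk with an unset level. Unless LevelNone is the zero value of audit.Level, consider rejecting an unset level before the LevelNone check, e.g. `if rac.Level == "" { return ac, fmt.Errorf("audit policy evaluator returned no level") }` (assuming audit.Level is string-backed). evaluatePolicyAndCreateAuditEvent starts and ends outside this hunk.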
@ -145,7 +145,7 @@ func evaluatePolicyAndCreateAuditEvent(req *http.Request, policy audit.PolicyRul
|
|||||||
if !ok {
|
if !ok {
|
||||||
requestReceivedTimestamp = time.Now()
|
requestReceivedTimestamp = time.Now()
|
||||||
}
|
}
|
||||||
ev, err := audit.NewEventFromRequest(req, requestReceivedTimestamp, ls.Level, attribs)
|
ev, err := audit.NewEventFromRequest(req, requestReceivedTimestamp, rac.Level, attribs)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to complete audit event from request: %v", err)
|
return nil, fmt.Errorf("failed to complete audit event from request: %v", err)
|
||||||
}
|
}
|
||||||
|
@ -780,10 +780,9 @@ func (a *fakeAudit) requestAudited(auditID string) bool {
|
|||||||
return exists
|
return exists
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *fakeAudit) EvaluatePolicyRule(attrs authorizer.Attributes) audit.RequestAuditConfigWithLevel {
|
func (a *fakeAudit) EvaluatePolicyRule(attrs authorizer.Attributes) audit.RequestAuditConfig {
|
||||||
return audit.RequestAuditConfigWithLevel{
|
return audit.RequestAuditConfig{
|
||||||
Level: auditinternal.LevelMetadata,
|
Level: auditinternal.LevelMetadata,
|
||||||
RequestAuditConfig: audit.RequestAuditConfig{},
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
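Review bot: In the fakeAudit EvaluatePolicyRule the `attrs` parameter is unused; for consistency with fakePolicyRuleEvaluator, which already names its unused parameter `_`, change the signature to `func (a *fakeAudit) EvaluatePolicyRule(_ authorizer.Attributes) audit.RequestAuditConfig {`. The returned struct now sets only Level, which is fine for a fake but means OmitStages is nil rather than an explicit empty slice as before.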
@ -50,14 +50,14 @@ func TestWebhookLoopback(t *testing.T) {
|
|||||||
|
|
||||||
// Hook into audit to watch requests
|
// Hook into audit to watch requests
|
||||||
config.GenericConfig.AuditBackend = auditSinkFunc(func(events ...*auditinternal.Event) {})
|
config.GenericConfig.AuditBackend = auditSinkFunc(func(events ...*auditinternal.Event) {})
|
||||||
config.GenericConfig.AuditPolicyRuleEvaluator = auditPolicyRuleEvaluator(func(attrs authorizer.Attributes) audit.RequestAuditConfigWithLevel {
|
config.GenericConfig.AuditPolicyRuleEvaluator = auditPolicyRuleEvaluator(func(attrs authorizer.Attributes) audit.RequestAuditConfig {
|
||||||
if attrs.GetPath() == webhookPath {
|
if attrs.GetPath() == webhookPath {
|
||||||
if attrs.GetUser().GetName() != "system:apiserver" {
|
if attrs.GetUser().GetName() != "system:apiserver" {
|
||||||
t.Errorf("expected user %q, got %q", "system:apiserver", attrs.GetUser().GetName())
|
t.Errorf("expected user %q, got %q", "system:apiserver", attrs.GetUser().GetName())
|
||||||
}
|
}
|
||||||
atomic.AddInt32(&called, 1)
|
atomic.AddInt32(&called, 1)
|
||||||
}
|
}
|
||||||
return audit.RequestAuditConfigWithLevel{
|
return audit.RequestAuditConfig{
|
||||||
Level: auditinternal.LevelNone,
|
Level: auditinternal.LevelNone,
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
@ -107,9 +107,9 @@ func TestWebhookLoopback(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
type auditPolicyRuleEvaluator func(authorizer.Attributes) audit.RequestAuditConfigWithLevel
|
type auditPolicyRuleEvaluator func(authorizer.Attributes) audit.RequestAuditConfig
|
||||||
|
|
||||||
func (f auditPolicyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) audit.RequestAuditConfigWithLevel {
|
func (f auditPolicyRuleEvaluator) EvaluatePolicyRule(attrs authorizer.Attributes) audit.RequestAuditConfig {
|
||||||
return f(attrs)
|
return f(attrs)
|
||||||
}
|
}
|
||||||
|
|
||||||
|