From 329f7d55d1344f728e28ce49728234f9f8f4c5d3 Mon Sep 17 00:00:00 2001
From: njuptlzf
Date: Mon, 17 May 2021 02:31:08 +0800
Subject: [PATCH] Fix auditing failed of request: encoding failed
---
staging/src/k8s.io/apiserver/pkg/audit/request.go | 4 ++--
.../k8s.io/apiserver/pkg/endpoints/handlers/create.go | 3 ++-
.../k8s.io/apiserver/pkg/endpoints/handlers/delete.go | 11 +++++++----
.../k8s.io/apiserver/pkg/endpoints/handlers/update.go | 3 ++-
4 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/staging/src/k8s.io/apiserver/pkg/audit/request.go b/staging/src/k8s.io/apiserver/pkg/audit/request.go
index 960ec93211f..593df6f9575 100644
--- a/staging/src/k8s.io/apiserver/pkg/audit/request.go
+++ b/staging/src/k8s.io/apiserver/pkg/audit/request.go
@@ -111,7 +111,7 @@ func LogImpersonatedUser(ae *auditinternal.Event, user user.Info) {
// LogRequestObject fills in the request object into an audit event. The passed runtime.Object
// will be converted to the given gv.
-func LogRequestObject(ae *auditinternal.Event, obj runtime.Object, gvr schema.GroupVersionResource, subresource string, s runtime.NegotiatedSerializer) {
+func LogRequestObject(ae *auditinternal.Event, obj runtime.Object, objectGV schema.GroupVersion, gvr schema.GroupVersionResource, subresource string, s runtime.NegotiatedSerializer) {
if ae == nil || ae.Level.Less(auditinternal.LevelMetadata) {
return
}
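Review bot: The doc comment on LogRequestObject still says the object "will be converted to the given gv", but the signature now carries both `objectGV` and `gvr`, and the comment does not say which one drives the encoding. I would reword the second line to `// will be encoded using objectGV, the group/version the request body was decoded from, not gvr.` so callers do not pass `gvr.GroupVersion()` again out of habit. This is an exported function in a staging package, so inserting a positional parameter will presumably break any out-of-tree caller at compile time; that is worth stating in the commit description. The function body continues outside this hunk.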
@@ -153,7 +153,7 @@ func LogRequestObject(ae *auditinternal.Event, obj runtime.Object, gvr schema.Gr
// TODO(audit): hook into the serializer to avoid double conversion
var err error
- ae.RequestObject, err = encodeObject(obj, gvr.GroupVersion(), s)
+ ae.RequestObject, err = encodeObject(obj, objectGV, s)
if err != nil {
// TODO(audit): add error slice to audit event struct
klog.Warningf("Auditing failed of %v request: %v", reflect.TypeOf(obj).Name(), err)
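Review bot: The warning on the encode-failure path does not record which version failed to encode, and `reflect.TypeOf(obj).Name()` returns an empty string when `obj` is a pointer, which a `runtime.Object` usually is. Now that `objectGV` can differ from `gvr.GroupVersion()`, an audit event that ends up without its request object is hard to trace back from this log line. I would change it to `klog.Warningf("Auditing failed of %T request (objectGV %v): %v", obj, objectGV, err)`. What happens to the event after the warning is outside this hunk, so I cannot tell whether the gap is otherwise marked in the audit record.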
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/create.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/create.go
index d6f8025e39a..9ec83700107 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/create.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/create.go
@@ -141,7 +141,8 @@ func createHandler(r rest.NamedCreater, scope *RequestScope, admit admission.Int
ae := request.AuditEventFrom(ctx)
admit = admission.WithAudit(admit, ae)
- audit.LogRequestObject(ae, obj, scope.Resource, scope.Subresource, scope.Serializer)
+ objGV := schema.GroupVersion{Group: gvk.Group, Version: gvk.Version}
+ audit.LogRequestObject(ae, obj, objGV, scope.Resource, scope.Subresource, scope.Serializer)
userInfo, _ := request.UserFrom(ctx)
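Review bot: The hand-built `schema.GroupVersion{Group: gvk.Group, Version: gvk.Version}` duplicates the `GroupVersion()` accessor that this same patch already calls on `defaultGVK` in delete.go; `objGV := gvk.GroupVersion()` (or passing `gvk.GroupVersion()` directly as the argument) is shorter and cannot drift if the struct gains fields. The same line is repeated in both delete.go hunks and in the update.go hunk. It also avoids depending on the `schema` package in these files; the diff adds no import lines, so that import is presumably already present, but it is not visible here. The declaration of `gvk` and any nil check on it are outside this hunk.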
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete.go
index c1a1fc987ee..c10eee09c6d 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete.go
@@ -92,7 +92,7 @@ func DeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope *RequestSc
// For backwards compatibility, we need to allow existing clients to submit per group DeleteOptions
// It is also allowed to pass a body with meta.k8s.io/v1.DeleteOptions
defaultGVK := scope.MetaGroupVersion.WithKind("DeleteOptions")
- obj, _, err := metainternalversionscheme.Codecs.DecoderToVersion(s.Serializer, defaultGVK.GroupVersion()).Decode(body, &defaultGVK, options)
+ obj, gvk, err := metainternalversionscheme.Codecs.DecoderToVersion(s.Serializer, defaultGVK.GroupVersion()).Decode(body, &defaultGVK, options)
if err != nil {
scope.err(err, w, req)
return
@@ -104,7 +104,8 @@ func DeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope *RequestSc
trace.Step("Decoded delete options")
ae := request.AuditEventFrom(ctx)
- audit.LogRequestObject(ae, obj, scope.Resource, scope.Subresource, scope.Serializer)
+ objGV := schema.GroupVersion{Group: gvk.Group, Version: gvk.Version}
+ audit.LogRequestObject(ae, obj, objGV, scope.Resource, scope.Subresource, scope.Serializer)
trace.Step("Recorded the audit event")
} else {
if err := metainternalversionscheme.ParameterCodec.DecodeParameters(req.URL.Query(), scope.MetaGroupVersion, options); err != nil {
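Review bot: `objGV` here comes from the `gvk` returned by decoding the client-supplied DeleteOptions body, so the version the audit encoder targets is now chosen by the request, and the diffstat lists no test file covering that path. I would add a handler test that sends DeleteOptions once in `meta.k8s.io/v1` and once in the resource's own group/version and asserts that `ae.RequestObject` is populated in both cases, since a silent encode failure here means a delete request is audited without its body. The same applies to the DeleteCollection hunk below. The lines between the Decode call and this block are outside the hunk, so I cannot see whether `gvk` is checked before it is dereferenced.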
@@ -144,6 +145,7 @@ func DeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope *RequestSc
// Other cases where resource is not instantly deleted are: namespace deletion
// and pod graceful deletion.
//lint:ignore SA1019 backwards compatibility
+ //nolint: staticcheck
if !wasDeleted && options.OrphanDependents != nil && !*options.OrphanDependents {
status = http.StatusAccepted
}
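Review bot: The added `//nolint: staticcheck` silences every staticcheck finding on the `if` line, not just the SA1019 deprecation that the existing `//lint:ignore` above it already names, and it carries no reason. I would narrow and explain it on one line, `//nolint:staticcheck // SA1019: OrphanDependents kept for backwards compatibility`, so a later unrelated finding on this condition is not hidden by accident. This change is also unrelated to the audit fix in the subject and would read better as its own commit.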
@@ -238,7 +240,7 @@ func DeleteCollection(r rest.CollectionDeleter, checkBody bool, scope *RequestSc
// For backwards compatibility, we need to allow existing clients to submit per group DeleteOptions
// It is also allowed to pass a body with meta.k8s.io/v1.DeleteOptions
defaultGVK := scope.Kind.GroupVersion().WithKind("DeleteOptions")
- obj, _, err := scope.Serializer.DecoderToVersion(s.Serializer, defaultGVK.GroupVersion()).Decode(body, &defaultGVK, options)
+ obj, gvk, err := scope.Serializer.DecoderToVersion(s.Serializer, defaultGVK.GroupVersion()).Decode(body, &defaultGVK, options)
if err != nil {
scope.err(err, w, req)
return
@@ -249,7 +251,8 @@ func DeleteCollection(r rest.CollectionDeleter, checkBody bool, scope *RequestSc
}
ae := request.AuditEventFrom(ctx)
- audit.LogRequestObject(ae, obj, scope.Resource, scope.Subresource, scope.Serializer)
+ objGV := schema.GroupVersion{Group: gvk.Group, Version: gvk.Version}
+ audit.LogRequestObject(ae, obj, objGV, scope.Resource, scope.Subresource, scope.Serializer)
} else {
if err := metainternalversionscheme.ParameterCodec.DecodeParameters(req.URL.Query(), scope.MetaGroupVersion, options); err != nil {
err = errors.NewBadRequest(err.Error())
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/update.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/update.go
index ceae03eee39..fa570c95ed5 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/update.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/update.go
@@ -118,7 +118,8 @@ func UpdateResource(r rest.Updater, scope *RequestScope, admit admission.Interfa
trace.Step("Conversion done")
ae := request.AuditEventFrom(ctx)
- audit.LogRequestObject(ae, obj, scope.Resource, scope.Subresource, scope.Serializer)
+ objGV := schema.GroupVersion{Group: gvk.Group, Version: gvk.Version}
+ audit.LogRequestObject(ae, obj, objGV, scope.Resource, scope.Subresource, scope.Serializer)
admit = admission.WithAudit(admit, ae)
if err := checkName(obj, name, namespace, scope.Namer); err != nil {