Update audit API with missing pieces

This commit is contained in:
Tim St. Clair 2017-05-18 17:14:03 -07:00
parent 8e07e61a43
commit 4c98cab4db
No known key found for this signature in database
GPG Key ID: 434D16BCEF479EAB
2 changed files with 63 additions and 5 deletions


@ -22,6 +22,14 @@ import (
"k8s.io/apimachinery/pkg/types"
)
// Header keys used by the audit system.
const (
// Header to hold the audit ID as the request is propagated through the serving hierarchy. The
// Audit-ID header should be set by the first server to receive the request (e.g. the federation
// server or kube-aggregator).
HeaderAuditID = "Audit-ID"
)
// Level defines the amount of information logged during auditing
type Level string
@ -39,6 +47,22 @@ const (
LevelRequestResponse Level = "RequestResponse"
)
// Stage defines the stages in request handling that audit events may be generated.
type Stage string
// Valid audit stages.
const (
// The stage for events generated as soon as the audit handler receives the request, and before it
// is delegated down the handler chain.
StageRequestReceived = "RequestReceived"
// The stage for events generated once the response headers are sent, but before the response body
// is sent. This stage is only generated for long-running requests (e.g. watch).
StageResponseStarted = "ResponseStarted"
// The stage for events generated once the response body has been completed, and no more bytes
// will be sent.
StageResponseComplete = "ResponseComplete"
)
// Event captures all the information that can be included in an API audit log.
type Event struct {
metav1.TypeMeta
@ -53,6 +77,9 @@ type Event struct {
Timestamp metav1.Time
// Unique audit ID, generated for each request.
AuditID types.UID
// Stage of the request handling when this event instance was generated.
Stage Stage
// RequestURI is the request URI as sent by the client to a server.
RequestURI string
// Verb is the kubernetes verb associated with the request.
@ -81,12 +108,12 @@ type Event struct {
// merging. It is an external versioned object type, and may not be a valid object on its own.
// Omitted for non-resource requests. Only logged at Request Level and higher.
// +optional
RequestObject runtime.Unknown
RequestObject *runtime.Unknown
// API object returned in the response, in JSON. The ResponseObject is recorded after conversion
// to the external type, and serialized as JSON. Omitted for non-resource requests. Only logged
// at Response Level.
// +optional
ResponseObject runtime.Unknown
ResponseObject *runtime.Unknown
}
// EventList is a list of audit Events.
@ -191,6 +218,8 @@ type ObjectReference struct {
APIVersion string
// +optional
ResourceVersion string
// +optional
Subresource string
}
// UserInfo holds the information about the user needed to implement the


@ -23,6 +23,14 @@ import (
authnv1 "k8s.io/client-go/pkg/apis/authentication/v1"
)
// Header keys used by the audit system.
const (
// Header to hold the audit ID as the request is propagated through the serving hierarchy. The
// Audit-ID header should be set by the first server to receive the request (e.g. the federation
// server or kube-aggregator).
HeaderAuditID = "Audit-ID"
)
// Level defines the amount of information logged during auditing
type Level string
@ -40,6 +48,22 @@ const (
LevelRequestResponse Level = "RequestResponse"
)
// Stage defines the stages in request handling that audit events may be generated.
type Stage string
// Valid audit stages.
const (
// The stage for events generated as soon as the audit handler receives the request, and before it
// is delegated down the handler chain.
StageRequestReceived = "RequestReceived"
// The stage for events generated once the response headers are sent, but before the response body
// is sent. This stage is only generated for long-running requests (e.g. watch).
StageResponseStarted = "ResponseStarted"
// The stage for events generated once the response body has been completed, and no more bytes
// will be sent.
StageResponseComplete = "ResponseComplete"
)
// Event captures all the information that can be included in an API audit log.
type Event struct {
metav1.TypeMeta `json:",inline"`
@ -53,7 +77,10 @@ type Event struct {
// Time the request reached the apiserver.
Timestamp metav1.Time `json:"timestamp"`
// Unique audit ID, generated for each request.
AuditID types.UID `json:"auditID,omitempty"`
AuditID types.UID `json:"auditID"`
// Stage of the request handling when this event instance was generated.
Stage Stage `json:"stage"`
// RequestURI is the request URI as sent by the client to a server.
RequestURI string `json:"requestURI"`
// Verb is the kubernetes verb associated with the request.
@ -82,12 +109,12 @@ type Event struct {
// merging. It is an external versioned object type, and may not be a valid object on its own.
// Omitted for non-resource requests. Only logged at Request Level and higher.
// +optional
RequestObject runtime.RawExtension `json:"requestObject,omitempty"`
RequestObject *runtime.Unknown `json:"requestObject,omitempty"`
// API object returned in the response, in JSON. The ResponseObject is recorded after conversion
// to the external type, and serialized as JSON. Omitted for non-resource requests. Only logged
// at Response Level.
// +optional
ResponseObject runtime.RawExtension `json:"responseObject,omitempty"`
ResponseObject *runtime.Unknown `json:"responseObject,omitempty"`
}
// EventList is a list of audit Events.
@ -192,4 +219,6 @@ type ObjectReference struct {
APIVersion string `json:"apiVersion,omitempty"`
// +optional
ResourceVersion string `json:"resourceVersion,omitempty"`
// +optional
Subresource string `json:"subresource,omitempty"`
}
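Review bot: The `HeaderAuditID` doc comment says the `Audit-ID` header should be set by the first server to receive the request, but it does not say what a server must do with an `Audit-ID` that arrives from an external client, which is the security-relevant case: a caller-supplied value could be chosen to collide with or impersonate another request's audit trail. I would extend the comment with `// An Audit-ID received from an untrusted client must not be used as-is; the front-most server should replace it with a freshly generated ID so that callers cannot forge or collide audit IDs.` Whether the handler that consumes this header already enforces that cannot be told from this hunk. The `Event` struct modified by the later hunks begins and ends outside the visible section.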