Update audit API with missing pieces

staging/src/k8s.io/apiserver/pkg/apis/audit/types.go

@@ -22,6 +22,14 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 )
 
+// Header keys used by the audit system.
+const (
+	// Header to hold the audit ID as the request is propagated through the serving hierarchy. The
+	// Audit-ID header should be set by the first server to receive the request (e.g. the federation
+	// server or kube-aggregator).
+	HeaderAuditID = "Audit-ID"
+)
+
 // Level defines the amount of information logged during auditing
 type Level string
 
@@ -39,6 +47,22 @@ const (
 	LevelRequestResponse Level = "RequestResponse"
 )
 
+// Stage defines the stages in request handling that audit events may be generated.
+type Stage string
+
+// Valid audit stages.
+const (
+	// The stage for events generated as soon as the audit handler receives the request, and before it
+	// is delegated down the handler chain.
+	StageRequestReceived = "RequestReceived"
+	// The stage for events generated once the response headers are sent, but before the response body
+	// is sent. This stage is only generated for long-running requests (e.g. watch).
+	StageResponseStarted = "ResponseStarted"
+	// The stage for events generated once the response body has been completed, and no more bytes
+	// will be sent.
+	StageResponseComplete = "ResponseComplete"
+)
+
 // Event captures all the information that can be included in an API audit log.
 type Event struct {
 	metav1.TypeMeta
@@ -53,6 +77,9 @@ type Event struct {
 	Timestamp metav1.Time
 	// Unique audit ID, generated for each request.
 	AuditID types.UID
+	// Stage of the request handling when this event instance was generated.
+	Stage Stage
+
 	// RequestURI is the request URI as sent by the client to a server.
 	RequestURI string
 	// Verb is the kubernetes verb associated with the request.
@@ -81,12 +108,12 @@ type Event struct {
 	// merging. It is an external versioned object type, and may not be a valid object on its own.
 	// Omitted for non-resource requests.  Only logged at Request Level and higher.
 	// +optional
-	RequestObject runtime.Unknown
+	RequestObject *runtime.Unknown
 	// API object returned in the response, in JSON. The ResponseObject is recorded after conversion
 	// to the external type, and serialized as JSON.  Omitted for non-resource requests.  Only logged
 	// at Response Level.
 	// +optional
-	ResponseObject runtime.Unknown
+	ResponseObject *runtime.Unknown
 }
 
 // EventList is a list of audit Events.
@@ -191,6 +218,8 @@ type ObjectReference struct {
 	APIVersion string
 	// +optional
 	ResourceVersion string
+	// +optional
+	Subresource string
 }
 
 // UserInfo holds the information about the user needed to implement the

staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go

@@ -23,6 +23,14 @@ import (
 	authnv1 "k8s.io/client-go/pkg/apis/authentication/v1"
 )
 
+// Header keys used by the audit system.
+const (
+	// Header to hold the audit ID as the request is propagated through the serving hierarchy. The
+	// Audit-ID header should be set by the first server to receive the request (e.g. the federation
+	// server or kube-aggregator).
+	HeaderAuditID = "Audit-ID"
+)
+
 // Level defines the amount of information logged during auditing
 type Level string
 
@@ -40,6 +48,22 @@ const (
 	LevelRequestResponse Level = "RequestResponse"
 )
 
+// Stage defines the stages in request handling that audit events may be generated.
+type Stage string
+
+// Valid audit stages.
+const (
+	// The stage for events generated as soon as the audit handler receives the request, and before it
+	// is delegated down the handler chain.
+	StageRequestReceived = "RequestReceived"
+	// The stage for events generated once the response headers are sent, but before the response body
+	// is sent. This stage is only generated for long-running requests (e.g. watch).
+	StageResponseStarted = "ResponseStarted"
+	// The stage for events generated once the response body has been completed, and no more bytes
+	// will be sent.
+	StageResponseComplete = "ResponseComplete"
+)
+
 // Event captures all the information that can be included in an API audit log.
 type Event struct {
 	metav1.TypeMeta `json:",inline"`
@@ -53,7 +77,10 @@ type Event struct {
 	// Time the request reached the apiserver.
 	Timestamp metav1.Time `json:"timestamp"`
 	// Unique audit ID, generated for each request.
-	AuditID types.UID `json:"auditID,omitempty"`
+	AuditID types.UID `json:"auditID"`
+	// Stage of the request handling when this event instance was generated.
+	Stage Stage `json:"stage"`
+
 	// RequestURI is the request URI as sent by the client to a server.
 	RequestURI string `json:"requestURI"`
 	// Verb is the kubernetes verb associated with the request.
@@ -82,12 +109,12 @@ type Event struct {
 	// merging. It is an external versioned object type, and may not be a valid object on its own.
 	// Omitted for non-resource requests.  Only logged at Request Level and higher.
 	// +optional
-	RequestObject runtime.RawExtension `json:"requestObject,omitempty"`
+	RequestObject *runtime.Unknown `json:"requestObject,omitempty"`
 	// API object returned in the response, in JSON. The ResponseObject is recorded after conversion
 	// to the external type, and serialized as JSON.  Omitted for non-resource requests.  Only logged
 	// at Response Level.
 	// +optional
-	ResponseObject runtime.RawExtension `json:"responseObject,omitempty"`
+	ResponseObject *runtime.Unknown `json:"responseObject,omitempty"`
 }
 
 // EventList is a list of audit Events.
@@ -192,4 +219,6 @@ type ObjectReference struct {
 	APIVersion string `json:"apiVersion,omitempty"`
 	// +optional
 	ResourceVersion string `json:"resourceVersion,omitempty"`
+	// +optional
+	Subresource string `json:"subresource,omitempty"`
 }