Merge pull request #60056 from crassirostris/audit-version-switch
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Make audit output version configurable. This is a re-make of https://github.com/kubernetes/kubernetes/pull/51786, taken over from @soltysh Copying from the previous PR: This is followup to https://github.com/kubernetes/kubernetes/pull/51719 to start the discussion how we want to solve the problem of users picking which version is being served them. We need to have an option for log and webhook, separately. Probably, for webhook backend with multiple destinations we'd like to send different version to each. This approach adds two flags (only the second commit matters), one for log and another for webhook (unfortunately global one). I've looked into kubeconfig types and although there are options to specify group and version they are meant for removal. @liggitt had some thoughts maybe he could share the ideas and we can pick it up here. @ericchiang @CaoShuFeng @sttts opinions, thoughts are more than welcome ```release-note Add apiserver configuration option to choose audit output version. ```
This commit is contained in:
commit
52ed0368f8
@ -61,6 +61,7 @@ func TestAddFlags(t *testing.T) {
|
||||
"--audit-log-batch-throttle-enable=true",
|
||||
"--audit-log-batch-throttle-qps=49.5",
|
||||
"--audit-log-batch-throttle-burst=50",
|
||||
"--audit-log-version=audit.k8s.io/v1alpha1",
|
||||
"--audit-policy-file=/policy",
|
||||
"--audit-webhook-config-file=/webhook-config",
|
||||
"--audit-webhook-mode=blocking",
|
||||
@ -71,6 +72,7 @@ func TestAddFlags(t *testing.T) {
|
||||
"--audit-webhook-batch-throttle-qps=43.5",
|
||||
"--audit-webhook-batch-throttle-burst=44",
|
||||
"--audit-webhook-initial-backoff=2s",
|
||||
"--audit-webhook-version=audit.k8s.io/v1alpha1",
|
||||
"--authentication-token-webhook-cache-ttl=3m",
|
||||
"--authentication-token-webhook-config-file=/token-webhook-config",
|
||||
"--authorization-mode=AlwaysDeny",
|
||||
@ -199,6 +201,7 @@ func TestAddFlags(t *testing.T) {
|
||||
ThrottleBurst: 50,
|
||||
},
|
||||
},
|
||||
GroupVersionString: "audit.k8s.io/v1alpha1",
|
||||
},
|
||||
WebhookOptions: apiserveroptions.AuditWebhookOptions{
|
||||
ConfigFile: "/webhook-config",
|
||||
@ -213,7 +216,8 @@ func TestAddFlags(t *testing.T) {
|
||||
ThrottleBurst: 44,
|
||||
},
|
||||
},
|
||||
InitialBackoff: 2 * time.Second,
|
||||
InitialBackoff: 2 * time.Second,
|
||||
GroupVersionString: "audit.k8s.io/v1alpha1",
|
||||
},
|
||||
PolicyFile: "/policy",
|
||||
},
|
||||
|
@ -39,6 +39,7 @@ go_library(
|
||||
"//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/apis/apiserver:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/apis/audit/v1alpha1:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/apis/audit/v1beta1:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/audit:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/audit/policy:go_default_library",
|
||||
|
@ -27,6 +27,8 @@ import (
|
||||
"github.com/spf13/pflag"
|
||||
"gopkg.in/natefinch/lumberjack.v2"
|
||||
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
auditv1alpha1 "k8s.io/apiserver/pkg/apis/audit/v1alpha1"
|
||||
auditv1beta1 "k8s.io/apiserver/pkg/apis/audit/v1beta1"
|
||||
"k8s.io/apiserver/pkg/audit"
|
||||
"k8s.io/apiserver/pkg/audit/policy"
|
||||
@ -98,6 +100,9 @@ type AuditLogOptions struct {
|
||||
Format string
|
||||
|
||||
BatchOptions AuditBatchOptions
|
||||
|
||||
// API group version used for serializing audit events.
|
||||
GroupVersionString string
|
||||
}
|
||||
|
||||
// AuditWebhookOptions control the webhook configuration for audit events.
|
||||
@ -106,6 +111,9 @@ type AuditWebhookOptions struct {
|
||||
InitialBackoff time.Duration
|
||||
|
||||
BatchOptions AuditBatchOptions
|
||||
|
||||
// API group version used for serializing audit events.
|
||||
GroupVersionString string
|
||||
}
|
||||
|
||||
func NewAuditOptions() *AuditOptions {
|
||||
@ -118,7 +126,8 @@ func NewAuditOptions() *AuditOptions {
|
||||
Mode: ModeBatch,
|
||||
BatchConfig: pluginbuffered.NewDefaultBatchConfig(),
|
||||
},
|
||||
InitialBackoff: pluginwebhook.DefaultInitialBackoff,
|
||||
InitialBackoff: pluginwebhook.DefaultInitialBackoff,
|
||||
GroupVersionString: "audit.k8s.io/v1beta1",
|
||||
},
|
||||
LogOptions: AuditLogOptions{
|
||||
Format: pluginlog.FormatJson,
|
||||
@ -126,6 +135,7 @@ func NewAuditOptions() *AuditOptions {
|
||||
Mode: ModeBlocking,
|
||||
BatchConfig: defaultLogBatchConfig,
|
||||
},
|
||||
GroupVersionString: "audit.k8s.io/v1beta1",
|
||||
},
|
||||
}
|
||||
}
|
||||
@ -186,6 +196,31 @@ func validateBackendBatchOptions(pluginName string, options AuditBatchOptions) e
|
||||
return nil
|
||||
}
|
||||
|
||||
var knownGroupVersions = []schema.GroupVersion{
|
||||
auditv1alpha1.SchemeGroupVersion,
|
||||
auditv1beta1.SchemeGroupVersion,
|
||||
}
|
||||
|
||||
func validateGroupVersionString(groupVersion string) error {
|
||||
gv, err := schema.ParseGroupVersion(groupVersion)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !knownGroupVersion(gv) {
|
||||
return fmt.Errorf("invalid group version, allowed versions are %q", knownGroupVersions)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func knownGroupVersion(gv schema.GroupVersion) bool {
|
||||
for _, knownGv := range knownGroupVersions {
|
||||
if gv == knownGv {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func (o *AuditOptions) AddFlags(fs *pflag.FlagSet) {
|
||||
if o == nil {
|
||||
return
|
||||
@ -287,6 +322,8 @@ func (o *AuditLogOptions) AddFlags(fs *pflag.FlagSet) {
|
||||
"Format of saved audits. \"legacy\" indicates 1-line text format for each event."+
|
||||
" \"json\" indicates structured json format. Requires the 'AdvancedAuditing' feature"+
|
||||
" gate. Known formats are "+strings.Join(pluginlog.AllowedFormats, ",")+".")
|
||||
fs.StringVar(&o.GroupVersionString, "audit-log-version", o.GroupVersionString,
|
||||
"API group and version used for serializing audit events written to log.")
|
||||
}
|
||||
|
||||
func (o *AuditLogOptions) Validate() []error {
|
||||
@ -301,6 +338,10 @@ func (o *AuditLogOptions) Validate() []error {
|
||||
allErrors = append(allErrors, err)
|
||||
}
|
||||
|
||||
if err := validateGroupVersionString(o.GroupVersionString); err != nil {
|
||||
allErrors = append(allErrors, err)
|
||||
}
|
||||
|
||||
// Check log format
|
||||
validFormat := false
|
||||
for _, f := range pluginlog.AllowedFormats {
|
||||
@ -352,7 +393,8 @@ func (o *AuditLogOptions) getWriter() io.Writer {
|
||||
|
||||
func (o *AuditLogOptions) advancedApplyTo(c *server.Config) error {
|
||||
if w := o.getWriter(); w != nil {
|
||||
log := pluginlog.NewBackend(w, o.Format, auditv1beta1.SchemeGroupVersion)
|
||||
groupVersion, _ := schema.ParseGroupVersion(o.GroupVersionString)
|
||||
log := pluginlog.NewBackend(w, o.Format, groupVersion)
|
||||
c.AuditBackend = appendBackend(c.AuditBackend, o.BatchOptions.wrapBackend(log))
|
||||
}
|
||||
return nil
|
||||
@ -373,6 +415,8 @@ func (o *AuditWebhookOptions) AddFlags(fs *pflag.FlagSet) {
|
||||
o.InitialBackoff, "The amount of time to wait before retrying the first failed request.")
|
||||
fs.MarkDeprecated("audit-webhook-batch-initial-backoff",
|
||||
"Deprecated, use --audit-webhook-initial-backoff instead.")
|
||||
fs.StringVar(&o.GroupVersionString, "audit-webhook-version", o.GroupVersionString,
|
||||
"API group and version used for serializing audit events written to webhook.")
|
||||
}
|
||||
|
||||
func (o *AuditWebhookOptions) Validate() []error {
|
||||
@ -385,6 +429,10 @@ func (o *AuditWebhookOptions) Validate() []error {
|
||||
if err := validateBackendBatchOptions(pluginwebhook.PluginName, o.BatchOptions); err != nil {
|
||||
allErrors = append(allErrors, err)
|
||||
}
|
||||
|
||||
if err := validateGroupVersionString(o.GroupVersionString); err != nil {
|
||||
allErrors = append(allErrors, err)
|
||||
}
|
||||
}
|
||||
return allErrors
|
||||
}
|
||||
@ -398,7 +446,8 @@ func (o *AuditWebhookOptions) applyTo(c *server.Config) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
webhook, err := pluginwebhook.NewBackend(o.ConfigFile, auditv1beta1.SchemeGroupVersion, o.InitialBackoff)
|
||||
groupVersion, _ := schema.ParseGroupVersion(o.GroupVersionString)
|
||||
webhook, err := pluginwebhook.NewBackend(o.ConfigFile, groupVersion, o.InitialBackoff)
|
||||
if err != nil {
|
||||
return fmt.Errorf("initializing audit webhook: %v", err)
|
||||
}
|
||||
|
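Review bot: `groupVersion, _ := schema.ParseGroupVersion(o.GroupVersionString)` in advancedApplyTo (hunk @ -352) and again in applyTo (hunk @ -398) discards the parse error, so if either is reached without Validate() having run first, a malformed version string silently proceeds with whatever partial GroupVersion the parser returned and the audit backend is built with it — for the audit pipeline that is a quiet misconfiguration rather than a startup error. Propagating the error costs two lines in each place: `groupVersion, err := schema.ParseGroupVersion(o.GroupVersionString)` followed by `if err != nil { return fmt.Errorf("parsing audit log version %q: %v", o.GroupVersionString, err) }` (with "webhook" in the applyTo variant); if the Validate-first precondition is intended instead, a `// already checked in Validate()` comment next to the blank identifier would at least record it. Separately, the rejection in validateGroupVersionString (hunk @ -186) names the allowed versions but not the value that was rejected, and the same message is emitted for both --audit-log-version and --audit-webhook-version; including the input, `return fmt.Errorf("invalid group version %q, allowed versions are %q", groupVersion, knownGroupVersions)`, would make the startup error actionable. Both advancedApplyTo and applyTo continue outside their hunks.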