diff --git a/pkg/apis/imagepolicy/types.go b/pkg/apis/imagepolicy/types.go index a0523343b43..834ce02edbd 100644 --- a/pkg/apis/imagepolicy/types.go +++ b/pkg/apis/imagepolicy/types.go @@ -56,7 +56,7 @@ type ImageReviewContainerSpec struct { // In future, we may add command line overrides, exec health check command lines, and so on. } -// ImageReviewStatus is the result of the token authentication request. +// ImageReviewStatus is the result of the review for the pod creation request. type ImageReviewStatus struct { // Allowed indicates that all images were allowed to be run. Allowed bool @@ -64,4 +64,9 @@ type ImageReviewStatus struct { // may contain a short description of what is wrong. Kubernetes // may truncate excessively long errors when displaying to the user. Reason string + // AuditAnnotations will be added to the attributes object of the + // admission controller request using 'AddAnnotation'. The keys should + // be prefix-less (i.e., the admission controller will add an + // appropriate prefix). + AuditAnnotations map[string]string } diff --git a/pkg/apis/imagepolicy/v1alpha1/zz_generated.conversion.go b/pkg/apis/imagepolicy/v1alpha1/zz_generated.conversion.go index f0795ec3bb4..4e01b334b71 100644 --- a/pkg/apis/imagepolicy/v1alpha1/zz_generated.conversion.go +++ b/pkg/apis/imagepolicy/v1alpha1/zz_generated.conversion.go @@ -158,6 +158,7 @@ func Convert_imagepolicy_ImageReviewSpec_To_v1alpha1_ImageReviewSpec(in *imagepo func autoConvert_v1alpha1_ImageReviewStatus_To_imagepolicy_ImageReviewStatus(in *v1alpha1.ImageReviewStatus, out *imagepolicy.ImageReviewStatus, s conversion.Scope) error { out.Allowed = in.Allowed out.Reason = in.Reason + out.AuditAnnotations = *(*map[string]string)(unsafe.Pointer(&in.AuditAnnotations)) return nil } @@ -169,6 +170,7 @@ func Convert_v1alpha1_ImageReviewStatus_To_imagepolicy_ImageReviewStatus(in *v1a func autoConvert_imagepolicy_ImageReviewStatus_To_v1alpha1_ImageReviewStatus(in *imagepolicy.ImageReviewStatus, out *v1alpha1.ImageReviewStatus, s conversion.Scope) error { out.Allowed = in.Allowed out.Reason = in.Reason + out.AuditAnnotations = *(*map[string]string)(unsafe.Pointer(&in.AuditAnnotations)) return nil } diff --git a/pkg/apis/imagepolicy/zz_generated.deepcopy.go b/pkg/apis/imagepolicy/zz_generated.deepcopy.go index bd69648e498..4ba16c9e121 100644 --- a/pkg/apis/imagepolicy/zz_generated.deepcopy.go +++ b/pkg/apis/imagepolicy/zz_generated.deepcopy.go @@ -30,7 +30,7 @@ func (in *ImageReview) DeepCopyInto(out *ImageReview) { out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status + in.Status.DeepCopyInto(&out.Status) return } @@ -99,6 +99,13 @@ func (in *ImageReviewSpec) DeepCopy() *ImageReviewSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageReviewStatus) DeepCopyInto(out *ImageReviewStatus) { *out = *in + if in.AuditAnnotations != nil { + in, out := &in.AuditAnnotations, &out.AuditAnnotations + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } return } diff --git a/plugin/pkg/admission/imagepolicy/admission.go b/plugin/pkg/admission/imagepolicy/admission.go index 76b53c8bb57..e37d272bfa1 100644 --- a/plugin/pkg/admission/imagepolicy/admission.go +++ b/plugin/pkg/admission/imagepolicy/admission.go @@ -46,6 +46,21 @@ import ( // PluginName indicates name of admission plugin. const PluginName = "ImagePolicyWebhook" +// AuditKeyPrefix is used as the prefix for all audit keys handled by this +// pluggin. Some well known suffixes are listed below. +var AuditKeyPrefix = strings.ToLower(PluginName) + ".image-policy.k8s.io/" + +const ( + // ImagePolicyFailedOpenKeySuffix in an annotation indicates the image + // review failed open when the image policy webhook backend connection + // failed. + ImagePolicyFailedOpenKeySuffix string = "failed-open" + + // ImagePolicyAuditRequiredKeySuffix in an annotation indicates the pod + // should be audited. + ImagePolicyAuditRequiredKeySuffix string = "audit-required" +) + var ( groupVersions = []schema.GroupVersion{v1alpha1.SchemeGroupVersion} ) @@ -97,12 +112,15 @@ func (a *Plugin) webhookError(pod *api.Pod, attributes admission.Attributes, err if err != nil { glog.V(2).Infof("error contacting webhook backend: %s", err) if a.defaultAllow { + attributes.AddAnnotation(AuditKeyPrefix+ImagePolicyFailedOpenKeySuffix, "true") + // TODO(wteiken): Remove the annotation code for the 1.13 release annotations := pod.GetAnnotations() if annotations == nil { annotations = make(map[string]string) } annotations[api.ImagePolicyFailedOpenKey] = "true" pod.ObjectMeta.SetAnnotations(annotations) + glog.V(2).Infof("resource allowed in spite of webhook backend failure") return nil } @@ -174,13 +192,17 @@ func (a *Plugin) admitPod(pod *api.Pod, attributes admission.Attributes, review a.responseCache.Add(string(cacheKey), review.Status, a.statusTTL(review.Status)) } + for k, v := range review.Status.AuditAnnotations { + if err := attributes.AddAnnotation(AuditKeyPrefix+k, v); err != nil { + glog.Warningf("failed to set admission audit annotation %s to %s: %v", AuditKeyPrefix+k, v, err) + } + } if !review.Status.Allowed { if len(review.Status.Reason) > 0 { return fmt.Errorf("image policy webhook backend denied one or more images: %s", review.Status.Reason) } return errors.New("one or more images rejected by webhook backend") } - return nil } diff --git a/plugin/pkg/admission/imagepolicy/admission_test.go b/plugin/pkg/admission/imagepolicy/admission_test.go index bf31cef8522..48a808390bf 100644 --- a/plugin/pkg/admission/imagepolicy/admission_test.go +++ b/plugin/pkg/admission/imagepolicy/admission_test.go @@ -192,66 +192,68 @@ current-context: default for _, tt := range tests { // Use a closure so defer statements trigger between loop iterations. - err := func() error { - tempfile, err := ioutil.TempFile("", "") - if err != nil { + t.Run(tt.msg, func(t *testing.T) { + err := func() error { + tempfile, err := ioutil.TempFile("", "") + if err != nil { + return err + } + p := tempfile.Name() + defer os.Remove(p) + + tmpl, err := template.New("test").Parse(tt.kubeConfigTmpl) + if err != nil { + return fmt.Errorf("failed to parse test template: %v", err) + } + if err := tmpl.Execute(tempfile, data); err != nil { + return fmt.Errorf("failed to execute test template: %v", err) + } + + tempconfigfile, err := ioutil.TempFile("", "") + if err != nil { + return err + } + pc := tempconfigfile.Name() + defer os.Remove(pc) + + configTmpl, err := template.New("testconfig").Parse(defaultConfigTmplJSON) + if err != nil { + return fmt.Errorf("failed to parse test template: %v", err) + } + dataConfig := struct { + KubeConfig string + AllowTTL int + DenyTTL int + RetryBackoff int + DefaultAllow bool + }{ + KubeConfig: p, + AllowTTL: 500, + DenyTTL: 500, + RetryBackoff: 500, + DefaultAllow: true, + } + if err := configTmpl.Execute(tempconfigfile, dataConfig); err != nil { + return fmt.Errorf("failed to execute test template: %v", err) + } + + // Create a new admission controller + configFile, err := os.Open(pc) + if err != nil { + return fmt.Errorf("failed to read test config: %v", err) + } + defer configFile.Close() + + _, err = NewImagePolicyWebhook(configFile) return err + }() + if err != nil && !tt.wantErr { + t.Errorf("failed to load plugin from config %q: %v", tt.msg, err) } - p := tempfile.Name() - defer os.Remove(p) - - tmpl, err := template.New("test").Parse(tt.kubeConfigTmpl) - if err != nil { - return fmt.Errorf("failed to parse test template: %v", err) + if err == nil && tt.wantErr { + t.Errorf("wanted an error when loading config, did not get one: %q", tt.msg) } - if err := tmpl.Execute(tempfile, data); err != nil { - return fmt.Errorf("failed to execute test template: %v", err) - } - - tempconfigfile, err := ioutil.TempFile("", "") - if err != nil { - return err - } - pc := tempconfigfile.Name() - defer os.Remove(pc) - - configTmpl, err := template.New("testconfig").Parse(defaultConfigTmplJSON) - if err != nil { - return fmt.Errorf("failed to parse test template: %v", err) - } - dataConfig := struct { - KubeConfig string - AllowTTL int - DenyTTL int - RetryBackoff int - DefaultAllow bool - }{ - KubeConfig: p, - AllowTTL: 500, - DenyTTL: 500, - RetryBackoff: 500, - DefaultAllow: true, - } - if err := configTmpl.Execute(tempconfigfile, dataConfig); err != nil { - return fmt.Errorf("failed to execute test template: %v", err) - } - - // Create a new admission controller - configFile, err := os.Open(pc) - if err != nil { - return fmt.Errorf("failed to read test config: %v", err) - } - defer configFile.Close() - - _, err = NewImagePolicyWebhook(configFile) - return err - }() - if err != nil && !tt.wantErr { - t.Errorf("failed to load plugin from config %q: %v", tt.msg, err) - } - if err == nil && tt.wantErr { - t.Errorf("wanted an error when loading config, did not get one: %q", tt.msg) - } + }) } } @@ -294,8 +296,9 @@ func NewTestServer(s Service, cert, key, caCert []byte) (*httptest.Server, error } s.Review(&review) type status struct { - Allowed bool `json:"allowed"` - Reason string `json:"reason"` + Allowed bool `json:"allowed"` + Reason string `json:"reason"` + AuditAnnotations map[string]string `json:"auditAnnotations"` } resp := struct { APIVersion string `json:"apiVersion"` @@ -304,7 +307,11 @@ func NewTestServer(s Service, cert, key, caCert []byte) (*httptest.Server, error }{ APIVersion: v1alpha1.SchemeGroupVersion.String(), Kind: "ImageReview", - Status: status{review.Status.Allowed, review.Status.Reason}, + Status: status{ + review.Status.Allowed, + review.Status.Reason, + review.Status.AuditAnnotations, + }, } w.Header().Set("Content-Type", "application/json") json.NewEncoder(w).Encode(resp) @@ -318,8 +325,9 @@ func NewTestServer(s Service, cert, key, caCert []byte) (*httptest.Server, error // A service that can be set to allow all or deny all authorization requests. type mockService struct { - allow bool - statusCode int + allow bool + statusCode int + outAnnotations map[string]string } func (m *mockService) Review(r *v1alpha1.ImageReview) { @@ -339,6 +347,8 @@ func (m *mockService) Review(r *v1alpha1.ImageReview) { if !r.Status.Allowed { r.Status.Reason = "not allowed" } + + r.Status.AuditAnnotations = m.outAnnotations } func (m *mockService) Allow() { m.allow = true } func (m *mockService) Deny() { m.allow = false } @@ -455,7 +465,7 @@ func TestTLSConfig(t *testing.T) { } for _, tt := range tests { // Use a closure so defer statements trigger between loop iterations. - func() { + t.Run(tt.test, func(t *testing.T) { service := new(mockService) service.statusCode = 200 @@ -502,7 +512,7 @@ func TestTLSConfig(t *testing.T) { if err := wh.Validate(attr); err == nil { t.Errorf("%s: incorrectly admitted with DenyAll policy", tt.test) } - }() + }) } } @@ -730,7 +740,7 @@ func TestContainerCombinations(t *testing.T) { } for _, tt := range tests { // Use a closure so defer statements trigger between loop iterations. - func() { + t.Run(tt.test, func(t *testing.T) { service := new(mockService) service.statusCode = 200 @@ -769,27 +779,41 @@ func TestContainerCombinations(t *testing.T) { t.Errorf("%s: failed to admit: %v", tt.test, err) return } - }() + }) } } +// fakeAttributes decorate kadmission.Attributes. It's used to trace the added annotations. +type fakeAttributes struct { + admission.Attributes + annotations map[string]string +} + +func (f fakeAttributes) AddAnnotation(k, v string) error { + f.annotations[k] = v + return f.Attributes.AddAnnotation(k, v) +} + func TestDefaultAllow(t *testing.T) { tests := []struct { test string pod *api.Pod - wantAllowed, wantErr, defaultAllow bool + defaultAllow bool + wantAllowed, wantErr, wantFailOpen bool }{ { test: "DefaultAllow = true, backend unreachable, bad image", pod: goodPod("bad"), defaultAllow: true, wantAllowed: true, + wantFailOpen: true, }, { test: "DefaultAllow = true, backend unreachable, good image", pod: goodPod("good"), defaultAllow: true, wantAllowed: true, + wantFailOpen: true, }, { test: "DefaultAllow = false, backend unreachable, good image", @@ -797,6 +821,7 @@ func TestDefaultAllow(t *testing.T) { defaultAllow: false, wantAllowed: false, wantErr: true, + wantFailOpen: false, }, { test: "DefaultAllow = false, backend unreachable, bad image", @@ -804,11 +829,12 @@ func TestDefaultAllow(t *testing.T) { defaultAllow: false, wantAllowed: false, wantErr: true, + wantFailOpen: false, }, } for _, tt := range tests { // Use a closure so defer statements trigger between loop iterations. - func() { + t.Run(tt.test, func(t *testing.T) { service := new(mockService) service.statusCode = 500 @@ -826,6 +852,8 @@ func TestDefaultAllow(t *testing.T) { } attr := admission.NewAttributesRecord(tt.pod, nil, api.Kind("Pod").WithVersion("version"), "namespace", "", api.Resource("pods").WithVersion("version"), "", admission.Create, false, &user.DefaultInfo{}) + annotations := make(map[string]string) + attr = &fakeAttributes{attr, annotations} err = wh.Validate(attr) if tt.wantAllowed { @@ -847,7 +875,23 @@ func TestDefaultAllow(t *testing.T) { t.Errorf("%s: failed to admit: %v", tt.test, err) return } - }() + podAnnotations := tt.pod.GetAnnotations() + if tt.wantFailOpen { + if podAnnotations == nil || podAnnotations[api.ImagePolicyFailedOpenKey] != "true" { + t.Errorf("missing expected fail open pod annotation") + } + if annotations[AuditKeyPrefix+ImagePolicyFailedOpenKeySuffix] != "true" { + t.Errorf("missing expected fail open attributes annotation") + } + } else { + if podAnnotations != nil && podAnnotations[api.ImagePolicyFailedOpenKey] == "true" { + t.Errorf("found unexpected fail open pod annotation") + } + if annotations[AuditKeyPrefix+ImagePolicyFailedOpenKeySuffix] == "true" { + t.Errorf("found unexpected fail open attributes annotation") + } + } + }) } } @@ -898,7 +942,7 @@ func TestAnnotationFiltering(t *testing.T) { } for _, tt := range tests { // Use a closure so defer statements trigger between loop iterations. - func() { + t.Run(tt.test, func(t *testing.T) { service := new(annotationService) server, err := NewTestServer(service, serverCert, serverKey, caCert) @@ -928,7 +972,94 @@ func TestAnnotationFiltering(t *testing.T) { t.Errorf("expected annotations sent to webhook: %v to match expected: %v", service.Annotations(), tt.outAnnotations) } - }() + }) + } +} + +func TestReturnedAnnotationAdd(t *testing.T) { + tests := []struct { + test string + pod *api.Pod + verifierAnnotations map[string]string + expectedAnnotations map[string]string + }{ + { + test: "Add valid response annotations", + pod: goodPod("good"), + verifierAnnotations: map[string]string{ + "foo-test": "true", + "bar-test": "false", + }, + expectedAnnotations: map[string]string{ + "imagepolicywebhook.image-policy.k8s.io/foo-test": "true", + "imagepolicywebhook.image-policy.k8s.io/bar-test": "false", + }, + }, + { + test: "No returned annotations are ignored", + pod: goodPod("good"), + verifierAnnotations: map[string]string{}, + expectedAnnotations: map[string]string{}, + }, + { + test: "Handles nil annotations", + pod: goodPod("good"), + verifierAnnotations: nil, + expectedAnnotations: map[string]string{}, + }, + { + test: "Adds annotations for bad request", + pod: &api.Pod{ + Spec: api.PodSpec{ + ServiceAccountName: "default", + SecurityContext: &api.PodSecurityContext{}, + Containers: []api.Container{ + { + Image: "bad", + SecurityContext: &api.SecurityContext{}, + }, + }, + }, + }, + verifierAnnotations: map[string]string{ + "foo-test": "false", + }, + expectedAnnotations: map[string]string{ + "imagepolicywebhook.image-policy.k8s.io/foo-test": "false", + }, + }, + } + for _, tt := range tests { + // Use a closure so defer statements trigger between loop iterations. + t.Run(tt.test, func(t *testing.T) { + service := new(mockService) + service.statusCode = 200 + service.outAnnotations = tt.verifierAnnotations + + server, err := NewTestServer(service, serverCert, serverKey, caCert) + if err != nil { + t.Errorf("%s: failed to create server: %v", tt.test, err) + return + } + defer server.Close() + + wh, err := newImagePolicyWebhook(server.URL, clientCert, clientKey, caCert, 0, true) + if err != nil { + t.Errorf("%s: failed to create client: %v", tt.test, err) + return + } + + pod := tt.pod + + attr := admission.NewAttributesRecord(pod, nil, api.Kind("Pod").WithVersion("version"), "namespace", "", api.Resource("pods").WithVersion("version"), "", admission.Create, false, &user.DefaultInfo{}) + annotations := make(map[string]string) + attr = &fakeAttributes{attr, annotations} + + err = wh.Validate(attr) + if !reflect.DeepEqual(annotations, tt.expectedAnnotations) { + t.Errorf("got audit annotations: %v; want: %v", annotations, tt.expectedAnnotations) + } + }) } } diff --git a/staging/src/k8s.io/api/imagepolicy/v1alpha1/generated.pb.go b/staging/src/k8s.io/api/imagepolicy/v1alpha1/generated.pb.go index ef2275443a0..6e08dcca84b 100644 --- a/staging/src/k8s.io/api/imagepolicy/v1alpha1/generated.pb.go +++ b/staging/src/k8s.io/api/imagepolicy/v1alpha1/generated.pb.go @@ -225,6 +225,28 @@ func (m *ImageReviewStatus) MarshalTo(dAtA []byte) (int, error) { i++ i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason))) i += copy(dAtA[i:], m.Reason) + if len(m.AuditAnnotations) > 0 { + keysForAuditAnnotations := make([]string, 0, len(m.AuditAnnotations)) + for k := range m.AuditAnnotations { + keysForAuditAnnotations = append(keysForAuditAnnotations, string(k)) + } + github_com_gogo_protobuf_sortkeys.Strings(keysForAuditAnnotations) + for _, k := range keysForAuditAnnotations { + dAtA[i] = 0x1a + i++ + v := m.AuditAnnotations[string(k)] + mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v))) + i = encodeVarintGenerated(dAtA, i, uint64(mapSize)) + dAtA[i] = 0xa + i++ + i = encodeVarintGenerated(dAtA, i, uint64(len(k))) + i += copy(dAtA[i:], k) + dAtA[i] = 0x12 + i++ + i = encodeVarintGenerated(dAtA, i, uint64(len(v))) + i += copy(dAtA[i:], v) + } + } return i, nil } @@ -303,6 +325,14 @@ func (m *ImageReviewStatus) Size() (n int) { n += 2 l = len(m.Reason) n += 1 + l + sovGenerated(uint64(l)) + if len(m.AuditAnnotations) > 0 { + for k, v := range m.AuditAnnotations { + _ = k + _ = v + mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v))) + n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize)) + } + } return n } @@ -367,9 +397,20 @@ func (this *ImageReviewStatus) String() string { if this == nil { return "nil" } + keysForAuditAnnotations := make([]string, 0, len(this.AuditAnnotations)) + for k := range this.AuditAnnotations { + keysForAuditAnnotations = append(keysForAuditAnnotations, k) + } + github_com_gogo_protobuf_sortkeys.Strings(keysForAuditAnnotations) + mapStringForAuditAnnotations := "map[string]string{" + for _, k := range keysForAuditAnnotations { + mapStringForAuditAnnotations += fmt.Sprintf("%v: %v,", k, this.AuditAnnotations[k]) + } + mapStringForAuditAnnotations += "}" s := strings.Join([]string{`&ImageReviewStatus{`, `Allowed:` + fmt.Sprintf("%v", this.Allowed) + `,`, `Reason:` + fmt.Sprintf("%v", this.Reason) + `,`, + `AuditAnnotations:` + mapStringForAuditAnnotations + `,`, `}`, }, "") return s @@ -905,6 +946,122 @@ func (m *ImageReviewStatus) Unmarshal(dAtA []byte) error { } m.Reason = string(dAtA[iNdEx:postIndex]) iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field AuditAnnotations", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + var keykey uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + keykey |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + var stringLenmapkey uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLenmapkey |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLenmapkey := int(stringLenmapkey) + if intStringLenmapkey < 0 { + return ErrInvalidLengthGenerated + } + postStringIndexmapkey := iNdEx + intStringLenmapkey + if postStringIndexmapkey > l { + return io.ErrUnexpectedEOF + } + mapkey := string(dAtA[iNdEx:postStringIndexmapkey]) + iNdEx = postStringIndexmapkey + if m.AuditAnnotations == nil { + m.AuditAnnotations = make(map[string]string) + } + if iNdEx < postIndex { + var valuekey uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + valuekey |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + var stringLenmapvalue uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLenmapvalue |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLenmapvalue := int(stringLenmapvalue) + if intStringLenmapvalue < 0 { + return ErrInvalidLengthGenerated + } + postStringIndexmapvalue := iNdEx + intStringLenmapvalue + if postStringIndexmapvalue > l { + return io.ErrUnexpectedEOF + } + mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue]) + iNdEx = postStringIndexmapvalue + m.AuditAnnotations[mapkey] = mapvalue + } else { + var mapvalue string + m.AuditAnnotations[mapkey] = mapvalue + } + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) @@ -1036,41 +1193,43 @@ func init() { } var fileDescriptorGenerated = []byte{ - // 562 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x92, 0x4f, 0x6f, 0xd3, 0x30, - 0x18, 0xc6, 0x9b, 0xee, 0x6f, 0x5d, 0x60, 0x9b, 0xe1, 0x10, 0xf5, 0x90, 0x4d, 0x45, 0x42, 0xe3, - 0x80, 0xcd, 0x26, 0x84, 0x06, 0x07, 0x50, 0x83, 0x90, 0xe0, 0x00, 0x48, 0xe6, 0xb6, 0x13, 0x6e, - 0xfa, 0x2e, 0x0d, 0x6d, 0xec, 0x28, 0x76, 0x32, 0x7a, 0xe3, 0x23, 0xf0, 0x0d, 0xf8, 0x3a, 0x3d, - 0xee, 0xb8, 0xd3, 0x44, 0xc3, 0x91, 0x2f, 0x81, 0xe2, 0xa4, 0x4d, 0x68, 0x41, 0xa8, 0xb7, 0xbc, - 0xef, 0xeb, 0xe7, 0xf7, 0x3e, 0x79, 0x6c, 0xf4, 0x66, 0x74, 0xa6, 0x48, 0x20, 0xe9, 0x28, 0xe9, - 0x43, 0x2c, 0x40, 0x83, 0xa2, 0x29, 0x88, 0x81, 0x8c, 0x69, 0x39, 0xe0, 0x51, 0x40, 0x83, 0x90, - 0xfb, 0x10, 0xc9, 0x71, 0xe0, 0x4d, 0x68, 0x7a, 0xc2, 0xc7, 0xd1, 0x90, 0x9f, 0x50, 0x1f, 0x04, - 0xc4, 0x5c, 0xc3, 0x80, 0x44, 0xb1, 0xd4, 0x12, 0x1f, 0x16, 0x02, 0xc2, 0xa3, 0x80, 0xd4, 0x04, - 0x64, 0x2e, 0xe8, 0x3c, 0xf2, 0x03, 0x3d, 0x4c, 0xfa, 0xc4, 0x93, 0x21, 0xf5, 0xa5, 0x2f, 0xa9, - 0xd1, 0xf5, 0x93, 0x0b, 0x53, 0x99, 0xc2, 0x7c, 0x15, 0xbc, 0xce, 0x93, 0xca, 0x40, 0xc8, 0xbd, - 0x61, 0x20, 0x20, 0x9e, 0xd0, 0x68, 0xe4, 0xe7, 0x0d, 0x45, 0x43, 0xd0, 0x9c, 0xa6, 0x2b, 0x2e, - 0x3a, 0xf4, 0x5f, 0xaa, 0x38, 0x11, 0x3a, 0x08, 0x61, 0x45, 0xf0, 0xf4, 0x7f, 0x02, 0xe5, 0x0d, - 0x21, 0xe4, 0xcb, 0xba, 0xee, 0xf7, 0x26, 0x6a, 0xbf, 0xcd, 0x7f, 0x93, 0x41, 0x1a, 0xc0, 0x25, - 0xfe, 0x84, 0x76, 0x73, 0x4f, 0x03, 0xae, 0xb9, 0x6d, 0x1d, 0x59, 0xc7, 0xed, 0xd3, 0xc7, 0xa4, - 0x4a, 0x64, 0x81, 0x26, 0xd1, 0xc8, 0xcf, 0x1b, 0x8a, 0xe4, 0xa7, 0x49, 0x7a, 0x42, 0x3e, 0xf4, - 0x3f, 0x83, 0xa7, 0xdf, 0x81, 0xe6, 0x2e, 0x9e, 0xde, 0x1c, 0x36, 0xb2, 0x9b, 0x43, 0x54, 0xf5, - 0xd8, 0x82, 0x8a, 0x19, 0xda, 0x54, 0x11, 0x78, 0x76, 0x73, 0x85, 0xfe, 0xd7, 0xbc, 0x49, 0xcd, - 0xdd, 0xc7, 0x08, 0x3c, 0xf7, 0x56, 0x49, 0xdf, 0xcc, 0x2b, 0x66, 0x58, 0xf8, 0x1c, 0x6d, 0x2b, - 0xcd, 0x75, 0xa2, 0xec, 0x0d, 0x43, 0x3d, 0x5d, 0x8b, 0x6a, 0x94, 0xee, 0x9d, 0x92, 0xbb, 0x5d, - 0xd4, 0xac, 0x24, 0x76, 0x5f, 0x22, 0xbb, 0x76, 0xf8, 0x95, 0x14, 0x9a, 0xe7, 0x11, 0xe4, 0xdb, - 0xf1, 0x7d, 0xb4, 0x65, 0xe8, 0x26, 0xaa, 0x96, 0x7b, 0xbb, 0x44, 0x6c, 0x15, 0x82, 0x62, 0xd6, - 0xfd, 0xd5, 0x44, 0x7b, 0x4b, 0x3f, 0x81, 0x43, 0x84, 0xbc, 0x39, 0x49, 0xd9, 0xd6, 0xd1, 0xc6, - 0x71, 0xfb, 0xf4, 0xd9, 0x3a, 0xa6, 0xff, 0xf0, 0x51, 0x25, 0xbe, 0x68, 0x2b, 0x56, 0x5b, 0x80, - 0xbf, 0xa0, 0x36, 0x17, 0x42, 0x6a, 0xae, 0x03, 0x29, 0x94, 0xdd, 0x34, 0xfb, 0x7a, 0xeb, 0x46, - 0x4f, 0x7a, 0x15, 0xe3, 0xb5, 0xd0, 0xf1, 0xc4, 0xbd, 0x5b, 0xee, 0x6d, 0xd7, 0x26, 0xac, 0xbe, - 0x0a, 0x53, 0xd4, 0x12, 0x3c, 0x04, 0x15, 0x71, 0x0f, 0xcc, 0xe5, 0xb4, 0xdc, 0x83, 0x52, 0xd4, - 0x7a, 0x3f, 0x1f, 0xb0, 0xea, 0x4c, 0xe7, 0x05, 0xda, 0x5f, 0x5e, 0x83, 0xf7, 0xd1, 0xc6, 0x08, - 0x26, 0x45, 0xc8, 0x2c, 0xff, 0xc4, 0xf7, 0xd0, 0x56, 0xca, 0xc7, 0x09, 0x98, 0x57, 0xd4, 0x62, - 0x45, 0xf1, 0xbc, 0x79, 0x66, 0x75, 0x2f, 0xd0, 0xc1, 0xca, 0xdd, 0xe2, 0x87, 0x68, 0x87, 0x8f, - 0xc7, 0xf2, 0x12, 0x06, 0x06, 0xb2, 0xeb, 0xee, 0x95, 0x1e, 0x76, 0x7a, 0x45, 0x9b, 0xcd, 0xe7, - 0xf8, 0x01, 0xda, 0x8e, 0x81, 0x2b, 0x29, 0x0a, 0x74, 0xf5, 0x2c, 0x98, 0xe9, 0xb2, 0x72, 0xea, - 0x92, 0xe9, 0xcc, 0x69, 0x5c, 0xcd, 0x9c, 0xc6, 0xf5, 0xcc, 0x69, 0x7c, 0xcd, 0x1c, 0x6b, 0x9a, - 0x39, 0xd6, 0x55, 0xe6, 0x58, 0xd7, 0x99, 0x63, 0xfd, 0xc8, 0x1c, 0xeb, 0xdb, 0x4f, 0xa7, 0x71, - 0xbe, 0x3b, 0xcf, 0xf2, 0x77, 0x00, 0x00, 0x00, 0xff, 0xff, 0xdb, 0xb6, 0xff, 0xb4, 0xa2, 0x04, - 0x00, 0x00, + // 607 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x92, 0xcf, 0x6e, 0xd3, 0x4c, + 0x14, 0xc5, 0xe3, 0xa4, 0xff, 0x32, 0xf9, 0x3e, 0x9a, 0x0e, 0x20, 0x59, 0x59, 0xb8, 0x55, 0x90, + 0x50, 0x59, 0x30, 0x43, 0x2b, 0x84, 0x0a, 0x0b, 0x50, 0x5c, 0x21, 0x95, 0x05, 0x20, 0x0d, 0xbb, + 0xae, 0x98, 0x38, 0x17, 0xc7, 0x24, 0x9e, 0xb1, 0x3c, 0xe3, 0x94, 0xec, 0x78, 0x02, 0xc4, 0x1b, + 0xf0, 0x22, 0x3c, 0x40, 0x97, 0x5d, 0x76, 0x55, 0x51, 0xb3, 0xe4, 0x25, 0x90, 0xc7, 0x4e, 0x6c, + 0x92, 0x22, 0x94, 0x9d, 0xef, 0xbd, 0x73, 0x7e, 0xf7, 0xcc, 0xf1, 0xa0, 0x93, 0xd1, 0x91, 0x22, + 0x81, 0xa4, 0xa3, 0xa4, 0x0f, 0xb1, 0x00, 0x0d, 0x8a, 0x4e, 0x40, 0x0c, 0x64, 0x4c, 0x8b, 0x01, + 0x8f, 0x02, 0x1a, 0x84, 0xdc, 0x87, 0x48, 0x8e, 0x03, 0x6f, 0x4a, 0x27, 0x07, 0x7c, 0x1c, 0x0d, + 0xf9, 0x01, 0xf5, 0x41, 0x40, 0xcc, 0x35, 0x0c, 0x48, 0x14, 0x4b, 0x2d, 0xf1, 0x6e, 0x2e, 0x20, + 0x3c, 0x0a, 0x48, 0x45, 0x40, 0x66, 0x82, 0xce, 0x43, 0x3f, 0xd0, 0xc3, 0xa4, 0x4f, 0x3c, 0x19, + 0x52, 0x5f, 0xfa, 0x92, 0x1a, 0x5d, 0x3f, 0xf9, 0x60, 0x2a, 0x53, 0x98, 0xaf, 0x9c, 0xd7, 0x79, + 0x5c, 0x1a, 0x08, 0xb9, 0x37, 0x0c, 0x04, 0xc4, 0x53, 0x1a, 0x8d, 0xfc, 0xac, 0xa1, 0x68, 0x08, + 0x9a, 0xd3, 0xc9, 0x92, 0x8b, 0x0e, 0xfd, 0x9b, 0x2a, 0x4e, 0x84, 0x0e, 0x42, 0x58, 0x12, 0x3c, + 0xf9, 0x97, 0x40, 0x79, 0x43, 0x08, 0xf9, 0xa2, 0xae, 0xfb, 0xad, 0x8e, 0x5a, 0xaf, 0xb2, 0x6b, + 0x32, 0x98, 0x04, 0x70, 0x86, 0xdf, 0xa3, 0xad, 0xcc, 0xd3, 0x80, 0x6b, 0x6e, 0x5b, 0x7b, 0xd6, + 0x7e, 0xeb, 0xf0, 0x11, 0x29, 0x13, 0x99, 0xa3, 0x49, 0x34, 0xf2, 0xb3, 0x86, 0x22, 0xd9, 0x69, + 0x32, 0x39, 0x20, 0x6f, 0xfb, 0x1f, 0xc1, 0xd3, 0xaf, 0x41, 0x73, 0x17, 0x9f, 0x5f, 0xed, 0xd6, + 0xd2, 0xab, 0x5d, 0x54, 0xf6, 0xd8, 0x9c, 0x8a, 0x19, 0x5a, 0x53, 0x11, 0x78, 0x76, 0x7d, 0x89, + 0x7e, 0x63, 0xde, 0xa4, 0xe2, 0xee, 0x5d, 0x04, 0x9e, 0xfb, 0x5f, 0x41, 0x5f, 0xcb, 0x2a, 0x66, + 0x58, 0xf8, 0x14, 0x6d, 0x28, 0xcd, 0x75, 0xa2, 0xec, 0x86, 0xa1, 0x1e, 0xae, 0x44, 0x35, 0x4a, + 0xf7, 0x56, 0xc1, 0xdd, 0xc8, 0x6b, 0x56, 0x10, 0xbb, 0x2f, 0x90, 0x5d, 0x39, 0x7c, 0x2c, 0x85, + 0xe6, 0x59, 0x04, 0xd9, 0x76, 0x7c, 0x0f, 0xad, 0x1b, 0xba, 0x89, 0xaa, 0xe9, 0xfe, 0x5f, 0x20, + 0xd6, 0x73, 0x41, 0x3e, 0xeb, 0xfe, 0xaa, 0xa3, 0xed, 0x85, 0x4b, 0xe0, 0x10, 0x21, 0x6f, 0x46, + 0x52, 0xb6, 0xb5, 0xd7, 0xd8, 0x6f, 0x1d, 0x3e, 0x5d, 0xc5, 0xf4, 0x1f, 0x3e, 0xca, 0xc4, 0xe7, + 0x6d, 0xc5, 0x2a, 0x0b, 0xf0, 0x27, 0xd4, 0xe2, 0x42, 0x48, 0xcd, 0x75, 0x20, 0x85, 0xb2, 0xeb, + 0x66, 0x5f, 0x6f, 0xd5, 0xe8, 0x49, 0xaf, 0x64, 0xbc, 0x14, 0x3a, 0x9e, 0xba, 0xb7, 0x8b, 0xbd, + 0xad, 0xca, 0x84, 0x55, 0x57, 0x61, 0x8a, 0x9a, 0x82, 0x87, 0xa0, 0x22, 0xee, 0x81, 0xf9, 0x39, + 0x4d, 0x77, 0xa7, 0x10, 0x35, 0xdf, 0xcc, 0x06, 0xac, 0x3c, 0xd3, 0x79, 0x8e, 0xda, 0x8b, 0x6b, + 0x70, 0x1b, 0x35, 0x46, 0x30, 0xcd, 0x43, 0x66, 0xd9, 0x27, 0xbe, 0x83, 0xd6, 0x27, 0x7c, 0x9c, + 0x80, 0x79, 0x45, 0x4d, 0x96, 0x17, 0xcf, 0xea, 0x47, 0x56, 0xf7, 0x7b, 0x1d, 0xed, 0x2c, 0xfd, + 0x5c, 0xfc, 0x00, 0x6d, 0xf2, 0xf1, 0x58, 0x9e, 0xc1, 0xc0, 0x50, 0xb6, 0xdc, 0xed, 0xc2, 0xc4, + 0x66, 0x2f, 0x6f, 0xb3, 0xd9, 0x1c, 0xdf, 0x47, 0x1b, 0x31, 0x70, 0x25, 0x45, 0xce, 0x2e, 0xdf, + 0x05, 0x33, 0x5d, 0x56, 0x4c, 0xf1, 0x17, 0x0b, 0xb5, 0x79, 0x32, 0x08, 0x74, 0xc5, 0xae, 0xdd, + 0x30, 0xc9, 0x9e, 0xac, 0xfe, 0xfc, 0x48, 0x6f, 0x01, 0x95, 0x07, 0x6c, 0x17, 0xcb, 0xdb, 0x8b, + 0x63, 0xb6, 0xb4, 0xbb, 0x73, 0x8c, 0xee, 0xde, 0x08, 0x59, 0x25, 0x3e, 0x97, 0x9c, 0x5f, 0x3b, + 0xb5, 0x8b, 0x6b, 0xa7, 0x76, 0x79, 0xed, 0xd4, 0x3e, 0xa7, 0x8e, 0x75, 0x9e, 0x3a, 0xd6, 0x45, + 0xea, 0x58, 0x97, 0xa9, 0x63, 0xfd, 0x48, 0x1d, 0xeb, 0xeb, 0x4f, 0xa7, 0x76, 0xba, 0x35, 0xbb, + 0xc8, 0xef, 0x00, 0x00, 0x00, 0xff, 0xff, 0x44, 0x16, 0x48, 0xa2, 0x79, 0x05, 0x00, 0x00, } diff --git a/staging/src/k8s.io/api/imagepolicy/v1alpha1/generated.proto b/staging/src/k8s.io/api/imagepolicy/v1alpha1/generated.proto index ffd9512a9e6..381d0091bdc 100644 --- a/staging/src/k8s.io/api/imagepolicy/v1alpha1/generated.proto +++ b/staging/src/k8s.io/api/imagepolicy/v1alpha1/generated.proto @@ -65,7 +65,7 @@ message ImageReviewSpec { optional string namespace = 3; } -// ImageReviewStatus is the result of the token authentication request. +// ImageReviewStatus is the result of the review for the pod creation request. message ImageReviewStatus { // Allowed indicates that all images were allowed to be run. optional bool allowed = 1; @@ -75,5 +75,12 @@ message ImageReviewStatus { // may truncate excessively long errors when displaying to the user. // +optional optional string reason = 2; + + // AuditAnnotations will be added to the attributes object of the + // admission controller request using 'AddAnnotation'. The keys should + // be prefix-less (i.e., the admission controller will add an + // appropriate prefix). + // +optional + map auditAnnotations = 3; } diff --git a/staging/src/k8s.io/api/imagepolicy/v1alpha1/types.go b/staging/src/k8s.io/api/imagepolicy/v1alpha1/types.go index 258b5cd75bd..fd689e638d9 100644 --- a/staging/src/k8s.io/api/imagepolicy/v1alpha1/types.go +++ b/staging/src/k8s.io/api/imagepolicy/v1alpha1/types.go @@ -62,7 +62,7 @@ type ImageReviewContainerSpec struct { // In future, we may add command line overrides, exec health check command lines, and so on. } -// ImageReviewStatus is the result of the token authentication request. +// ImageReviewStatus is the result of the review for the pod creation request. type ImageReviewStatus struct { // Allowed indicates that all images were allowed to be run. Allowed bool `json:"allowed" protobuf:"varint,1,opt,name=allowed"` @@ -71,4 +71,10 @@ type ImageReviewStatus struct { // may truncate excessively long errors when displaying to the user. // +optional Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"` + // AuditAnnotations will be added to the attributes object of the + // admission controller request using 'AddAnnotation'. The keys should + // be prefix-less (i.e., the admission controller will add an + // appropriate prefix). + // +optional + AuditAnnotations map[string]string `json:"auditAnnotations,omitempty" protobuf:"bytes,3,rep,name=auditAnnotations"` } diff --git a/staging/src/k8s.io/api/imagepolicy/v1alpha1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/imagepolicy/v1alpha1/types_swagger_doc_generated.go index 129d63d08a8..0211d94af01 100644 --- a/staging/src/k8s.io/api/imagepolicy/v1alpha1/types_swagger_doc_generated.go +++ b/staging/src/k8s.io/api/imagepolicy/v1alpha1/types_swagger_doc_generated.go @@ -58,9 +58,10 @@ func (ImageReviewSpec) SwaggerDoc() map[string]string { } var map_ImageReviewStatus = map[string]string{ - "": "ImageReviewStatus is the result of the token authentication request.", - "allowed": "Allowed indicates that all images were allowed to be run.", - "reason": "Reason should be empty unless Allowed is false in which case it may contain a short description of what is wrong. Kubernetes may truncate excessively long errors when displaying to the user.", + "": "ImageReviewStatus is the result of the review for the pod creation request.", + "allowed": "Allowed indicates that all images were allowed to be run.", + "reason": "Reason should be empty unless Allowed is false in which case it may contain a short description of what is wrong. Kubernetes may truncate excessively long errors when displaying to the user.", + "auditAnnotations": "AuditAnnotations will be added to the attributes object of the admission controller request using 'AddAnnotation'. The keys should be prefix-less (i.e., the admission controller will add an appropriate prefix).", } func (ImageReviewStatus) SwaggerDoc() map[string]string { diff --git a/staging/src/k8s.io/api/imagepolicy/v1alpha1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/imagepolicy/v1alpha1/zz_generated.deepcopy.go index a41d8970045..83d47b7919d 100644 --- a/staging/src/k8s.io/api/imagepolicy/v1alpha1/zz_generated.deepcopy.go +++ b/staging/src/k8s.io/api/imagepolicy/v1alpha1/zz_generated.deepcopy.go @@ -30,7 +30,7 @@ func (in *ImageReview) DeepCopyInto(out *ImageReview) { out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status + in.Status.DeepCopyInto(&out.Status) return } @@ -99,6 +99,13 @@ func (in *ImageReviewSpec) DeepCopy() *ImageReviewSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageReviewStatus) DeepCopyInto(out *ImageReviewStatus) { *out = *in + if in.AuditAnnotations != nil { + in, out := &in.AuditAnnotations, &out.AuditAnnotations + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } return }