audit support wildcard matching subresources

staging/src/k8s.io/apiserver/pkg/apis/audit/types.go

@@ -226,10 +226,19 @@ type GroupResources struct {
 	// The empty string represents the core API group.
 	// +optional
 	Group string
-	// Resources is a list of resources within the API group. Subresources are
+	// Resources is a list of resources this rule applies to.
-	// matched using a "/" to indicate the subresource. For example, "pods/log"
+	//
-	// would match request to the log subresource of pods. The top level resource
+	// For example:
-	// does not match subresources, "pods" doesn't match "pods/log".
+	// 'pods' matches pods.
+	// 'pods/log' matches the log subresource of pods.
+	// '*' matches all resources and their subresources.
+	// 'pods/*' matches all subresources of pods.
+	// '*/scale' matches all scale subresources.
+	//
+	// If wildcard is present, the validation rule will ensure resources do not
+	// overlap with each other.
+	//
+	// An empty list implies all resources and subresources in this API groups apply.
 	// +optional
 	Resources []string
 	// ResourceNames is a list of resource instance names that the policy matches.

staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go

@@ -233,10 +233,19 @@ type GroupResources struct {
 	// The empty string represents the core API group.
 	// +optional
 	Group string `json:"group,omitempty" protobuf:"bytes,1,opt,name=group"`
-	// Resources is a list of resources within the API group. Subresources are
+	// Resources is a list of resources this rule applies to.
-	// matched using a "/" to indicate the subresource. For example, "pods/logs"
+	//
-	// would match request to the logs subresource of pods. The top level resource
+	// For example:
-	// does not match subresources, "pods" doesn't match "pods/logs".
+	// 'pods' matches pods.
+	// 'pods/log' matches the log subresource of pods.
+	// '*' matches all resources and their subresources.
+	// 'pods/*' matches all subresources of pods.
+	// '*/scale' matches all scale subresources.
+	//
+	// If wildcard is present, the validation rule will ensure resources do not
+	// overlap with each other.
+	//
+	// An empty list implies all resources and subresources in this API groups apply.
 	// +optional
 	Resources []string `json:"resources,omitempty" protobuf:"bytes,2,rep,name=resources"`
 	// ResourceNames is a list of resource instance names that the policy matches.

staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/types.go

@@ -229,10 +229,19 @@ type GroupResources struct {
 	// The empty string represents the core API group.
 	// +optional
 	Group string `json:"group,omitempty" protobuf:"bytes,1,opt,name=group"`
-	// Resources is a list of resources within the API group. Subresources are
+	// Resources is a list of resources this rule applies to.
-	// matched using a "/" to indicate the subresource. For example, "pods/log"
+	//
-	// would match request to the log subresource of pods. The top level resource
+	// For example:
-	// does not match subresources, "pods" doesn't match "pods/log".
+	// 'pods' matches pods.
+	// 'pods/log' matches the log subresource of pods.
+	// '*' matches all resources and their subresources.
+	// 'pods/*' matches all subresources of pods.
+	// '*/scale' matches all scale subresources.
+	//
+	// If wildcard is present, the validation rule will ensure resources do not
+	// overlap with each other.
+	//
+	// An empty list implies all resources and subresources in this API groups apply.
 	// +optional
 	Resources []string `json:"resources,omitempty" protobuf:"bytes,2,rep,name=resources"`
 	// ResourceNames is a list of resource instance names that the policy matches.

staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go

@@ -160,11 +160,11 @@ func ruleMatchesResource(r *audit.PolicyRule, attrs authorizer.Attributes) bool
 
 	apiGroup := attrs.GetAPIGroup()
 	resource := attrs.GetResource()
+	subresource := attrs.GetSubresource()
+	combinedResource := resource
 	// If subresource, the resource in the policy must match "(resource)/(subresource)"
-	//
+	if subresource != "" {
-	// TODO: consider adding options like "pods/*" to match all subresources.
+		combinedResource = resource + "/" + subresource
-	if sr := attrs.GetSubresource(); sr != "" {
-		resource = resource + "/" + sr
 	}
 
 	name := attrs.GetName()
@@ -175,8 +175,17 @@ func ruleMatchesResource(r *audit.PolicyRule, attrs authorizer.Attributes) bool
 				return true
 			}
 			for _, res := range gr.Resources {
-				if res == resource {
 				if len(gr.ResourceNames) == 0 || hasString(gr.ResourceNames, name) {
+					// match "*"
+					if res == combinedResource || res == "*" {
+						return true
+					}
+					// match "*/subresource"
+					if len(subresource) > 0 && strings.HasPrefix(res, "*/") && subresource == strings.TrimLeft(res, "*/") {
+						return true
+					}
+					// match "resource/*"
+					if strings.HasSuffix(res, "/*") && resource == strings.TrimRight(res, "/*") {
 						return true
 					}
 				}