github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-18 16:21:13 +00:00
Code Issues Projects Releases Wiki Activity

add Annotations to audit event

Browse Source
This commit is contained in:
Cao Shufeng 2018-01-08 12:00:33 +08:00
parent 2cc0ecdf0f
commit 97b0d99a33
5 changed files with 87 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
staging/src/k8s.io/apiserver/pkg/apis/audit/types.go
View File

@ -125,6 +125,14 @@ type Event struct {
RequestReceivedTimestamp metav1.MicroTime RequestReceivedTimestamp metav1.MicroTime
// Time the request reached current audit stage. // Time the request reached current audit stage.
StageTimestamp metav1.MicroTime StageTimestamp metav1.MicroTime
// Annotations is an unstructured key value map stored with an audit event that may be set by
// plugins invoked in the request serving chain, including authentication, authorization and
// admission plugins. Keys should uniquely identify the informing component to avoid name
// collisions (e.g. podsecuritypolicy.admission.k8s.io/policy). Values should be short. Annotations
// are included in the Metadata level.
// +optional
Annotations map[string]string
} }
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

8
staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go
View File

@ -132,6 +132,14 @@ type Event struct {
// Time the request reached current audit stage. // Time the request reached current audit stage.
// +optional // +optional
StageTimestamp metav1.MicroTime `json:"stageTimestamp" protobuf:"bytes,16,opt,name=stageTimestamp"` StageTimestamp metav1.MicroTime `json:"stageTimestamp" protobuf:"bytes,16,opt,name=stageTimestamp"`
// Annotations is an unstructured key value map stored with an audit event that may be set by
// plugins invoked in the request serving chain, including authentication, authorization and
// admission plugins. Keys should uniquely identify the informing component to avoid name
// collisions (e.g. podsecuritypolicy.admission.k8s.io/policy). Values should be short. Annotations
// are included in the Metadata level.
// +optional
Annotations map[string]string `json:"annotations,omitempty" protobuf:"bytes,17,rep,name=annotations"`
} }
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

8
staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/types.go
View File

@ -128,6 +128,14 @@ type Event struct {
// Time the request reached current audit stage. // Time the request reached current audit stage.
// +optional // +optional
StageTimestamp metav1.MicroTime `json:"stageTimestamp" protobuf:"bytes,16,opt,name=stageTimestamp"` StageTimestamp metav1.MicroTime `json:"stageTimestamp" protobuf:"bytes,16,opt,name=stageTimestamp"`
// Annotations is an unstructured key value map stored with an audit event that may be set by
// plugins invoked in the request serving chain, including authentication, authorization and
// admission plugins. Keys should uniquely identify the informing component to avoid name
// collisions (e.g. podsecuritypolicy.admission.k8s.io/policy). Values should be short. Annotations
// are included in the Metadata level.
// +optional
Annotations map[string]string `json:"annotations,omitempty" protobuf:"bytes,17,rep,name=annotations"`
} }
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

25
staging/src/k8s.io/apiserver/pkg/audit/request.go
View File

@ -204,3 +204,28 @@ func encodeObject(obj runtime.Object, gv schema.GroupVersion, serializer runtime
} }
return nil, fmt.Errorf("no json encoder found") return nil, fmt.Errorf("no json encoder found")
} }
// LogAnnotation fills in the Annotations according to the key value pair.
func LogAnnotation(ae *auditinternal.Event, key, value string) {
if ae == nil || ae.Level.Less(auditinternal.LevelMetadata) {
return
}
if ae.Annotations == nil {
ae.Annotations = make(map[string]string)
}
if v, ok := ae.Annotations[key]; ok && v != value {
glog.Warningf("Failed to set annotations[%q] to %q for audit:%q, it has already been set to %q", key, value, ae.AuditID, ae.Annotations[key])
return
}
ae.Annotations[key] = value
}
// LogAnnotations fills in the Annotations according to the annotations map.
func LogAnnotations(ae *auditinternal.Event, annotations map[string]string) {
if ae == nil || ae.Level.Less(auditinternal.LevelMetadata) {
return
}
for key, value := range annotations {
LogAnnotation(ae, key, value)
}
}

38
staging/src/k8s.io/apiserver/pkg/audit/request_test.go Normal file
View File

@ -0,0 +1,38 @@
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package audit
import (
"testing"
"github.com/stretchr/testify/assert"
auditinternal "k8s.io/apiserver/pkg/apis/audit"
)
func TestLogAnnotation(t *testing.T) {
ev := &auditinternal.Event{
Level: auditinternal.LevelMetadata,
AuditID: "fake id",
}
LogAnnotation(ev, "foo", "bar")
LogAnnotation(ev, "foo", "baz")
assert.Equal(t, "bar", ev.Annotations["foo"], "audit annotation should not be overwritten.")
LogAnnotation(ev, "qux", "")
LogAnnotation(ev, "qux", "baz")
assert.Equal(t, "", ev.Annotations["qux"], "audit annotation should not be overwritten.")
}