github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 05:57:25 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #49280 from CaoShuFeng/RequestReceived

Browse Source 
Automatic merge from submit-queue

Provide a way to omit Event stages in audit policy

This provide a way to omit some stages for each audit policy rule.
    
For example:

    ```
      apiVersion: audit.k8s.io/v1beta1
      kind: Policy
      - level: Metadata
        resources:
           - group: "rbac.authorization.k8s.io"
             resources: ["roles"]
        omitStages:
          - "RequestReceived"
    ```
    
RequestReceived stage will not be emitted to audit backends with previous config.


**Release note**:

```
None
```
#
This commit is contained in:
Kubernetes Submit Queue 2017-09-04 05:07:10 -07:00 committed by GitHub
commit 9d29ce1356
21 changed files with 552 additions and 232 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
staging/src/k8s.io/apiserver/pkg/apis/audit/types.go
View File

@ -207,6 +207,10 @@ type PolicyRule struct {
// "/healthz*" - Log all health checks
// +optional
NonResourceURLs []string
// OmitStages specify events generated in which stages will not be emitted to backend.
// An empty list means no restrictions will apply.
OmitStages []Stage
}
// GroupResources represents resource kinds in an API group.

194
staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.pb.go
View File

@ -543,6 +543,21 @@ func (m *PolicyRule) MarshalTo(dAtA []byte) (int, error) {
i += copy(dAtA[i:], s)
}
}
if len(m.OmitStages) > 0 {
for _, s := range m.OmitStages {
dAtA[i] = 0x42
i++
l = len(s)
for l >= 1<<7 {
dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
l >>= 7
i++
}
dAtA[i] = uint8(l)
i++
i += copy(dAtA[i:], s)
}
}
return i, nil
}
@ -744,6 +759,12 @@ func (m *PolicyRule) Size() (n int) {
n += 1 + l + sovGenerated(uint64(l))
}
}
if len(m.OmitStages) > 0 {
for _, s := range m.OmitStages {
l = len(s)
n += 1 + l + sovGenerated(uint64(l))
}
}
return n
}
@ -856,6 +877,7 @@ func (this *PolicyRule) String() string {
`Resources:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Resources), "GroupResources", "GroupResources", 1), `&`, ``, 1) + `,`,
`Namespaces:` + fmt.Sprintf("%v", this.Namespaces) + `,`,
`NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`,
`OmitStages:` + fmt.Sprintf("%v", this.OmitStages) + `,`,
`}`,
}, "")
return s
@ -2304,6 +2326,35 @@ func (m *PolicyRule) Unmarshal(dAtA []byte) error {
}
m.NonResourceURLs = append(m.NonResourceURLs, string(dAtA[iNdEx:postIndex]))
iNdEx = postIndex
case 8:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field OmitStages", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
stringLen |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
intStringLen := int(stringLen)
if intStringLen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + intStringLen
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.OmitStages = append(m.OmitStages, Stage(dAtA[iNdEx:postIndex]))
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
@ -2435,75 +2486,76 @@ func init() {
}
var fileDescriptorGenerated = []byte{
// 1107 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0xcf, 0x6f, 0xe3, 0x44,
0x14, 0xae, 0x37, 0x4d, 0x1b, 0x4f, 0xb7, 0x3f, 0x76, 0x16, 0x81, 0xd5, 0x43, 0x52, 0x82, 0x84,
0x22, 0x28, 0x76, 0x5b, 0x0a, 0x2c, 0x07, 0x0e, 0x8d, 0x16, 0x41, 0xa4, 0x52, 0xca, 0xb4, 0x59,
0x89, 0x1f, 0x07, 0x9c, 0xe4, 0x35, 0x31, 0x4d, 0x6c, 0x33, 0x33, 0x0e, 0xea, 0x8d, 0x03, 0xe2,
0xcc, 0x9d, 0x3f, 0x06, 0x21, 0x81, 0xd4, 0xe3, 0x1e, 0xf7, 0x14, 0xd1, 0xf0, 0x5f, 0xf4, 0x84,
0x66, 0x3c, 0xe3, 0xb1, 0xd3, 0x8d, 0x48, 0x2f, 0x7b, 0xf3, 0xbc, 0xf7, 0x7d, 0xdf, 0xbc, 0xf7,
0xfc, 0xde, 0xb3, 0xd1, 0x57, 0x97, 0x4f, 0x98, 0x1b, 0x44, 0xde, 0x65, 0xd2, 0x01, 0x1a, 0x02,
0x07, 0xe6, 0x8d, 0x21, 0xec, 0x45, 0xd4, 0x53, 0x0e, 0x3f, 0x0e, 0x18, 0xd0, 0x31, 0x50, 0x2f,
0xbe, 0xec, 0xcb, 0x93, 0xe7, 0x27, 0xbd, 0x80, 0x7b, 0xe3, 0x7d, 0x7f, 0x18, 0x0f, 0xfc, 0x7d,
0xaf, 0x0f, 0x21, 0x50, 0x9f, 0x43, 0xcf, 0x8d, 0x69, 0xc4, 0x23, 0xdc, 0x48, 0x99, 0x6e, 0xc6,
0x74, 0xe3, 0xcb, 0xbe, 0x3c, 0xb9, 0x92, 0xe9, 0x6a, 0xe6, 0xf6, 0x7b, 0xfd, 0x80, 0x0f, 0x92,
0x8e, 0xdb, 0x8d, 0x46, 0x5e, 0x3f, 0xea, 0x47, 0x9e, 0x14, 0xe8, 0x24, 0x17, 0xf2, 0x24, 0x0f,
0xf2, 0x29, 0x15, 0xde, 0xde, 0x35, 0x21, 0x79, 0x7e, 0xc2, 0x07, 0x10, 0xf2, 0xa0, 0xeb, 0xf3,
0x20, 0x0a, 0xbd, 0xf1, 0x9d, 0x30, 0xb6, 0x0f, 0x0d, 0x7a, 0xe4, 0x77, 0x07, 0x41, 0x08, 0xf4,
0xca, 0xe4, 0x30, 0x02, 0xee, 0xbf, 0x8c, 0xe5, 0xcd, 0x63, 0xd1, 0x24, 0xe4, 0xc1, 0x08, 0xee,
0x10, 0x3e, 0xfc, 0x3f, 0x02, 0xeb, 0x0e, 0x60, 0xe4, 0xdf, 0xe1, 0xbd, 0x3f, 0x8f, 0x97, 0xf0,
0x60, 0xe8, 0x05, 0x21, 0x67, 0x9c, 0xce, 0x92, 0xea, 0x7f, 0x55, 0x50, 0xf9, 0xd3, 0x31, 0x84,
0x1c, 0x7f, 0x8f, 0x2a, 0x22, 0x85, 0x9e, 0xcf, 0x7d, 0xc7, 0xda, 0xb1, 0x1a, 0x6b, 0x07, 0x7b,
0xae, 0xa9, 0x7b, 0xa6, 0x68, 0x4a, 0x2f, 0xd0, 0xee, 0x78, 0xdf, 0xfd, 0xb2, 0xf3, 0x03, 0x74,
0xf9, 0x17, 0xc0, 0xfd, 0x26, 0xbe, 0x9e, 0xd4, 0x96, 0xa6, 0x93, 0x1a, 0x32, 0x36, 0x92, 0xa9,
0xe2, 0x5d, 0x54, 0x1e, 0xc2, 0x18, 0x86, 0xce, 0x83, 0x1d, 0xab, 0x61, 0x37, 0x5f, 0x57, 0xe0,
0xf2, 0xb1, 0x30, 0xde, 0xea, 0x07, 0x92, 0x82, 0xf0, 0xb7, 0xc8, 0x16, 0xd9, 0x32, 0xee, 0x8f,
0x62, 0xa7, 0x24, 0x03, 0x7a, 0x67, 0xb1, 0x80, 0xce, 0x83, 0x11, 0x34, 0x1f, 0x29, 0x75, 0xfb,
0x5c, 0x8b, 0x10, 0xa3, 0x87, 0x4f, 0xd0, 0xaa, 0xec, 0x9c, 0xd6, 0x53, 0x67, 0x59, 0x06, 0x73,
0xa8, 0xe0, 0xab, 0x47, 0xa9, 0xf9, 0x76, 0x52, 0x7b, 0x73, 0x5e, 0x3d, 0xf9, 0x55, 0x0c, 0xcc,
0x6d, 0xb7, 0x9e, 0x12, 0x2d, 0x22, 0x52, 0x63, 0xdc, 0xef, 0x83, 0x53, 0x2e, 0xa6, 0x76, 0x26,
0x8c, 0xb7, 0xfa, 0x81, 0xa4, 0x20, 0x7c, 0x80, 0x10, 0x85, 0x1f, 0x13, 0x60, 0xbc, 0x4d, 0x5a,
0xce, 0x8a, 0xa4, 0x64, 0xa5, 0x23, 0x99, 0x87, 0xe4, 0x50, 0x78, 0x07, 0x2d, 0x8f, 0x81, 0x76,
0x9c, 0x55, 0x89, 0x7e, 0xa8, 0xd0, 0xcb, 0xcf, 0x80, 0x76, 0x88, 0xf4, 0xe0, 0xcf, 0xd1, 0x72,
0xc2, 0x80, 0x3a, 0x15, 0x59, 0xab, 0xb7, 0x73, 0xb5, 0x72, 0x8b, 0xbd, 0x2d, 0x6a, 0xd4, 0x66,
0x40, 0x5b, 0xe1, 0x45, 0x64, 0x94, 0x84, 0x85, 0x48, 0x05, 0x3c, 0x40, 0x5b, 0xc1, 0x28, 0x06,
0xca, 0xa2, 0x50, 0xb4, 0x8a, 0xf0, 0x38, 0xf6, 0xbd, 0x54, 0x5f, 0x9b, 0x4e, 0x6a, 0x5b, 0xad,
0x19, 0x0d, 0x72, 0x47, 0x15, 0xbf, 0x8b, 0x6c, 0x16, 0x25, 0xb4, 0x0b, 0xad, 0x53, 0xe6, 0xa0,
0x9d, 0x52, 0xc3, 0x6e, 0xae, 0x8b, 0x97, 0x76, 0xa6, 0x8d, 0xc4, 0xf8, 0xf1, 0x05, 0xb2, 0x23,
0xd9, 0x57, 0x04, 0x2e, 0x9c, 0x35, 0x19, 0xcf, 0xc7, 0xee, 0xa2, 0xab, 0x41, 0xb5, 0x29, 0x81,
0x0b, 0xa0, 0x10, 0x76, 0x21, 0xbd, 0x27, 0x33, 0x12, 0x23, 0x8d, 0x07, 0x68, 0x83, 0x02, 0x8b,
0xa3, 0x90, 0xc1, 0x19, 0xf7, 0x79, 0xc2, 0x9c, 0x87, 0xf2, 0xb2, 0xdd, 0xc5, 0xda, 0x2f, 0xe5,
0x34, 0xf1, 0x74, 0x52, 0xdb, 0x20, 0x05, 0x1d, 0x32, 0xa3, 0x8b, 0x7d, 0xb4, 0xae, 0x5e, 0x71,
0x1a, 0x88, 0xb3, 0x2e, 0x2f, 0x6a, 0xcc, 0xbd, 0x48, 0xad, 0x00, 0xb7, 0x1d, 0x5e, 0x86, 0xd1,
0x4f, 0x61, 0xf3, 0xd1, 0x74, 0x52, 0x5b, 0x27, 0x79, 0x09, 0x52, 0x54, 0xc4, 0x3d, 0x93, 0x8c,
0xba, 0x63, 0xe3, 0x9e, 0x77, 0x14, 0x12, 0x51, 0x97, 0xcc, 0x68, 0xd6, 0xff, 0xb0, 0x90, 0x2d,
0xd7, 0xc8, 0x71, 0xc0, 0x38, 0xfe, 0xee, 0xce, 0x2a, 0x71, 0x17, 0x2b, 0x9d, 0x60, 0xcb, 0x45,
0xb2, 0xa5, 0xba, 0xb2, 0xa2, 0x2d, 0xb9, 0x35, 0x72, 0x8e, 0xca, 0x01, 0x87, 0x11, 0x73, 0x1e,
0xec, 0x94, 0x1a, 0x6b, 0x07, 0xde, 0xe2, 0x2d, 0x20, 0x23, 0x6c, 0xae, 0xeb, 0xe1, 0x6c, 0x09,
0x15, 0x92, 0x8a, 0xd5, 0x7f, 0xb7, 0xd0, 0xc6, 0x67, 0x34, 0x4a, 0x62, 0x02, 0x69, 0xc7, 0x31,
0xfc, 0x16, 0x2a, 0xf7, 0x85, 0x45, 0xe6, 0x60, 0x1b, 0x5e, 0x0a, 0x4b, 0x7d, 0xa2, 0x83, 0xa9,
0x66, 0xc8, 0x88, 0x54, 0x07, 0x67, 0x32, 0xc4, 0xf8, 0xf1, 0x47, 0xe2, 0x7d, 0xa7, 0x87, 0x13,
0x7f, 0x04, 0xcc, 0x29, 0x49, 0x82, 0x7a, 0x8b, 0x39, 0x07, 0x29, 0xe2, 0xea, 0xbf, 0x94, 0xd0,
0xe6, 0x4c, 0x03, 0xe3, 0x5d, 0x54, 0xd1, 0x20, 0x15, 0x61, 0x56, 0x35, 0xad, 0x45, 0x32, 0x04,
0xf6, 0x90, 0x1d, 0x0a, 0xa9, 0xd8, 0xef, 0x82, 0x5a, 0xc0, 0xd9, 0x8a, 0x3c, 0xd1, 0x0e, 0x62,
0x30, 0x62, 0xe1, 0x88, 0x83, 0x5c, 0xbd, 0xb9, 0x85, 0x23, 0xb0, 0x44, 0x7a, 0x70, 0x13, 0x95,
0x92, 0xa0, 0xa7, 0x16, 0xe8, 0x9e, 0x02, 0x94, 0xda, 0x8b, 0x2e, 0x4f, 0x41, 0x16, 0xab, 0xd0,
0x8f, 0x83, 0x67, 0x40, 0x59, 0x10, 0x85, 0x6a, 0x7b, 0x66, 0xab, 0xf0, 0xe8, 0xb4, 0xa5, 0x3c,
0x24, 0x87, 0xc2, 0x47, 0x68, 0x53, 0xa7, 0xa5, 0x89, 0xe9, 0x0e, 0x7d, 0x43, 0x11, 0x37, 0x49,
0xd1, 0x4d, 0x66, 0xf1, 0xf8, 0x03, 0xb4, 0xc6, 0x92, 0x4e, 0x56, 0xbe, 0x74, 0xa9, 0x3e, 0x56,
0xf4, 0xb5, 0x33, 0xe3, 0x22, 0x79, 0x5c, 0xfd, 0x6f, 0x0b, 0xad, 0x9c, 0x46, 0xc3, 0xa0, 0x7b,
0xf5, 0x0a, 0x3e, 0x97, 0x5f, 0xa3, 0x32, 0x4d, 0x86, 0xa0, 0xfb, 0xfc, 0x70, 0xf1, 0x3e, 0x4f,
0x43, 0x24, 0xc9, 0x10, 0x4c, 0xd3, 0x8a, 0x13, 0x23, 0xa9, 0x62, 0xfd, 0x4f, 0x0b, 0xa1, 0x14,
0xf4, 0x0a, 0xe6, 0xb5, 0x5d, 0x9c, 0xd7, 0xbd, 0xfb, 0xe6, 0x31, 0x67, 0x60, 0x7f, 0x2d, 0xe9,
0x1c, 0x44, 0x6a, 0xe6, 0xe7, 0xc2, 0x5a, 0xe4, 0xe7, 0xa2, 0x86, 0xca, 0xe2, 0x4b, 0xa7, 0x27,
0xd6, 0x16, 0x48, 0xf1, 0x41, 0x62, 0x24, 0xb5, 0x63, 0x17, 0x21, 0xf1, 0x20, 0x47, 0x5d, 0x8f,
0xe9, 0x86, 0x78, 0x55, 0xed, 0xcc, 0x4a, 0x72, 0x08, 0x21, 0x28, 0x3e, 0xc2, 0xcc, 0x59, 0x36,
0x82, 0xe2, 0xdb, 0xcc, 0x48, 0x6a, 0xc7, 0x41, 0x7e, 0x4f, 0x94, 0x65, 0x25, 0x9e, 0x2c, 0x5e,
0x89, 0xe2, 0x66, 0x32, 0x93, 0xfb, 0xd2, 0x2d, 0xe3, 0x22, 0x94, 0x8d, 0x31, 0x73, 0x56, 0x4c,
0xec, 0xd9, 0x9c, 0x33, 0x92, 0x43, 0xe0, 0x4f, 0xd0, 0x66, 0x18, 0x85, 0x5a, 0xaa, 0x4d, 0x8e,
0x99, 0xb3, 0x2a, 0x49, 0x8f, 0xc5, 0x2c, 0x9d, 0x14, 0x5d, 0x64, 0x16, 0xdb, 0x74, 0xaf, 0x6f,
0xaa, 0x4b, 0xcf, 0x6f, 0xaa, 0x4b, 0x2f, 0x6e, 0xaa, 0x4b, 0x3f, 0x4f, 0xab, 0xd6, 0xf5, 0xb4,
0x6a, 0x3d, 0x9f, 0x56, 0xad, 0x17, 0xd3, 0xaa, 0xf5, 0xcf, 0xb4, 0x6a, 0xfd, 0xf6, 0x6f, 0x75,
0xe9, 0x9b, 0x8a, 0xce, 0xe5, 0xbf, 0x00, 0x00, 0x00, 0xff, 0xff, 0x6c, 0x88, 0x4f, 0x33, 0x21,
0x0c, 0x00, 0x00,
// 1129 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0xcd, 0x6e, 0x23, 0x45,
0x10, 0xce, 0xac, 0xe3, 0x8d, 0xa7, 0xb3, 0xf9, 0xd9, 0x5e, 0xc4, 0x8e, 0x72, 0xb0, 0x83, 0x91,
0x90, 0x05, 0x61, 0x26, 0x09, 0x81, 0x5d, 0x0e, 0x1c, 0x62, 0x2d, 0x02, 0x4b, 0x21, 0x84, 0x4e,
0xbc, 0x12, 0x3f, 0x07, 0xc6, 0x76, 0xc5, 0x1e, 0xe2, 0xf9, 0xa1, 0xbb, 0xc7, 0x28, 0x37, 0x0e,
0x3c, 0x00, 0x77, 0x1e, 0x66, 0x85, 0x04, 0x52, 0x8e, 0x7b, 0xdc, 0x93, 0x45, 0xcc, 0x5b, 0xe4,
0x84, 0xba, 0xa7, 0x7b, 0x7a, 0xec, 0xac, 0x85, 0x73, 0xd9, 0xdb, 0x74, 0xd5, 0xf7, 0x7d, 0x5d,
0x55, 0x53, 0x55, 0x33, 0xe8, 0x9b, 0x8b, 0xa7, 0xcc, 0x0d, 0x62, 0xef, 0x22, 0xed, 0x00, 0x8d,
0x80, 0x03, 0xf3, 0x46, 0x10, 0xf5, 0x62, 0xea, 0x29, 0x87, 0x9f, 0x04, 0x0c, 0xe8, 0x08, 0xa8,
0x97, 0x5c, 0xf4, 0xe5, 0xc9, 0xf3, 0xd3, 0x5e, 0xc0, 0xbd, 0xd1, 0x9e, 0x3f, 0x4c, 0x06, 0xfe,
0x9e, 0xd7, 0x87, 0x08, 0xa8, 0xcf, 0xa1, 0xe7, 0x26, 0x34, 0xe6, 0x31, 0x6e, 0x64, 0x4c, 0x37,
0x67, 0xba, 0xc9, 0x45, 0x5f, 0x9e, 0x5c, 0xc9, 0x74, 0x35, 0x73, 0xeb, 0xc3, 0x7e, 0xc0, 0x07,
0x69, 0xc7, 0xed, 0xc6, 0xa1, 0xd7, 0x8f, 0xfb, 0xb1, 0x27, 0x05, 0x3a, 0xe9, 0xb9, 0x3c, 0xc9,
0x83, 0x7c, 0xca, 0x84, 0xb7, 0x76, 0x4c, 0x48, 0x9e, 0x9f, 0xf2, 0x01, 0x44, 0x3c, 0xe8, 0xfa,
0x3c, 0x88, 0x23, 0x6f, 0x74, 0x2b, 0x8c, 0xad, 0x03, 0x83, 0x0e, 0xfd, 0xee, 0x20, 0x88, 0x80,
0x5e, 0x9a, 0x1c, 0x42, 0xe0, 0xfe, 0xeb, 0x58, 0xde, 0x3c, 0x16, 0x4d, 0x23, 0x1e, 0x84, 0x70,
0x8b, 0xf0, 0xc9, 0xff, 0x11, 0x58, 0x77, 0x00, 0xa1, 0x7f, 0x8b, 0xf7, 0xd1, 0x3c, 0x5e, 0xca,
0x83, 0xa1, 0x17, 0x44, 0x9c, 0x71, 0x3a, 0x4b, 0xaa, 0xff, 0x55, 0x41, 0xe5, 0xcf, 0x47, 0x10,
0x71, 0xfc, 0x23, 0xaa, 0x88, 0x14, 0x7a, 0x3e, 0xf7, 0x1d, 0x6b, 0xdb, 0x6a, 0xac, 0xee, 0xef,
0xba, 0xa6, 0xee, 0xb9, 0xa2, 0x29, 0xbd, 0x40, 0xbb, 0xa3, 0x3d, 0xf7, 0xeb, 0xce, 0x4f, 0xd0,
0xe5, 0x5f, 0x01, 0xf7, 0x9b, 0xf8, 0x6a, 0x5c, 0x5b, 0x9a, 0x8c, 0x6b, 0xc8, 0xd8, 0x48, 0xae,
0x8a, 0x77, 0x50, 0x79, 0x08, 0x23, 0x18, 0x3a, 0xf7, 0xb6, 0xad, 0x86, 0xdd, 0x7c, 0x5b, 0x81,
0xcb, 0x47, 0xc2, 0x78, 0xa3, 0x1f, 0x48, 0x06, 0xc2, 0xdf, 0x23, 0x5b, 0x64, 0xcb, 0xb8, 0x1f,
0x26, 0x4e, 0x49, 0x06, 0xf4, 0xfe, 0x62, 0x01, 0x9d, 0x05, 0x21, 0x34, 0x1f, 0x2a, 0x75, 0xfb,
0x4c, 0x8b, 0x10, 0xa3, 0x87, 0x8f, 0xd1, 0x8a, 0xec, 0x9c, 0xd6, 0x33, 0x67, 0x59, 0x06, 0x73,
0xa0, 0xe0, 0x2b, 0x87, 0x99, 0xf9, 0x66, 0x5c, 0x7b, 0x67, 0x5e, 0x3d, 0xf9, 0x65, 0x02, 0xcc,
0x6d, 0xb7, 0x9e, 0x11, 0x2d, 0x22, 0x52, 0x63, 0xdc, 0xef, 0x83, 0x53, 0x9e, 0x4e, 0xed, 0x54,
0x18, 0x6f, 0xf4, 0x03, 0xc9, 0x40, 0x78, 0x1f, 0x21, 0x0a, 0x3f, 0xa7, 0xc0, 0x78, 0x9b, 0xb4,
0x9c, 0xfb, 0x92, 0x92, 0x97, 0x8e, 0xe4, 0x1e, 0x52, 0x40, 0xe1, 0x6d, 0xb4, 0x3c, 0x02, 0xda,
0x71, 0x56, 0x24, 0xfa, 0x81, 0x42, 0x2f, 0x3f, 0x07, 0xda, 0x21, 0xd2, 0x83, 0xbf, 0x44, 0xcb,
0x29, 0x03, 0xea, 0x54, 0x64, 0xad, 0xde, 0x2b, 0xd4, 0xca, 0x9d, 0xee, 0x6d, 0x51, 0xa3, 0x36,
0x03, 0xda, 0x8a, 0xce, 0x63, 0xa3, 0x24, 0x2c, 0x44, 0x2a, 0xe0, 0x01, 0xda, 0x0c, 0xc2, 0x04,
0x28, 0x8b, 0x23, 0xd1, 0x2a, 0xc2, 0xe3, 0xd8, 0x77, 0x52, 0x7d, 0x6b, 0x32, 0xae, 0x6d, 0xb6,
0x66, 0x34, 0xc8, 0x2d, 0x55, 0xfc, 0x01, 0xb2, 0x59, 0x9c, 0xd2, 0x2e, 0xb4, 0x4e, 0x98, 0x83,
0xb6, 0x4b, 0x0d, 0xbb, 0xb9, 0x26, 0x5e, 0xda, 0xa9, 0x36, 0x12, 0xe3, 0xc7, 0xe7, 0xc8, 0x8e,
0x65, 0x5f, 0x11, 0x38, 0x77, 0x56, 0x65, 0x3c, 0x9f, 0xba, 0x8b, 0xae, 0x06, 0xd5, 0xa6, 0x04,
0xce, 0x81, 0x42, 0xd4, 0x85, 0xec, 0x9e, 0xdc, 0x48, 0x8c, 0x34, 0x1e, 0xa0, 0x75, 0x0a, 0x2c,
0x89, 0x23, 0x06, 0xa7, 0xdc, 0xe7, 0x29, 0x73, 0x1e, 0xc8, 0xcb, 0x76, 0x16, 0x6b, 0xbf, 0x8c,
0xd3, 0xc4, 0x93, 0x71, 0x6d, 0x9d, 0x4c, 0xe9, 0x90, 0x19, 0x5d, 0xec, 0xa3, 0x35, 0xf5, 0x8a,
0xb3, 0x40, 0x9c, 0x35, 0x79, 0x51, 0x63, 0xee, 0x45, 0x6a, 0x05, 0xb8, 0xed, 0xe8, 0x22, 0x8a,
0x7f, 0x89, 0x9a, 0x0f, 0x27, 0xe3, 0xda, 0x1a, 0x29, 0x4a, 0x90, 0x69, 0x45, 0xdc, 0x33, 0xc9,
0xa8, 0x3b, 0xd6, 0xef, 0x78, 0xc7, 0x54, 0x22, 0xea, 0x92, 0x19, 0xcd, 0xfa, 0x0b, 0x0b, 0xd9,
0x72, 0x8d, 0x1c, 0x05, 0x8c, 0xe3, 0x1f, 0x6e, 0xad, 0x12, 0x77, 0xb1, 0xd2, 0x09, 0xb6, 0x5c,
0x24, 0x9b, 0xaa, 0x2b, 0x2b, 0xda, 0x52, 0x58, 0x23, 0x67, 0xa8, 0x1c, 0x70, 0x08, 0x99, 0x73,
0x6f, 0xbb, 0xd4, 0x58, 0xdd, 0xf7, 0x16, 0x6f, 0x01, 0x19, 0x61, 0x73, 0x4d, 0x0f, 0x67, 0x4b,
0xa8, 0x90, 0x4c, 0xac, 0xfe, 0x87, 0x85, 0xd6, 0xbf, 0xa0, 0x71, 0x9a, 0x10, 0xc8, 0x3a, 0x8e,
0xe1, 0x77, 0x51, 0xb9, 0x2f, 0x2c, 0x32, 0x07, 0xdb, 0xf0, 0x32, 0x58, 0xe6, 0x13, 0x1d, 0x4c,
0x35, 0x43, 0x46, 0xa4, 0x3a, 0x38, 0x97, 0x21, 0xc6, 0x8f, 0x9f, 0x88, 0xf7, 0x9d, 0x1d, 0x8e,
0xfd, 0x10, 0x98, 0x53, 0x92, 0x04, 0xf5, 0x16, 0x0b, 0x0e, 0x32, 0x8d, 0xab, 0xff, 0x56, 0x42,
0x1b, 0x33, 0x0d, 0x8c, 0x77, 0x50, 0x45, 0x83, 0x54, 0x84, 0x79, 0xd5, 0xb4, 0x16, 0xc9, 0x11,
0xd8, 0x43, 0x76, 0x24, 0xa4, 0x12, 0xbf, 0x0b, 0x6a, 0x01, 0xe7, 0x2b, 0xf2, 0x58, 0x3b, 0x88,
0xc1, 0x88, 0x85, 0x23, 0x0e, 0x72, 0xf5, 0x16, 0x16, 0x8e, 0xc0, 0x12, 0xe9, 0xc1, 0x4d, 0x54,
0x4a, 0x83, 0x9e, 0x5a, 0xa0, 0xbb, 0x0a, 0x50, 0x6a, 0x2f, 0xba, 0x3c, 0x05, 0x59, 0xac, 0x42,
0x3f, 0x09, 0x9e, 0x03, 0x65, 0x41, 0x1c, 0xa9, 0xed, 0x99, 0xaf, 0xc2, 0xc3, 0x93, 0x96, 0xf2,
0x90, 0x02, 0x0a, 0x1f, 0xa2, 0x0d, 0x9d, 0x96, 0x26, 0x66, 0x3b, 0xf4, 0xb1, 0x22, 0x6e, 0x90,
0x69, 0x37, 0x99, 0xc5, 0xe3, 0x8f, 0xd1, 0x2a, 0x4b, 0x3b, 0x79, 0xf9, 0xb2, 0xa5, 0xfa, 0x48,
0xd1, 0x57, 0x4f, 0x8d, 0x8b, 0x14, 0x71, 0xf5, 0xbf, 0x2d, 0x74, 0xff, 0x24, 0x1e, 0x06, 0xdd,
0xcb, 0x37, 0xf0, 0xb9, 0xfc, 0x16, 0x95, 0x69, 0x3a, 0x04, 0xdd, 0xe7, 0x07, 0x8b, 0xf7, 0x79,
0x16, 0x22, 0x49, 0x87, 0x60, 0x9a, 0x56, 0x9c, 0x18, 0xc9, 0x14, 0xeb, 0x7f, 0x5a, 0x08, 0x65,
0xa0, 0x37, 0x30, 0xaf, 0xed, 0xe9, 0x79, 0xdd, 0xbd, 0x6b, 0x1e, 0x73, 0x06, 0xf6, 0x45, 0x49,
0xe7, 0x20, 0x52, 0x33, 0x3f, 0x17, 0xd6, 0x22, 0x3f, 0x17, 0x35, 0x54, 0x16, 0x5f, 0x3a, 0x3d,
0xb1, 0xb6, 0x40, 0x8a, 0x0f, 0x12, 0x23, 0x99, 0x1d, 0xbb, 0x08, 0x89, 0x07, 0x39, 0xea, 0x7a,
0x4c, 0xd7, 0xc5, 0xab, 0x6a, 0xe7, 0x56, 0x52, 0x40, 0x08, 0x41, 0xf1, 0x11, 0x66, 0xce, 0xb2,
0x11, 0x14, 0xdf, 0x66, 0x46, 0x32, 0x3b, 0x0e, 0x8a, 0x7b, 0xa2, 0x2c, 0x2b, 0xf1, 0x74, 0xf1,
0x4a, 0x4c, 0x6f, 0x26, 0x33, 0xb9, 0xaf, 0xdd, 0x32, 0x2e, 0x42, 0xf9, 0x18, 0x33, 0xe7, 0xbe,
0x89, 0x3d, 0x9f, 0x73, 0x46, 0x0a, 0x08, 0xfc, 0x19, 0xda, 0x88, 0xe2, 0x48, 0x4b, 0xb5, 0xc9,
0x11, 0x73, 0x56, 0x24, 0xe9, 0x91, 0x98, 0xa5, 0xe3, 0x69, 0x17, 0x99, 0xc5, 0xe2, 0x27, 0x08,
0xc5, 0x61, 0xc0, 0xe5, 0x1f, 0x0e, 0x73, 0x2a, 0x92, 0xf9, 0x58, 0x76, 0x75, 0x6e, 0x35, 0x7f,
0x40, 0x05, 0x68, 0xd3, 0xbd, 0xba, 0xae, 0x2e, 0xbd, 0xbc, 0xae, 0x2e, 0xbd, 0xba, 0xae, 0x2e,
0xfd, 0x3a, 0xa9, 0x5a, 0x57, 0x93, 0xaa, 0xf5, 0x72, 0x52, 0xb5, 0x5e, 0x4d, 0xaa, 0xd6, 0x3f,
0x93, 0xaa, 0xf5, 0xfb, 0xbf, 0xd5, 0xa5, 0xef, 0x2a, 0xba, 0x08, 0xff, 0x05, 0x00, 0x00, 0xff,
0xff, 0x92, 0xdb, 0xa5, 0x50, 0x5a, 0x0c, 0x00, 0x00,
}

4
staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.proto
View File

@ -205,5 +205,9 @@ message PolicyRule {
// "/healthz*" - Log all health checks
// +optional
repeated string nonResourceURLs = 7;
// OmitStages specify events generated in which stages will not be emitted to backend.
// An empty list means no restrictions will apply.
repeated string omitStages = 8;
}

4
staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go
View File

@ -208,6 +208,10 @@ type PolicyRule struct {
// "/healthz*" - Log all health checks
// +optional
NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,7,rep,name=nonResourceURLs"`
// OmitStages specify events generated in which stages will not be emitted to backend.
// An empty list means no restrictions will apply.
OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,8,rep,name=omitStages"`
}
// GroupResources represents resource kinds in an API group.

2
staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.conversion.go
View File

@ -264,6 +264,7 @@ func autoConvert_v1alpha1_PolicyRule_To_audit_PolicyRule(in *PolicyRule, out *au
out.Resources = *(*[]audit.GroupResources)(unsafe.Pointer(&in.Resources))
out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs))
out.OmitStages = *(*[]audit.Stage)(unsafe.Pointer(&in.OmitStages))
return nil
}
@ -280,6 +281,7 @@ func autoConvert_audit_PolicyRule_To_v1alpha1_PolicyRule(in *audit.PolicyRule, o
out.Resources = *(*[]GroupResources)(unsafe.Pointer(&in.Resources))
out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs))
out.OmitStages = *(*[]Stage)(unsafe.Pointer(&in.OmitStages))
return nil
}

5
staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.deepcopy.go
View File

@ -327,6 +327,11 @@ func (in *PolicyRule) DeepCopyInto(out *PolicyRule) {
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.OmitStages != nil {
in, out := &in.OmitStages, &out.OmitStages
*out = make([]Stage, len(*in))
copy(*out, *in)
}
return
}

195
staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.pb.go
View File

@ -547,6 +547,21 @@ func (m *PolicyRule) MarshalTo(dAtA []byte) (int, error) {
i += copy(dAtA[i:], s)
}
}
if len(m.OmitStages) > 0 {
for _, s := range m.OmitStages {
dAtA[i] = 0x42
i++
l = len(s)
for l >= 1<<7 {
dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
l >>= 7
i++
}
dAtA[i] = uint8(l)
i++
i += copy(dAtA[i:], s)
}
}
return i, nil
}
@ -750,6 +765,12 @@ func (m *PolicyRule) Size() (n int) {
n += 1 + l + sovGenerated(uint64(l))
}
}
if len(m.OmitStages) > 0 {
for _, s := range m.OmitStages {
l = len(s)
n += 1 + l + sovGenerated(uint64(l))
}
}
return n
}
@ -863,6 +884,7 @@ func (this *PolicyRule) String() string {
`Resources:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Resources), "GroupResources", "GroupResources", 1), `&`, ``, 1) + `,`,
`Namespaces:` + fmt.Sprintf("%v", this.Namespaces) + `,`,
`NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`,
`OmitStages:` + fmt.Sprintf("%v", this.OmitStages) + `,`,
`}`,
}, "")
return s
@ -2340,6 +2362,35 @@ func (m *PolicyRule) Unmarshal(dAtA []byte) error {
}
m.NonResourceURLs = append(m.NonResourceURLs, string(dAtA[iNdEx:postIndex]))
iNdEx = postIndex
case 8:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field OmitStages", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
stringLen |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
intStringLen := int(stringLen)
if intStringLen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + intStringLen
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.OmitStages = append(m.OmitStages, Stage(dAtA[iNdEx:postIndex]))
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
@ -2471,76 +2522,78 @@ func init() {
}
var fileDescriptorGenerated = []byte{
// 1131 bytes of a gzipped FileDescriptorProto
// 1153 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0x4f, 0x6f, 0x1b, 0x45,
0x14, 0xcf, 0xd6, 0x71, 0xe2, 0x9d, 0x34, 0x7f, 0x3a, 0x45, 0xb0, 0xca, 0xc1, 0x0e, 0x46, 0x82,
0x08, 0xd2, 0xdd, 0xa6, 0x2d, 0x34, 0x17, 0x0e, 0xb1, 0x8a, 0xc0, 0x52, 0x08, 0xd1, 0x24, 0xae,
0x10, 0x70, 0x60, 0x6c, 0xbf, 0xd8, 0x4b, 0xec, 0xdd, 0x65, 0x66, 0xd6, 0x28, 0x37, 0x2e, 0xdc,
0xb9, 0xf3, 0x2d, 0xf8, 0x00, 0x08, 0x09, 0x0e, 0x39, 0xf6, 0xd8, 0x93, 0x45, 0xcc, 0xb7, 0xc8,
0x09, 0xcd, 0xec, 0xec, 0xce, 0xae, 0x5d, 0x53, 0xe7, 0xd2, 0x9b, 0xe7, 0xbd, 0xdf, 0xef, 0x37,
0xef, 0xbd, 0x79, 0xef, 0xad, 0xd1, 0xc9, 0xc5, 0x01, 0x77, 0xfd, 0xd0, 0xbb, 0x88, 0xdb, 0xc0,
0x02, 0x10, 0xc0, 0xbd, 0x11, 0x04, 0xdd, 0x90, 0x79, 0xda, 0x41, 0x23, 0x9f, 0x03, 0x1b, 0x01,
0xf3, 0xa2, 0x8b, 0x9e, 0x3a, 0x79, 0x34, 0xee, 0xfa, 0xc2, 0x1b, 0xed, 0xb7, 0x41, 0xd0, 0x7d,
0xaf, 0x07, 0x01, 0x30, 0x2a, 0xa0, 0xeb, 0x46, 0x2c, 0x14, 0x21, 0xfe, 0x20, 0x21, 0xba, 0x19,
0xd1, 0x8d, 0x2e, 0x7a, 0xea, 0xe4, 0x2a, 0xa2, 0xab, 0x89, 0xdb, 0x0f, 0x7a, 0xbe, 0xe8, 0xc7,
0x6d, 0xb7, 0x13, 0x0e, 0xbd, 0x5e, 0xd8, 0x0b, 0x3d, 0xc5, 0x6f, 0xc7, 0xe7, 0xea, 0xa4, 0x0e,
0xea, 0x57, 0xa2, 0xbb, 0xbd, 0x67, 0x02, 0xf2, 0x68, 0x2c, 0xfa, 0x10, 0x08, 0xbf, 0x43, 0x85,
0x1f, 0x06, 0xde, 0x68, 0x26, 0x8a, 0xed, 0x27, 0x06, 0x3d, 0xa4, 0x9d, 0xbe, 0x1f, 0x00, 0xbb,
0x34, 0x19, 0x0c, 0x41, 0xd0, 0x57, 0xb1, 0xbc, 0x79, 0x2c, 0x16, 0x07, 0xc2, 0x1f, 0xc2, 0x0c,
0xe1, 0x93, 0xd7, 0x11, 0x78, 0xa7, 0x0f, 0x43, 0x3a, 0xc3, 0x7b, 0x3c, 0x8f, 0x17, 0x0b, 0x7f,
0xe0, 0xf9, 0x81, 0xe0, 0x82, 0xcd, 0x90, 0x0e, 0x5e, 0xff, 0x24, 0x74, 0x10, 0xf5, 0x67, 0xdf,
0xa4, 0xfe, 0x57, 0x05, 0x95, 0x3f, 0x1b, 0x41, 0x20, 0xf0, 0xf7, 0xa8, 0x22, 0x93, 0xef, 0x52,
0x41, 0x1d, 0x6b, 0xc7, 0xda, 0x5d, 0x7b, 0xf4, 0xd0, 0x35, 0x0f, 0x96, 0xc5, 0x62, 0xde, 0x4c,
0xa2, 0xdd, 0xd1, 0xbe, 0xfb, 0x55, 0xfb, 0x07, 0xe8, 0x88, 0x2f, 0x41, 0xd0, 0x06, 0xbe, 0x1a,
0xd7, 0x96, 0x26, 0xe3, 0x1a, 0x32, 0x36, 0x92, 0xa9, 0xe2, 0x3d, 0x54, 0x1e, 0xc0, 0x08, 0x06,
0xce, 0x9d, 0x1d, 0x6b, 0xd7, 0x6e, 0xbc, 0xad, 0xc1, 0xe5, 0x23, 0x69, 0xbc, 0x49, 0x7f, 0x90,
0x04, 0x84, 0xbf, 0x45, 0xb6, 0xac, 0x13, 0x17, 0x74, 0x18, 0x39, 0x25, 0x15, 0xd0, 0x87, 0x8b,
0x05, 0x74, 0xe6, 0x0f, 0xa1, 0x71, 0x4f, 0xab, 0xdb, 0x67, 0xa9, 0x08, 0x31, 0x7a, 0xf8, 0x18,
0xad, 0xaa, 0xc2, 0x34, 0x9f, 0x39, 0xcb, 0x2a, 0x98, 0x27, 0x1a, 0xbe, 0x7a, 0x98, 0x98, 0x6f,
0xc6, 0xb5, 0x77, 0xe7, 0xbd, 0x84, 0xb8, 0x8c, 0x80, 0xbb, 0xad, 0xe6, 0x33, 0x92, 0x8a, 0xc8,
0xd4, 0xb8, 0xa0, 0x3d, 0x70, 0xca, 0xc5, 0xd4, 0x4e, 0xa5, 0xf1, 0x26, 0xfd, 0x41, 0x12, 0x10,
0x7e, 0x84, 0x10, 0x83, 0x1f, 0x63, 0xe0, 0xa2, 0x45, 0x9a, 0xce, 0x8a, 0xa2, 0x64, 0xa5, 0x23,
0x99, 0x87, 0xe4, 0x50, 0x78, 0x07, 0x2d, 0x8f, 0x80, 0xb5, 0x9d, 0x55, 0x85, 0xbe, 0xab, 0xd1,
0xcb, 0xcf, 0x81, 0xb5, 0x89, 0xf2, 0xe0, 0x2f, 0xd0, 0x72, 0xcc, 0x81, 0x39, 0x15, 0x55, 0xab,
0xf7, 0x73, 0xb5, 0x72, 0x8b, 0x53, 0x21, 0x6b, 0xd4, 0xe2, 0xc0, 0x9a, 0xc1, 0x79, 0x68, 0x94,
0xa4, 0x85, 0x28, 0x05, 0xdc, 0x47, 0x5b, 0xfe, 0x30, 0x02, 0xc6, 0xc3, 0x40, 0xb6, 0x8a, 0xf4,
0x38, 0xf6, 0xad, 0x54, 0xdf, 0x9a, 0x8c, 0x6b, 0x5b, 0xcd, 0x29, 0x0d, 0x32, 0xa3, 0x8a, 0x3f,
0x42, 0x36, 0x0f, 0x63, 0xd6, 0x81, 0xe6, 0x09, 0x77, 0xd0, 0x4e, 0x69, 0xd7, 0x6e, 0xac, 0xcb,
0x47, 0x3b, 0x4d, 0x8d, 0xc4, 0xf8, 0x31, 0x20, 0x3b, 0x54, 0x7d, 0x45, 0xe0, 0xdc, 0x59, 0x53,
0xf1, 0x1c, 0xb8, 0x0b, 0xee, 0x14, 0xdd, 0xa5, 0x04, 0xce, 0x81, 0x41, 0xd0, 0x81, 0xe4, 0x9a,
0xcc, 0x48, 0x8c, 0x32, 0xee, 0xa3, 0x0d, 0x06, 0x3c, 0x0a, 0x03, 0x0e, 0xa7, 0x82, 0x8a, 0x98,
0x3b, 0x77, 0xd5, 0x5d, 0x7b, 0x8b, 0x75, 0x5f, 0xc2, 0x69, 0xe0, 0xc9, 0xb8, 0xb6, 0x41, 0x0a,
0x3a, 0x64, 0x4a, 0x17, 0x53, 0xb4, 0xae, 0x5f, 0x38, 0x09, 0xc4, 0x59, 0x57, 0x17, 0xed, 0xce,
0xbd, 0x48, 0xef, 0x0e, 0xb7, 0x15, 0x5c, 0x04, 0xe1, 0x4f, 0x41, 0xe3, 0xde, 0x64, 0x5c, 0x5b,
0x27, 0x79, 0x09, 0x52, 0x54, 0xc4, 0x5d, 0x93, 0x8c, 0xbe, 0x63, 0xe3, 0x96, 0x77, 0x14, 0x12,
0xd1, 0x97, 0x4c, 0x69, 0xd6, 0xff, 0xb0, 0x90, 0xad, 0xb6, 0xc8, 0x91, 0xcf, 0x05, 0xfe, 0x6e,
0x66, 0x93, 0xb8, 0x8b, 0x95, 0x4e, 0xb2, 0xd5, 0x1e, 0xd9, 0xd2, 0x4d, 0x59, 0x49, 0x2d, 0xb9,
0x2d, 0x72, 0x8a, 0xca, 0xbe, 0x80, 0x21, 0x77, 0xee, 0xec, 0x94, 0xa6, 0xa4, 0xff, 0xbf, 0x03,
0x54, 0x80, 0x8d, 0xf5, 0x74, 0x34, 0x9b, 0x52, 0x84, 0x24, 0x5a, 0xf5, 0xdf, 0x2c, 0xb4, 0xf1,
0x39, 0x0b, 0xe3, 0x88, 0x40, 0xd2, 0x6f, 0x1c, 0xbf, 0x87, 0xca, 0x3d, 0x69, 0x51, 0x29, 0xd8,
0x86, 0x97, 0xc0, 0x12, 0x9f, 0xec, 0x5f, 0x96, 0x32, 0x54, 0x40, 0xba, 0x7f, 0x33, 0x19, 0x62,
0xfc, 0xf8, 0xa9, 0x7c, 0xee, 0xe4, 0x70, 0x4c, 0x87, 0xc0, 0x9d, 0x92, 0x22, 0xe8, 0x47, 0xcc,
0x39, 0x48, 0x11, 0x57, 0xff, 0xbd, 0x84, 0x36, 0xa7, 0xfa, 0x17, 0xef, 0xa1, 0x4a, 0x0a, 0xd2,
0x11, 0x66, 0x45, 0x4b, 0xb5, 0x48, 0x86, 0xc0, 0x1e, 0xb2, 0x03, 0x29, 0x15, 0xd1, 0x0e, 0xe8,
0xf5, 0x9b, 0x2d, 0xc8, 0xe3, 0xd4, 0x41, 0x0c, 0x46, 0xae, 0x1b, 0x79, 0x50, 0x8b, 0x37, 0xb7,
0x6e, 0x24, 0x96, 0x28, 0x0f, 0x6e, 0xa0, 0x52, 0xec, 0x77, 0xf5, 0xfa, 0x7c, 0xa8, 0x01, 0xa5,
0xd6, 0xa2, 0xab, 0x53, 0x92, 0x65, 0x12, 0x34, 0xf2, 0x55, 0x45, 0xf5, 0xe6, 0xcc, 0x92, 0x38,
0x3c, 0x69, 0x26, 0x95, 0xce, 0x10, 0x72, 0x6d, 0xd2, 0xc8, 0x7f, 0x0e, 0x8c, 0xfb, 0x61, 0x30,
0xbd, 0x36, 0x0f, 0x4f, 0x9a, 0xda, 0x43, 0x72, 0x28, 0x7c, 0x88, 0x36, 0xd3, 0x22, 0xa4, 0xc4,
0x64, 0x83, 0xbe, 0xa3, 0x89, 0x9b, 0xa4, 0xe8, 0x26, 0xd3, 0x78, 0xfc, 0x31, 0x5a, 0xe3, 0x71,
0x3b, 0x2b, 0x76, 0x45, 0xd1, 0xef, 0x6b, 0xfa, 0xda, 0xa9, 0x71, 0x91, 0x3c, 0xae, 0xfe, 0xb7,
0x85, 0x56, 0x4e, 0xc2, 0x81, 0xdf, 0xb9, 0x7c, 0x03, 0x9f, 0xd6, 0xaf, 0x51, 0x99, 0xc5, 0x03,
0x48, 0x87, 0xe2, 0xf1, 0xc2, 0x43, 0x91, 0x44, 0x48, 0xe2, 0x01, 0x98, 0x0e, 0x97, 0x27, 0x4e,
0x12, 0xc1, 0xfa, 0x9f, 0x16, 0x42, 0x09, 0xe8, 0x0d, 0xcc, 0xf6, 0x59, 0x71, 0xb6, 0xbd, 0x5b,
0xa6, 0x31, 0x67, 0xb8, 0x7f, 0x29, 0xa5, 0x29, 0xc8, 0xcc, 0xcc, 0xdf, 0x10, 0x6b, 0x91, 0xbf,
0x21, 0x35, 0x54, 0x96, 0xdf, 0xc4, 0x74, 0xba, 0x6d, 0x89, 0x94, 0x9f, 0x2e, 0x4e, 0x12, 0x3b,
0x76, 0x11, 0x92, 0x3f, 0x54, 0x8b, 0xa6, 0x23, 0xbd, 0x21, 0x1f, 0xaa, 0x95, 0x59, 0x49, 0x0e,
0x21, 0x05, 0xe5, 0xe7, 0x9a, 0x3b, 0xcb, 0x46, 0x50, 0x7e, 0xc5, 0x39, 0x49, 0xec, 0xb8, 0x9f,
0xdf, 0x29, 0x65, 0x55, 0x88, 0xa7, 0x0b, 0x17, 0xa2, 0xb8, 0xc4, 0xcc, 0x90, 0xbf, 0x72, 0x21,
0xb9, 0x08, 0x65, 0x13, 0xcf, 0x9d, 0x15, 0x13, 0x7a, 0xb6, 0x12, 0x38, 0xc9, 0x21, 0xf0, 0xa7,
0x68, 0x33, 0x08, 0x83, 0x54, 0xaa, 0x45, 0x8e, 0xb8, 0xb3, 0xaa, 0x48, 0xf7, 0xe5, 0x20, 0x1d,
0x17, 0x5d, 0x64, 0x1a, 0xdb, 0x78, 0x70, 0x75, 0x5d, 0x5d, 0x7a, 0x71, 0x5d, 0x5d, 0x7a, 0x79,
0x5d, 0x5d, 0xfa, 0x79, 0x52, 0xb5, 0xae, 0x26, 0x55, 0xeb, 0xc5, 0xa4, 0x6a, 0xbd, 0x9c, 0x54,
0xad, 0x7f, 0x26, 0x55, 0xeb, 0xd7, 0x7f, 0xab, 0x4b, 0xdf, 0xac, 0xea, 0x54, 0xfe, 0x0b, 0x00,
0x00, 0xff, 0xff, 0x88, 0x33, 0xe9, 0x19, 0x81, 0x0c, 0x00, 0x00,
0x14, 0xcf, 0xd6, 0x71, 0xe2, 0x9d, 0x34, 0x7f, 0x3a, 0x45, 0x74, 0x95, 0x83, 0x1d, 0x8c, 0x04,
0x11, 0xa4, 0xbb, 0x4d, 0x5b, 0x48, 0x2e, 0x1c, 0x62, 0x15, 0x81, 0xa5, 0x10, 0xa2, 0x49, 0x5c,
0x21, 0xe0, 0xc0, 0xd8, 0x7e, 0xb1, 0x97, 0x78, 0xff, 0x30, 0x33, 0x6b, 0x94, 0x1b, 0x1f, 0x81,
0x3b, 0xdf, 0x82, 0x0f, 0x50, 0x21, 0xc1, 0x21, 0xc7, 0x1e, 0x7b, 0xb2, 0x88, 0xf9, 0x16, 0x39,
0xa1, 0x99, 0x9d, 0xdd, 0x59, 0xdb, 0x4d, 0xeb, 0x5c, 0x7a, 0xdb, 0x7d, 0xef, 0xf7, 0xfb, 0xcd,
0x7b, 0x6f, 0xde, 0x7b, 0xbb, 0xe8, 0xf8, 0x7c, 0x9f, 0xbb, 0x7e, 0xe4, 0x9d, 0x27, 0x6d, 0x60,
0x21, 0x08, 0xe0, 0xde, 0x10, 0xc2, 0x6e, 0xc4, 0x3c, 0xed, 0xa0, 0xb1, 0xcf, 0x81, 0x0d, 0x81,
0x79, 0xf1, 0x79, 0x4f, 0xbd, 0x79, 0x34, 0xe9, 0xfa, 0xc2, 0x1b, 0xee, 0xb6, 0x41, 0xd0, 0x5d,
0xaf, 0x07, 0x21, 0x30, 0x2a, 0xa0, 0xeb, 0xc6, 0x2c, 0x12, 0x11, 0xfe, 0x38, 0x25, 0xba, 0x39,
0xd1, 0x8d, 0xcf, 0x7b, 0xea, 0xcd, 0x55, 0x44, 0x57, 0x13, 0x37, 0x1f, 0xf6, 0x7c, 0xd1, 0x4f,
0xda, 0x6e, 0x27, 0x0a, 0xbc, 0x5e, 0xd4, 0x8b, 0x3c, 0xc5, 0x6f, 0x27, 0x67, 0xea, 0x4d, 0xbd,
0xa8, 0xa7, 0x54, 0x77, 0x73, 0xc7, 0x04, 0xe4, 0xd1, 0x44, 0xf4, 0x21, 0x14, 0x7e, 0x87, 0x0a,
0x3f, 0x0a, 0xbd, 0xe1, 0x4c, 0x14, 0x9b, 0x4f, 0x0d, 0x3a, 0xa0, 0x9d, 0xbe, 0x1f, 0x02, 0xbb,
0x30, 0x19, 0x04, 0x20, 0xe8, 0xeb, 0x58, 0xde, 0x4d, 0x2c, 0x96, 0x84, 0xc2, 0x0f, 0x60, 0x86,
0xf0, 0xf9, 0xdb, 0x08, 0xbc, 0xd3, 0x87, 0x80, 0xce, 0xf0, 0x9e, 0xdc, 0xc4, 0x4b, 0x84, 0x3f,
0xf0, 0xfc, 0x50, 0x70, 0xc1, 0x66, 0x48, 0xfb, 0x6f, 0xbf, 0x12, 0x3a, 0x88, 0xfb, 0xb3, 0x77,
0x52, 0xff, 0xbb, 0x82, 0xca, 0x5f, 0x0e, 0x21, 0x14, 0xf8, 0x27, 0x54, 0x91, 0xc9, 0x77, 0xa9,
0xa0, 0x8e, 0xb5, 0x65, 0x6d, 0xaf, 0x3c, 0x7e, 0xe4, 0x9a, 0x0b, 0xcb, 0x63, 0x31, 0x77, 0x26,
0xd1, 0xee, 0x70, 0xd7, 0xfd, 0xb6, 0xfd, 0x33, 0x74, 0xc4, 0x37, 0x20, 0x68, 0x03, 0x5f, 0x8e,
0x6a, 0x0b, 0xe3, 0x51, 0x0d, 0x19, 0x1b, 0xc9, 0x55, 0xf1, 0x0e, 0x2a, 0x0f, 0x60, 0x08, 0x03,
0xe7, 0xce, 0x96, 0xb5, 0x6d, 0x37, 0xde, 0xd7, 0xe0, 0xf2, 0xa1, 0x34, 0x5e, 0x67, 0x0f, 0x24,
0x05, 0xe1, 0x1f, 0x90, 0x2d, 0xeb, 0xc4, 0x05, 0x0d, 0x62, 0xa7, 0xa4, 0x02, 0xfa, 0x64, 0xbe,
0x80, 0x4e, 0xfd, 0x00, 0x1a, 0xf7, 0xb4, 0xba, 0x7d, 0x9a, 0x89, 0x10, 0xa3, 0x87, 0x8f, 0xd0,
0xb2, 0x2a, 0x4c, 0xf3, 0x99, 0xb3, 0xa8, 0x82, 0x79, 0xaa, 0xe1, 0xcb, 0x07, 0xa9, 0xf9, 0x7a,
0x54, 0xfb, 0xe0, 0xa6, 0x9b, 0x10, 0x17, 0x31, 0x70, 0xb7, 0xd5, 0x7c, 0x46, 0x32, 0x11, 0x99,
0x1a, 0x17, 0xb4, 0x07, 0x4e, 0x79, 0x32, 0xb5, 0x13, 0x69, 0xbc, 0xce, 0x1e, 0x48, 0x0a, 0xc2,
0x8f, 0x11, 0x62, 0xf0, 0x4b, 0x02, 0x5c, 0xb4, 0x48, 0xd3, 0x59, 0x52, 0x94, 0xbc, 0x74, 0x24,
0xf7, 0x90, 0x02, 0x0a, 0x6f, 0xa1, 0xc5, 0x21, 0xb0, 0xb6, 0xb3, 0xac, 0xd0, 0x77, 0x35, 0x7a,
0xf1, 0x39, 0xb0, 0x36, 0x51, 0x1e, 0xfc, 0x35, 0x5a, 0x4c, 0x38, 0x30, 0xa7, 0xa2, 0x6a, 0xf5,
0x51, 0xa1, 0x56, 0xee, 0xe4, 0x54, 0xc8, 0x1a, 0xb5, 0x38, 0xb0, 0x66, 0x78, 0x16, 0x19, 0x25,
0x69, 0x21, 0x4a, 0x01, 0xf7, 0xd1, 0x86, 0x1f, 0xc4, 0xc0, 0x78, 0x14, 0xca, 0x56, 0x91, 0x1e,
0xc7, 0xbe, 0x95, 0xea, 0x7b, 0xe3, 0x51, 0x6d, 0xa3, 0x39, 0xa5, 0x41, 0x66, 0x54, 0xf1, 0xa7,
0xc8, 0xe6, 0x51, 0xc2, 0x3a, 0xd0, 0x3c, 0xe6, 0x0e, 0xda, 0x2a, 0x6d, 0xdb, 0x8d, 0x55, 0x79,
0x69, 0x27, 0x99, 0x91, 0x18, 0x3f, 0x06, 0x64, 0x47, 0xaa, 0xaf, 0x08, 0x9c, 0x39, 0x2b, 0x2a,
0x9e, 0x7d, 0x77, 0xce, 0x9d, 0xa2, 0xbb, 0x94, 0xc0, 0x19, 0x30, 0x08, 0x3b, 0x90, 0x1e, 0x93,
0x1b, 0x89, 0x51, 0xc6, 0x7d, 0xb4, 0xc6, 0x80, 0xc7, 0x51, 0xc8, 0xe1, 0x44, 0x50, 0x91, 0x70,
0xe7, 0xae, 0x3a, 0x6b, 0x67, 0xbe, 0xee, 0x4b, 0x39, 0x0d, 0x3c, 0x1e, 0xd5, 0xd6, 0xc8, 0x84,
0x0e, 0x99, 0xd2, 0xc5, 0x14, 0xad, 0xea, 0x1b, 0x4e, 0x03, 0x71, 0x56, 0xd5, 0x41, 0xdb, 0x37,
0x1e, 0xa4, 0x77, 0x87, 0xdb, 0x0a, 0xcf, 0xc3, 0xe8, 0xd7, 0xb0, 0x71, 0x6f, 0x3c, 0xaa, 0xad,
0x92, 0xa2, 0x04, 0x99, 0x54, 0xc4, 0x5d, 0x93, 0x8c, 0x3e, 0x63, 0xed, 0x96, 0x67, 0x4c, 0x24,
0xa2, 0x0f, 0x99, 0xd2, 0xac, 0xbf, 0xb0, 0x90, 0xad, 0xb6, 0xc8, 0xa1, 0xcf, 0x05, 0xfe, 0x71,
0x66, 0x93, 0xb8, 0xf3, 0x95, 0x4e, 0xb2, 0xd5, 0x1e, 0xd9, 0xd0, 0x4d, 0x59, 0xc9, 0x2c, 0x85,
0x2d, 0x72, 0x82, 0xca, 0xbe, 0x80, 0x80, 0x3b, 0x77, 0xb6, 0x4a, 0x53, 0xd2, 0x6f, 0xee, 0x00,
0x15, 0x60, 0x63, 0x35, 0x1b, 0xcd, 0xa6, 0x14, 0x21, 0xa9, 0x56, 0xfd, 0x0f, 0x0b, 0xad, 0x7d,
0xc5, 0xa2, 0x24, 0x26, 0x90, 0xf6, 0x1b, 0xc7, 0x1f, 0xa2, 0x72, 0x4f, 0x5a, 0x54, 0x0a, 0xb6,
0xe1, 0xa5, 0xb0, 0xd4, 0x27, 0xfb, 0x97, 0x65, 0x0c, 0x15, 0x90, 0xee, 0xdf, 0x5c, 0x86, 0x18,
0x3f, 0xde, 0x93, 0xd7, 0x9d, 0xbe, 0x1c, 0xd1, 0x00, 0xb8, 0x53, 0x52, 0x04, 0x7d, 0x89, 0x05,
0x07, 0x99, 0xc4, 0xd5, 0xff, 0x2c, 0xa1, 0xf5, 0xa9, 0xfe, 0xc5, 0x3b, 0xa8, 0x92, 0x81, 0x74,
0x84, 0x79, 0xd1, 0x32, 0x2d, 0x92, 0x23, 0xb0, 0x87, 0xec, 0x50, 0x4a, 0xc5, 0xb4, 0x03, 0x7a,
0xfd, 0xe6, 0x0b, 0xf2, 0x28, 0x73, 0x10, 0x83, 0x91, 0xeb, 0x46, 0xbe, 0xa8, 0xc5, 0x5b, 0x58,
0x37, 0x12, 0x4b, 0x94, 0x07, 0x37, 0x50, 0x29, 0xf1, 0xbb, 0x7a, 0x7d, 0x3e, 0xd2, 0x80, 0x52,
0x6b, 0xde, 0xd5, 0x29, 0xc9, 0x32, 0x09, 0x1a, 0xfb, 0xaa, 0xa2, 0x7a, 0x73, 0xe6, 0x49, 0x1c,
0x1c, 0x37, 0xd3, 0x4a, 0xe7, 0x08, 0xb9, 0x36, 0x69, 0xec, 0x3f, 0x07, 0xc6, 0xfd, 0x28, 0x9c,
0x5e, 0x9b, 0x07, 0xc7, 0x4d, 0xed, 0x21, 0x05, 0x14, 0x3e, 0x40, 0xeb, 0x59, 0x11, 0x32, 0x62,
0xba, 0x41, 0x1f, 0x68, 0xe2, 0x3a, 0x99, 0x74, 0x93, 0x69, 0x3c, 0xfe, 0x0c, 0xad, 0xf0, 0xa4,
0x9d, 0x17, 0xbb, 0xa2, 0xe8, 0xf7, 0x35, 0x7d, 0xe5, 0xc4, 0xb8, 0x48, 0x11, 0x57, 0xff, 0xc7,
0x42, 0x4b, 0xc7, 0xd1, 0xc0, 0xef, 0x5c, 0xbc, 0x83, 0x4f, 0xeb, 0x77, 0xa8, 0xcc, 0x92, 0x01,
0x64, 0x43, 0xf1, 0x64, 0xee, 0xa1, 0x48, 0x23, 0x24, 0xc9, 0x00, 0x4c, 0x87, 0xcb, 0x37, 0x4e,
0x52, 0xc1, 0xfa, 0x5f, 0x16, 0x42, 0x29, 0xe8, 0x1d, 0xcc, 0xf6, 0xe9, 0xe4, 0x6c, 0x7b, 0xb7,
0x4c, 0xe3, 0x86, 0xe1, 0x7e, 0x51, 0xca, 0x52, 0x90, 0x99, 0x99, 0xdf, 0x10, 0x6b, 0x9e, 0xdf,
0x90, 0x1a, 0x2a, 0xcb, 0x6f, 0x62, 0x36, 0xdd, 0xb6, 0x44, 0xca, 0x4f, 0x17, 0x27, 0xa9, 0x1d,
0xbb, 0x08, 0xc9, 0x07, 0xd5, 0xa2, 0xd9, 0x48, 0xaf, 0xc9, 0x8b, 0x6a, 0xe5, 0x56, 0x52, 0x40,
0x48, 0x41, 0xf9, 0xb9, 0xe6, 0xce, 0xa2, 0x11, 0x94, 0x5f, 0x71, 0x4e, 0x52, 0x3b, 0xee, 0x17,
0x77, 0x4a, 0x59, 0x15, 0x62, 0x6f, 0xee, 0x42, 0x4c, 0x2e, 0x31, 0x33, 0xe4, 0xaf, 0x5d, 0x48,
0x2e, 0x42, 0xf9, 0xc4, 0x73, 0x67, 0xc9, 0x84, 0x9e, 0xaf, 0x04, 0x4e, 0x0a, 0x08, 0xfc, 0x05,
0x5a, 0x0f, 0xa3, 0x30, 0x93, 0x6a, 0x91, 0x43, 0xee, 0x2c, 0x2b, 0xd2, 0x7d, 0x39, 0x48, 0x47,
0x93, 0x2e, 0x32, 0x8d, 0xc5, 0x7b, 0x08, 0x45, 0x81, 0x2f, 0xd4, 0xaf, 0x10, 0x77, 0x2a, 0x8a,
0xf9, 0x40, 0xb5, 0x74, 0x6e, 0x35, 0xbf, 0x4a, 0x05, 0x68, 0xe3, 0xe1, 0xe5, 0x55, 0x75, 0xe1,
0xe5, 0x55, 0x75, 0xe1, 0xd5, 0x55, 0x75, 0xe1, 0xb7, 0x71, 0xd5, 0xba, 0x1c, 0x57, 0xad, 0x97,
0xe3, 0xaa, 0xf5, 0x6a, 0x5c, 0xb5, 0xfe, 0x1d, 0x57, 0xad, 0xdf, 0xff, 0xab, 0x2e, 0x7c, 0xbf,
0xac, 0x6b, 0xf0, 0x7f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x19, 0x44, 0x81, 0xf3, 0xba, 0x0c, 0x00,
0x00,
}

4
staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.proto
View File

@ -212,5 +212,9 @@ message PolicyRule {
// "/healthz*" - Log all health checks
// +optional
repeated string nonResourceURLs = 7;
// OmitStages specify events generated in which stages will not be emitted to backend.
// An empty list means no restrictions will apply.
repeated string omitStages = 8;
}

4
staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/types.go
View File

@ -201,6 +201,10 @@ type PolicyRule struct {
// "/healthz*" - Log all health checks
// +optional
NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,7,rep,name=nonResourceURLs"`
// OmitStages specify events generated in which stages will not be emitted to backend.
// An empty list means no restrictions will apply.
OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,8,rep,name=omitStages"`
}
// GroupResources represents resource kinds in an API group.

2
staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.conversion.go
View File

@ -239,6 +239,7 @@ func autoConvert_v1beta1_PolicyRule_To_audit_PolicyRule(in *PolicyRule, out *aud
out.Resources = *(*[]audit.GroupResources)(unsafe.Pointer(&in.Resources))
out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs))
out.OmitStages = *(*[]audit.Stage)(unsafe.Pointer(&in.OmitStages))
return nil
}
@ -255,6 +256,7 @@ func autoConvert_audit_PolicyRule_To_v1beta1_PolicyRule(in *audit.PolicyRule, ou
out.Resources = *(*[]GroupResources)(unsafe.Pointer(&in.Resources))
out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs))
out.OmitStages = *(*[]Stage)(unsafe.Pointer(&in.OmitStages))
return nil
}

5
staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.deepcopy.go
View File

@ -327,6 +327,11 @@ func (in *PolicyRule) DeepCopyInto(out *PolicyRule) {
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.OmitStages != nil {
in, out := &in.OmitStages, &out.OmitStages
*out = make([]Stage, len(*in))
copy(*out, *in)
}
return
}

25
staging/src/k8s.io/apiserver/pkg/apis/audit/validation/validation.go
View File

@ -38,6 +38,7 @@ func validatePolicyRule(rule audit.PolicyRule, fldPath *field.Path) field.ErrorL
allErrs = append(allErrs, validateLevel(rule.Level, fldPath.Child("level"))...)
allErrs = append(allErrs, validateNonResourceURLs(rule.NonResourceURLs, fldPath.Child("nonResourceURLs"))...)
allErrs = append(allErrs, validateResources(rule.Resources, fldPath.Child("resources"))...)
allErrs = append(allErrs, validateOmitStages(rule.OmitStages, fldPath.Child("omitStages"))...)
if len(rule.NonResourceURLs) > 0 {
if len(rule.Resources) > 0 || len(rule.Namespaces) > 0 {
@ -55,6 +56,13 @@ var validLevels = []string{
string(audit.LevelRequestResponse),
}
var validOmitStages = []string{
string(audit.StageRequestReceived),
string(audit.StageResponseStarted),
string(audit.StageResponseComplete),
string(audit.StagePanic),
}
func validateLevel(level audit.Level, fldPath *field.Path) field.ErrorList {
switch level {
case audit.LevelNone, audit.LevelMetadata, audit.LevelRequest, audit.LevelRequestResponse:
@ -104,3 +112,20 @@ func validateResources(groupResources []audit.GroupResources, fldPath *field.Pat
}
return allErrs
}
func validateOmitStages(omitStages []audit.Stage, fldPath *field.Path) field.ErrorList {
var allErrs field.ErrorList
for i, stage := range omitStages {
valid := false
for _, validOmitStage := range validOmitStages {
if string(stage) == validOmitStage {
valid = true
break
}
}
if !valid {
allErrs = append(allErrs, field.Invalid(fldPath.Index(i), string(stage), "allowed stages are "+strings.Join(validOmitStages, ",")))
}
}
return allErrs
}

11
staging/src/k8s.io/apiserver/pkg/apis/audit/validation/validation_test.go
View File

@ -43,6 +43,11 @@ func TestValidatePolicy(t *testing.T) {
"/metrics",
"*",
},
}, { // Omit RequestReceived stage
Level: audit.LevelMetadata,
OmitStages: []audit.Stage{
audit.Stage("RequestReceived"),
},
},
}
successCases := []audit.Policy{}
@ -108,6 +113,12 @@ func TestValidatePolicy(t *testing.T) {
Resources: []audit.GroupResources{{ResourceNames: []string{"leader"}}},
Namespaces: []string{"kube-system"},
},
{ // invalid omitStages
Level: audit.LevelMetadata,
OmitStages: []audit.Stage{
audit.Stage("foo"),
},
},
}
errorCases := []audit.Policy{}
for _, rule := range invalidRules {

5
staging/src/k8s.io/apiserver/pkg/apis/audit/zz_generated.deepcopy.go
View File

@ -325,6 +325,11 @@ func (in *PolicyRule) DeepCopyInto(out *PolicyRule) {
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.OmitStages != nil {
in, out := &in.OmitStages, &out.OmitStages
*out = make([]Stage, len(*in))
copy(*out, *in)
}
return
}

17
staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go
View File

@ -31,7 +31,7 @@ const (
// Checker exposes methods for checking the policy rules.
type Checker interface {
// Check the audit level for a request with the given authorizer attributes.
Level(authorizer.Attributes) audit.Level
LevelAndStages(authorizer.Attributes) (audit.Level, []audit.Stage)
}
// NewChecker creates a new policy checker.
@ -40,21 +40,21 @@ func NewChecker(policy *audit.Policy) Checker {
}
// FakeChecker creates a checker that returns a constant level for all requests (for testing).
func FakeChecker(level audit.Level) Checker {
return &fakeChecker{level}
func FakeChecker(level audit.Level, stage []audit.Stage) Checker {
return &fakeChecker{level, stage}
}
type policyChecker struct {
audit.Policy
}
func (p *policyChecker) Level(attrs authorizer.Attributes) audit.Level {
func (p *policyChecker) LevelAndStages(attrs authorizer.Attributes) (audit.Level, []audit.Stage) {
for _, rule := range p.Rules {
if ruleMatches(&rule, attrs) {
return rule.Level
return rule.Level, rule.OmitStages
}
}
return DefaultAuditLevel
return DefaultAuditLevel, nil
}
// Check whether the rule matches the request attrs.
@ -181,8 +181,9 @@ func hasString(slice []string, value string) bool {
type fakeChecker struct {
level audit.Level
stage []audit.Stage
}
func (f *fakeChecker) Level(_ authorizer.Attributes) audit.Level {
return f.level
func (f *fakeChecker) LevelAndStages(_ authorizer.Attributes) (audit.Level, []audit.Stage) {
return f.level, f.stage
}

105
staging/src/k8s.io/apiserver/pkg/audit/policy/checker_test.go
View File

@ -136,59 +136,80 @@ func TestChecker(t *testing.T) {
ResourceNames: []string{"edit"},
}},
},
"omit RequestReceived": {
Level: audit.LevelRequest,
OmitStages: []audit.Stage{
audit.StageRequestReceived,
},
},
"only audit panic": {
Level: audit.LevelRequest,
OmitStages: []audit.Stage{
audit.StageRequestReceived,
audit.StageResponseStarted,
audit.StageResponseComplete,
},
},
}
test := func(req string, expected audit.Level, ruleNames ...string) {
test := func(req string, expLevel audit.Level, expOmitStages []audit.Stage, ruleNames ...string) {
policy := audit.Policy{}
for _, rule := range ruleNames {
require.Contains(t, rules, rule)
policy.Rules = append(policy.Rules, rules[rule])
}
require.Contains(t, attrs, req)
actual := NewChecker(&policy).Level(attrs[req])
assert.Equal(t, expected, actual, "request:%s rules:%s", req, strings.Join(ruleNames, ","))
actualLevel, actualOmitStages := NewChecker(&policy).LevelAndStages(attrs[req])
assert.Equal(t, expLevel, actualLevel, "request:%s rules:%s", req, strings.Join(ruleNames, ","))
assert.Equal(t, expOmitStages, actualOmitStages, "request:%s rules:%s", req, strings.Join(ruleNames, ","))
}
test("namespaced", audit.LevelMetadata, "default")
test("namespaced", audit.LevelNone, "create")
test("namespaced", audit.LevelMetadata, "tims")
test("namespaced", audit.LevelMetadata, "humans")
test("namespaced", audit.LevelNone, "serviceAccounts")
test("namespaced", audit.LevelRequestResponse, "getPods")
test("namespaced", audit.LevelNone, "getClusterRoles")
test("namespaced", audit.LevelNone, "getLogs")
test("namespaced", audit.LevelNone, "getMetrics")
test("namespaced", audit.LevelMetadata, "getMetrics", "serviceAccounts", "default")
test("namespaced", audit.LevelRequestResponse, "getMetrics", "getPods", "default")
test("namespaced", audit.LevelRequestResponse, "getPodLogs", "getPods")
test("namespaced", audit.LevelMetadata, nil, "default")
test("namespaced", audit.LevelNone, nil, "create")
test("namespaced", audit.LevelMetadata, nil, "tims")
test("namespaced", audit.LevelMetadata, nil, "humans")
test("namespaced", audit.LevelNone, nil, "serviceAccounts")
test("namespaced", audit.LevelRequestResponse, nil, "getPods")
test("namespaced", audit.LevelNone, nil, "getClusterRoles")
test("namespaced", audit.LevelNone, nil, "getLogs")
test("namespaced", audit.LevelNone, nil, "getMetrics")
test("namespaced", audit.LevelMetadata, nil, "getMetrics", "serviceAccounts", "default")
test("namespaced", audit.LevelRequestResponse, nil, "getMetrics", "getPods", "default")
test("namespaced", audit.LevelRequestResponse, nil, "getPodLogs", "getPods")
test("namespaced", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived}, "omit RequestReceived", "getPods", "default")
test("namespaced", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived, audit.StageResponseStarted, audit.StageResponseComplete}, "only audit panic", "getPods", "default")
test("cluster", audit.LevelMetadata, "default")
test("cluster", audit.LevelNone, "create")
test("cluster", audit.LevelMetadata, "tims")
test("cluster", audit.LevelMetadata, "humans")
test("cluster", audit.LevelNone, "serviceAccounts")
test("cluster", audit.LevelNone, "getPods")
test("cluster", audit.LevelRequestResponse, "getClusterRoles")
test("cluster", audit.LevelRequest, "clusterRoleEdit", "getClusterRoles")
test("cluster", audit.LevelNone, "getLogs")
test("cluster", audit.LevelNone, "getMetrics")
test("cluster", audit.LevelMetadata, "getMetrics", "serviceAccounts", "default")
test("cluster", audit.LevelRequestResponse, "getMetrics", "getClusterRoles", "default")
test("cluster", audit.LevelNone, "getPodLogs", "getPods")
test("cluster", audit.LevelMetadata, nil, "default")
test("cluster", audit.LevelNone, nil, "create")
test("cluster", audit.LevelMetadata, nil, "tims")
test("cluster", audit.LevelMetadata, nil, "humans")
test("cluster", audit.LevelNone, nil, "serviceAccounts")
test("cluster", audit.LevelNone, nil, "getPods")
test("cluster", audit.LevelRequestResponse, nil, "getClusterRoles")
test("cluster", audit.LevelRequest, nil, "clusterRoleEdit", "getClusterRoles")
test("cluster", audit.LevelNone, nil, "getLogs")
test("cluster", audit.LevelNone, nil, "getMetrics")
test("cluster", audit.LevelMetadata, nil, "getMetrics", "serviceAccounts", "default")
test("cluster", audit.LevelRequestResponse, nil, "getMetrics", "getClusterRoles", "default")
test("cluster", audit.LevelNone, nil, "getPodLogs", "getPods")
test("cluster", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived}, "omit RequestReceived", "getPods", "default")
test("cluster", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived, audit.StageResponseStarted, audit.StageResponseComplete}, "only audit panic", "getPods", "default")
test("nonResource", audit.LevelMetadata, "default")
test("nonResource", audit.LevelNone, "create")
test("nonResource", audit.LevelMetadata, "tims")
test("nonResource", audit.LevelMetadata, "humans")
test("nonResource", audit.LevelNone, "serviceAccounts")
test("nonResource", audit.LevelNone, "getPods")
test("nonResource", audit.LevelNone, "getClusterRoles")
test("nonResource", audit.LevelRequestResponse, "getLogs")
test("nonResource", audit.LevelNone, "getMetrics")
test("nonResource", audit.LevelMetadata, "getMetrics", "serviceAccounts", "default")
test("nonResource", audit.LevelRequestResponse, "getLogs", "getClusterRoles", "default")
test("nonResource", audit.LevelNone, "getPodLogs", "getPods")
test("nonResource", audit.LevelMetadata, nil, "default")
test("nonResource", audit.LevelNone, nil, "create")
test("nonResource", audit.LevelMetadata, nil, "tims")
test("nonResource", audit.LevelMetadata, nil, "humans")
test("nonResource", audit.LevelNone, nil, "serviceAccounts")
test("nonResource", audit.LevelNone, nil, "getPods")
test("nonResource", audit.LevelNone, nil, "getClusterRoles")
test("nonResource", audit.LevelRequestResponse, nil, "getLogs")
test("nonResource", audit.LevelNone, nil, "getMetrics")
test("nonResource", audit.LevelMetadata, nil, "getMetrics", "serviceAccounts", "default")
test("nonResource", audit.LevelRequestResponse, nil, "getLogs", "getClusterRoles", "default")
test("nonResource", audit.LevelNone, nil, "getPodLogs", "getPods")
test("nonResource", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived}, "omit RequestReceived", "getPods", "default")
test("nonResource", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived, audit.StageResponseStarted, audit.StageResponseComplete}, "only audit panic", "getPods", "default")
test("subresource", audit.LevelRequest, "getPodLogs", "getPods")
test("subresource", audit.LevelRequest, "getPods", "getPodLogs")
test("subresource", audit.LevelRequest, nil, "getPodLogs", "getPods")
test("subresource", audit.LevelRequest, nil, "getPods", "getPodLogs")
}

2
staging/src/k8s.io/apiserver/pkg/endpoints/apiserver_test.go
View File

@ -331,7 +331,7 @@ func handleInternal(storage map[string]rest.Storage, admissionControl admission.
}
}
handler := genericapifilters.WithAudit(mux, requestContextMapper, auditSink, auditpolicy.FakeChecker(auditinternal.LevelRequestResponse), func(r *http.Request, requestInfo *request.RequestInfo) bool {
handler := genericapifilters.WithAudit(mux, requestContextMapper, auditSink, auditpolicy.FakeChecker(auditinternal.LevelRequestResponse, nil), func(r *http.Request, requestInfo *request.RequestInfo) bool {
// simplified long-running check
return requestInfo.Verb == "watch" || requestInfo.Verb == "proxy"
})

47
staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go
View File

@ -42,7 +42,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
return handler
}
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
ctx, ev, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy)
ctx, ev, omitStages, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy)
if err != nil {
utilruntime.HandleError(fmt.Errorf("failed to create audit event: %v", err))
responsewriters.InternalError(w, req, errors.New("failed to create audit event"))
@ -54,7 +54,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
}
ev.Stage = auditinternal.StageRequestReceived
processAuditEvent(sink, ev)
processAuditEvent(sink, ev, omitStages)
// intercept the status code
var longRunningSink audit.Sink
@ -64,7 +64,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
longRunningSink = sink
}
}
respWriter := decorateResponseWriter(w, ev, longRunningSink)
respWriter := decorateResponseWriter(w, ev, longRunningSink, omitStages)
// send audit event when we leave this func, either via a panic or cleanly. In the case of long
// running requests, this will be the second audit event.
@ -78,7 +78,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
Reason: metav1.StatusReasonInternalError,
Message: fmt.Sprintf("APIServer panic'd: %v", r),
}
processAuditEvent(sink, ev)
processAuditEvent(sink, ev, omitStages)
return
}
@ -92,14 +92,14 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
if ev.ResponseStatus == nil && longRunningSink != nil {
ev.ResponseStatus = fakedSuccessStatus
ev.Stage = auditinternal.StageResponseStarted
processAuditEvent(longRunningSink, ev)
processAuditEvent(longRunningSink, ev, omitStages)
}
ev.Stage = auditinternal.StageResponseComplete
if ev.ResponseStatus == nil {
ev.ResponseStatus = fakedSuccessStatus
}
processAuditEvent(sink, ev)
processAuditEvent(sink, ev, omitStages)
}()
handler.ServeHTTP(respWriter, req)
})
@ -110,47 +110,53 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
// - context with audit event attached to it
// - created audit event
// - error if anything bad happened
func createAuditEventAndAttachToContext(requestContextMapper request.RequestContextMapper, req *http.Request, policy policy.Checker) (request.Context, *auditinternal.Event, error) {
func createAuditEventAndAttachToContext(requestContextMapper request.RequestContextMapper, req *http.Request, policy policy.Checker) (request.Context, *auditinternal.Event, []auditinternal.Stage, error) {
ctx, ok := requestContextMapper.Get(req)
if !ok {
return nil, nil, fmt.Errorf("no context found for request")
return nil, nil, nil, fmt.Errorf("no context found for request")
}
attribs, err := GetAuthorizerAttributes(ctx)
if err != nil {
return nil, nil, fmt.Errorf("failed to GetAuthorizerAttributes: %v", err)
return nil, nil, nil, fmt.Errorf("failed to GetAuthorizerAttributes: %v", err)
}
level := policy.Level(attribs)
level, omitStages := policy.LevelAndStages(attribs)
audit.ObservePolicyLevel(level)
if level == auditinternal.LevelNone {
// Don't audit.
return nil, nil, nil
return nil, nil, nil, nil
}
ev, err := audit.NewEventFromRequest(req, level, attribs)
if err != nil {
return nil, nil, fmt.Errorf("failed to complete audit event from request: %v", err)
return nil, nil, nil, fmt.Errorf("failed to complete audit event from request: %v", err)
}
ctx = request.WithAuditEvent(ctx, ev)
if err := requestContextMapper.Update(req, ctx); err != nil {
return nil, nil, fmt.Errorf("failed to attach audit event to context: %v", err)
return nil, nil, nil, fmt.Errorf("failed to attach audit event to context: %v", err)
}
return ctx, ev, nil
return ctx, ev, omitStages, nil
}
func processAuditEvent(sink audit.Sink, ev *auditinternal.Event) {
func processAuditEvent(sink audit.Sink, ev *auditinternal.Event, omitStages []auditinternal.Stage) {
for _, stage := range omitStages {
if ev.Stage == stage {
return
}
}
audit.ObserveEvent()
sink.ProcessEvents(ev)
}
func decorateResponseWriter(responseWriter http.ResponseWriter, ev *auditinternal.Event, sink audit.Sink) http.ResponseWriter {
func decorateResponseWriter(responseWriter http.ResponseWriter, ev *auditinternal.Event, sink audit.Sink, omitStages []auditinternal.Stage) http.ResponseWriter {
delegate := &auditResponseWriter{
ResponseWriter: responseWriter,
event: ev,
sink: sink,
omitStages: omitStages,
}
// check if the ResponseWriter we're wrapping is the fancy one we need
@ -170,9 +176,10 @@ var _ http.ResponseWriter = &auditResponseWriter{}
// create immediately an event (for long running requests).
type auditResponseWriter struct {
http.ResponseWriter
event *auditinternal.Event
once sync.Once
sink audit.Sink
event *auditinternal.Event
once sync.Once
sink audit.Sink
omitStages []auditinternal.Stage
}
func (a *auditResponseWriter) setHttpHeader() {
@ -188,7 +195,7 @@ func (a *auditResponseWriter) processCode(code int) {
a.event.Stage = auditinternal.StageResponseStarted
if a.sink != nil {
processAuditEvent(a.sink, a.event)
processAuditEvent(a.sink, a.event, a.omitStages)
}
})
}

122
staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit_test.go
View File

@ -98,14 +98,14 @@ func (*fancyResponseWriter) Flush() {}
func (*fancyResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) { return nil, nil, nil }
func TestConstructResponseWriter(t *testing.T) {
actual := decorateResponseWriter(&simpleResponseWriter{}, nil, nil)
actual := decorateResponseWriter(&simpleResponseWriter{}, nil, nil, nil)
switch v := actual.(type) {
case *auditResponseWriter:
default:
t.Errorf("Expected auditResponseWriter, got %v", reflect.TypeOf(v))
}
actual = decorateResponseWriter(&fancyResponseWriter{}, nil, nil)
actual = decorateResponseWriter(&fancyResponseWriter{}, nil, nil, nil)
switch v := actual.(type) {
case *fancyResponseWriterDelegator:
default:
@ -115,7 +115,7 @@ func TestConstructResponseWriter(t *testing.T) {
func TestDecorateResponseWriterWithoutChannel(t *testing.T) {
ev := &auditinternal.Event{}
actual := decorateResponseWriter(&simpleResponseWriter{}, ev, nil)
actual := decorateResponseWriter(&simpleResponseWriter{}, ev, nil, nil)
// write status. This will not block because firstEventSentCh is nil
actual.WriteHeader(42)
@ -129,7 +129,7 @@ func TestDecorateResponseWriterWithoutChannel(t *testing.T) {
func TestDecorateResponseWriterWithImplicitWrite(t *testing.T) {
ev := &auditinternal.Event{}
actual := decorateResponseWriter(&simpleResponseWriter{}, ev, nil)
actual := decorateResponseWriter(&simpleResponseWriter{}, ev, nil, nil)
// write status. This will not block because firstEventSentCh is nil
actual.Write([]byte("foo"))
@ -144,7 +144,7 @@ func TestDecorateResponseWriterWithImplicitWrite(t *testing.T) {
func TestDecorateResponseWriterChannel(t *testing.T) {
sink := &fakeAuditSink{}
ev := &auditinternal.Event{}
actual := decorateResponseWriter(&simpleResponseWriter{}, ev, sink)
actual := decorateResponseWriter(&simpleResponseWriter{}, ev, sink, nil)
done := make(chan struct{})
go func() {
@ -203,17 +203,19 @@ func TestAuditLegacy(t *testing.T) {
delay := 500 * time.Millisecond
for _, test := range []struct {
desc string
path string
verb string
handler func(http.ResponseWriter, *http.Request)
expected []string
desc string
path string
verb string
omitStages []auditinternal.Stage
handler func(http.ResponseWriter, *http.Request)
expected []string
}{
// short running requests with read-only verb
{
"read-only empty",
shortRunningPath,
"GET",
nil,
func(http.ResponseWriter, *http.Request) {},
[]string{
readOnlyShortRunningPrefix(auditinternal.StageRequestReceived) + ` response="<deferred>"`,
@ -224,6 +226,7 @@ func TestAuditLegacy(t *testing.T) {
"read-only panic",
shortRunningPath,
"GET",
nil,
func(w http.ResponseWriter, req *http.Request) {
panic("kaboom")
},
@ -238,6 +241,7 @@ func TestAuditLegacy(t *testing.T) {
"writing empty",
shortRunningPath,
"PUT",
nil,
func(http.ResponseWriter, *http.Request) {},
[]string{
writingShortRunningPrefix(auditinternal.StageRequestReceived) + ` response="<deferred>"`,
@ -248,6 +252,7 @@ func TestAuditLegacy(t *testing.T) {
"writing sleep",
shortRunningPath,
"PUT",
nil,
func(http.ResponseWriter, *http.Request) {
time.Sleep(delay)
},
@ -260,6 +265,7 @@ func TestAuditLegacy(t *testing.T) {
"writing 403+write",
shortRunningPath,
"PUT",
nil,
func(w http.ResponseWriter, req *http.Request) {
w.WriteHeader(403)
w.Write([]byte("foo"))
@ -273,6 +279,7 @@ func TestAuditLegacy(t *testing.T) {
"writing panic",
shortRunningPath,
"PUT",
nil,
func(w http.ResponseWriter, req *http.Request) {
panic("kaboom")
},
@ -285,6 +292,7 @@ func TestAuditLegacy(t *testing.T) {
"writing write+panic",
shortRunningPath,
"PUT",
nil,
func(w http.ResponseWriter, req *http.Request) {
w.Write([]byte("foo"))
panic("kaboom")
@ -300,6 +308,7 @@ func TestAuditLegacy(t *testing.T) {
"empty longrunning",
longRunningPath,
"GET",
nil,
func(http.ResponseWriter, *http.Request) {},
[]string{
longRunningPrefix(auditinternal.StageRequestReceived) + ` response="<deferred>"`,
@ -311,6 +320,7 @@ func TestAuditLegacy(t *testing.T) {
"sleep longrunning",
longRunningPath,
"GET",
nil,
func(http.ResponseWriter, *http.Request) {
time.Sleep(delay)
},
@ -324,6 +334,7 @@ func TestAuditLegacy(t *testing.T) {
"sleep+403 longrunning",
longRunningPath,
"GET",
nil,
func(w http.ResponseWriter, req *http.Request) {
time.Sleep(delay)
w.WriteHeader(403)
@ -338,6 +349,7 @@ func TestAuditLegacy(t *testing.T) {
"write longrunning",
longRunningPath,
"GET",
nil,
func(w http.ResponseWriter, req *http.Request) {
w.Write([]byte("foo"))
},
@ -351,6 +363,7 @@ func TestAuditLegacy(t *testing.T) {
"403+write longrunning",
longRunningPath,
"GET",
nil,
func(w http.ResponseWriter, req *http.Request) {
w.WriteHeader(403)
w.Write([]byte("foo"))
@ -365,6 +378,7 @@ func TestAuditLegacy(t *testing.T) {
"panic longrunning",
longRunningPath,
"GET",
nil,
func(w http.ResponseWriter, req *http.Request) {
panic("kaboom")
},
@ -377,6 +391,7 @@ func TestAuditLegacy(t *testing.T) {
"write+panic longrunning",
longRunningPath,
"GET",
nil,
func(w http.ResponseWriter, req *http.Request) {
w.Write([]byte("foo"))
panic("kaboom")
@ -387,10 +402,33 @@ func TestAuditLegacy(t *testing.T) {
longRunningPrefix(auditinternal.StagePanic) + ` response="500"`,
},
},
{
"omit RequestReceived",
shortRunningPath,
"GET",
[]auditinternal.Stage{auditinternal.StageRequestReceived},
func(http.ResponseWriter, *http.Request) {},
[]string{
readOnlyShortRunningPrefix(auditinternal.StageResponseComplete) + ` response="200"`,
},
},
{
"emit painc only",
longRunningPath,
"GET",
[]auditinternal.Stage{auditinternal.StageRequestReceived, auditinternal.StageResponseStarted, auditinternal.StageResponseComplete},
func(w http.ResponseWriter, req *http.Request) {
w.Write([]byte("foo"))
panic("kaboom")
},
[]string{
longRunningPrefix(auditinternal.StagePanic) + ` response="500"`,
},
},
} {
var buf bytes.Buffer
backend := pluginlog.NewBackend(&buf, pluginlog.FormatLegacy, auditv1beta1.SchemeGroupVersion)
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, test.omitStages)
handler := WithAudit(http.HandlerFunc(test.handler), &fakeRequestContextMapper{
user: &user.DefaultInfo{Name: "admin"},
}, backend, policyChecker, func(r *http.Request, ri *request.RequestInfo) bool {
@ -440,6 +478,7 @@ func TestAuditJson(t *testing.T) {
path string
verb string
auditID string
omitStages []auditinternal.Stage
handler func(http.ResponseWriter, *http.Request)
expected []auditv1beta1.Event
respHeader bool
@ -450,6 +489,7 @@ func TestAuditJson(t *testing.T) {
shortRunningPath,
"GET",
"",
nil,
func(http.ResponseWriter, *http.Request) {},
[]auditv1beta1.Event{
{
@ -471,6 +511,7 @@ func TestAuditJson(t *testing.T) {
shortRunningPath,
"GET",
uuid.NewRandom().String(),
nil,
func(w http.ResponseWriter, req *http.Request) {
w.Write([]byte("foo"))
},
@ -494,6 +535,7 @@ func TestAuditJson(t *testing.T) {
shortRunningPath,
"GET",
"",
nil,
func(w http.ResponseWriter, req *http.Request) {
panic("kaboom")
},
@ -518,6 +560,7 @@ func TestAuditJson(t *testing.T) {
shortRunningPath,
"PUT",
"",
nil,
func(http.ResponseWriter, *http.Request) {},
[]auditv1beta1.Event{
{
@ -539,6 +582,7 @@ func TestAuditJson(t *testing.T) {
shortRunningPath,
"PUT",
"",
nil,
func(w http.ResponseWriter, req *http.Request) {
w.Write([]byte("foo"))
time.Sleep(delay)
@ -563,6 +607,7 @@ func TestAuditJson(t *testing.T) {
shortRunningPath,
"PUT",
"",
nil,
func(w http.ResponseWriter, req *http.Request) {
w.WriteHeader(403)
w.Write([]byte("foo"))
@ -587,6 +632,7 @@ func TestAuditJson(t *testing.T) {
shortRunningPath,
"PUT",
"",
nil,
func(w http.ResponseWriter, req *http.Request) {
panic("kaboom")
},
@ -610,6 +656,7 @@ func TestAuditJson(t *testing.T) {
shortRunningPath,
"PUT",
"",
nil,
func(w http.ResponseWriter, req *http.Request) {
w.Write([]byte("foo"))
panic("kaboom")
@ -635,6 +682,7 @@ func TestAuditJson(t *testing.T) {
longRunningPath,
"GET",
"",
nil,
func(http.ResponseWriter, *http.Request) {},
[]auditv1beta1.Event{
{
@ -662,6 +710,7 @@ func TestAuditJson(t *testing.T) {
longRunningPath,
"GET",
uuid.NewRandom().String(),
nil,
func(w http.ResponseWriter, req *http.Request) {
w.Write([]byte("foo"))
},
@ -691,6 +740,7 @@ func TestAuditJson(t *testing.T) {
longRunningPath,
"GET",
"",
nil,
func(http.ResponseWriter, *http.Request) {
time.Sleep(delay)
},
@ -720,6 +770,7 @@ func TestAuditJson(t *testing.T) {
longRunningPath,
"GET",
"",
nil,
func(w http.ResponseWriter, req *http.Request) {
time.Sleep(delay)
w.WriteHeader(403)
@ -750,6 +801,7 @@ func TestAuditJson(t *testing.T) {
longRunningPath,
"GET",
"",
nil,
func(w http.ResponseWriter, req *http.Request) {
w.Write([]byte("foo"))
},
@ -779,6 +831,7 @@ func TestAuditJson(t *testing.T) {
longRunningPath,
"GET",
"",
nil,
func(w http.ResponseWriter, req *http.Request) {
w.WriteHeader(403)
w.Write([]byte("foo"))
@ -809,6 +862,7 @@ func TestAuditJson(t *testing.T) {
longRunningPath,
"GET",
"",
nil,
func(w http.ResponseWriter, req *http.Request) {
panic("kaboom")
},
@ -832,6 +886,7 @@ func TestAuditJson(t *testing.T) {
longRunningPath,
"GET",
"",
nil,
func(w http.ResponseWriter, req *http.Request) {
w.Write([]byte("foo"))
panic("kaboom")
@ -857,10 +912,49 @@ func TestAuditJson(t *testing.T) {
},
true,
},
{
"omit RequestReceived",
shortRunningPath,
"GET",
"",
[]auditinternal.Stage{auditinternal.StageRequestReceived},
func(w http.ResponseWriter, req *http.Request) {
w.Write([]byte("foo"))
},
[]auditv1beta1.Event{
{
Stage: auditinternal.StageResponseComplete,
Verb: "get",
RequestURI: shortRunningPath,
ResponseStatus: &metav1.Status{Code: 200},
},
},
true,
},
{
"emit Panic only",
longRunningPath,
"GET",
"",
[]auditinternal.Stage{auditinternal.StageRequestReceived, auditinternal.StageResponseStarted, auditinternal.StageResponseComplete},
func(w http.ResponseWriter, req *http.Request) {
w.Write([]byte("foo"))
panic("kaboom")
},
[]auditv1beta1.Event{
{
Stage: auditinternal.StagePanic,
Verb: "watch",
RequestURI: longRunningPath,
ResponseStatus: &metav1.Status{Code: 500},
},
},
true,
},
} {
var buf bytes.Buffer
backend := pluginlog.NewBackend(&buf, pluginlog.FormatJson, auditv1beta1.SchemeGroupVersion)
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, test.omitStages)
handler := WithAudit(http.HandlerFunc(test.handler), &fakeRequestContextMapper{
user: &user.DefaultInfo{Name: "admin"},
}, backend, policyChecker, func(r *http.Request, ri *request.RequestInfo) bool {
@ -964,7 +1058,7 @@ func (*fakeRequestContextMapper) Update(req *http.Request, context request.Conte
}
func TestAuditNoPanicOnNilUser(t *testing.T) {
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, nil)
handler := WithAudit(&fakeHTTPHandler{}, &fakeRequestContextMapper{}, &fakeAuditSink{}, policyChecker, nil)
req, _ := http.NewRequest("GET", "/api/v1/namespaces/default/pods", nil)
req.RemoteAddr = "127.0.0.1"
@ -977,7 +1071,7 @@ func TestAuditLevelNone(t *testing.T) {
handler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
w.WriteHeader(200)
})
policyChecker := policy.FakeChecker(auditinternal.LevelNone)
policyChecker := policy.FakeChecker(auditinternal.LevelNone, nil)
handler = WithAudit(handler, &fakeRequestContextMapper{
user: &user.DefaultInfo{Name: "admin"},
}, sink, policyChecker, nil)

4
staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit.go
View File

@ -38,7 +38,7 @@ func WithFailedAuthenticationAudit(failedHandler http.Handler, requestContextMap
return failedHandler
}
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
_, ev, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy)
_, ev, omitStages, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy)
if err != nil {
utilruntime.HandleError(fmt.Errorf("failed to create audit event: %v", err))
responsewriters.InternalError(w, req, errors.New("failed to create audit event"))
@ -53,7 +53,7 @@ func WithFailedAuthenticationAudit(failedHandler http.Handler, requestContextMap
ev.ResponseStatus.Message = getAuthMethods(req)
ev.Stage = auditinternal.StageResponseStarted
rw := decorateResponseWriter(w, ev, sink)
rw := decorateResponseWriter(w, ev, sink, omitStages)
failedHandler.ServeHTTP(rw, req)
})
}

23
staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit_test.go
View File

@ -30,7 +30,7 @@ import (
func TestFailedAuthnAudit(t *testing.T) {
sink := &fakeAuditSink{}
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, nil)
handler := WithFailedAuthenticationAudit(
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusUnauthorized)
@ -61,7 +61,7 @@ func TestFailedAuthnAudit(t *testing.T) {
func TestFailedMultipleAuthnAudit(t *testing.T) {
sink := &fakeAuditSink{}
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, nil)
handler := WithFailedAuthenticationAudit(
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusUnauthorized)
@ -93,7 +93,7 @@ func TestFailedMultipleAuthnAudit(t *testing.T) {
func TestFailedAuthnAuditWithoutAuthorization(t *testing.T) {
sink := &fakeAuditSink{}
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse)
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, nil)
handler := WithFailedAuthenticationAudit(
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusUnauthorized)
@ -120,3 +120,20 @@ func TestFailedAuthnAuditWithoutAuthorization(t *testing.T) {
t.Errorf("Unexpected user, expected /api/v1/namespaces/default/pods, got %s", ev.RequestURI)
}
}
func TestFailedAuthnAuditOmitted(t *testing.T) {
sink := &fakeAuditSink{}
policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, []auditinternal.Stage{auditinternal.StageResponseStarted})
handler := WithFailedAuthenticationAudit(
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusUnauthorized)
}),
&fakeRequestContextMapper{}, sink, policyChecker)
req, _ := http.NewRequest("GET", "/api/v1/namespaces/default/pods", nil)
req.RemoteAddr = "127.0.0.1"
handler.ServeHTTP(httptest.NewRecorder(), req)
if len(sink.events) != 0 {
t.Fatalf("Unexpected number of audit events generated, expected 0, got: %d", len(sink.events))
}
}