diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go index f9d37e54caa..7b5f6d81679 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go @@ -207,6 +207,10 @@ type PolicyRule struct { // "/healthz*" - Log all health checks // +optional NonResourceURLs []string + + // OmitStages specify events generated in which stages will not be emitted to backend. + // An empty list means no restrictions will apply. + OmitStages []Stage } // GroupResources represents resource kinds in an API group. diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.pb.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.pb.go index 8017f66ea79..9247ef6a2dd 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.pb.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.pb.go @@ -543,6 +543,21 @@ func (m *PolicyRule) MarshalTo(dAtA []byte) (int, error) { i += copy(dAtA[i:], s) } } + if len(m.OmitStages) > 0 { + for _, s := range m.OmitStages { + dAtA[i] = 0x42 + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } return i, nil } @@ -744,6 +759,12 @@ func (m *PolicyRule) Size() (n int) { n += 1 + l + sovGenerated(uint64(l)) } } + if len(m.OmitStages) > 0 { + for _, s := range m.OmitStages { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } return n } @@ -856,6 +877,7 @@ func (this *PolicyRule) String() string { `Resources:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Resources), "GroupResources", "GroupResources", 1), `&`, ``, 1) + `,`, `Namespaces:` + fmt.Sprintf("%v", this.Namespaces) + `,`, `NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`, + `OmitStages:` + fmt.Sprintf("%v", this.OmitStages) + `,`, `}`, }, "") return s 
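Review bot: The comment on the new `OmitStages` field in `pkg/apis/audit/types.go` is ambiguous for a field that suppresses audit events: "no restrictions will apply" can be read as "nothing is omitted" or as "nothing is logged", and the `// +optional` marker used on `NonResourceURLs` just above is missing. I would write it as `// OmitStages is a list of stages for which no audit events are emitted for this rule.`, `// An empty list means no stage is omitted.` and `// +optional`. The same wording appears in `v1alpha1/types.go` and in `v1alpha1/generated.proto`, so the versioned type should change with it and the proto be regenerated. The `PolicyRule` struct begins outside the hunk.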
@@ -2304,6 +2326,35 @@ func (m *PolicyRule) Unmarshal(dAtA []byte) error { } m.NonResourceURLs = append(m.NonResourceURLs, string(dAtA[iNdEx:postIndex])) iNdEx = postIndex + case 8: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field OmitStages", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.OmitStages = append(m.OmitStages, Stage(dAtA[iNdEx:postIndex])) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) 
@@ -2435,75 +2486,76 @@ func init() { } var fileDescriptorGenerated = []byte{ - // 1107 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0xcf, 0x6f, 0xe3, 0x44, - 0x14, 0xae, 0x37, 0x4d, 0x1b, 0x4f, 0xb7, 0x3f, 0x76, 0x16, 0x81, 0xd5, 0x43, 0x52, 0x82, 0x84, - 0x22, 0x28, 0x76, 0x5b, 0x0a, 0x2c, 0x07, 0x0e, 0x8d, 0x16, 0x41, 0xa4, 0x52, 0xca, 0xb4, 0x59, - 0x89, 0x1f, 0x07, 0x9c, 0xe4, 0x35, 0x31, 0x4d, 0x6c, 0x33, 0x33, 0x0e, 0xea, 0x8d, 0x03, 0xe2, - 0xcc, 0x9d, 0x3f, 0x06, 0x21, 0x81, 0xd4, 0xe3, 0x1e, 0xf7, 0x14, 0xd1, 0xf0, 0x5f, 0xf4, 0x84, - 0x66, 0x3c, 0xe3, 0xb1, 0xd3, 0x8d, 0x48, 0x2f, 0x7b, 0xf3, 0xbc, 0xf7, 0x7d, 0xdf, 0xbc, 0xf7, - 0xfc, 0xde, 0xb3, 0xd1, 0x57, 0x97, 0x4f, 0x98, 0x1b, 0x44, 0xde, 0x65, 0xd2, 0x01, 0x1a, 0x02, - 0x07, 0xe6, 0x8d, 0x21, 0xec, 0x45, 0xd4, 0x53, 0x0e, 0x3f, 0x0e, 0x18, 0xd0, 0x31, 0x50, 0x2f, - 0xbe, 0xec, 0xcb, 0x93, 0xe7, 0x27, 0xbd, 0x80, 0x7b, 0xe3, 0x7d, 0x7f, 0x18, 0x0f, 0xfc, 0x7d, - 0xaf, 0x0f, 0x21, 0x50, 0x9f, 0x43, 0xcf, 0x8d, 0x69, 0xc4, 0x23, 0xdc, 0x48, 0x99, 0x6e, 0xc6, - 0x74, 0xe3, 0xcb, 0xbe, 0x3c, 0xb9, 0x92, 0xe9, 0x6a, 0xe6, 0xf6, 0x7b, 0xfd, 0x80, 0x0f, 0x92, - 0x8e, 0xdb, 0x8d, 0x46, 0x5e, 0x3f, 0xea, 0x47, 0x9e, 0x14, 0xe8, 0x24, 0x17, 0xf2, 0x24, 0x0f, - 0xf2, 0x29, 0x15, 0xde, 0xde, 0x35, 0x21, 0x79, 0x7e, 0xc2, 0x07, 0x10, 0xf2, 0xa0, 0xeb, 0xf3, - 0x20, 0x0a, 0xbd, 0xf1, 0x9d, 0x30, 0xb6, 0x0f, 0x0d, 0x7a, 0xe4, 0x77, 0x07, 0x41, 0x08, 0xf4, - 0xca, 0xe4, 0x30, 0x02, 0xee, 0xbf, 0x8c, 0xe5, 0xcd, 0x63, 0xd1, 0x24, 0xe4, 0xc1, 0x08, 0xee, - 0x10, 0x3e, 0xfc, 0x3f, 0x02, 0xeb, 0x0e, 0x60, 0xe4, 0xdf, 0xe1, 0xbd, 0x3f, 0x8f, 0x97, 0xf0, - 0x60, 0xe8, 0x05, 0x21, 0x67, 0x9c, 0xce, 0x92, 0xea, 0x7f, 0x55, 0x50, 0xf9, 0xd3, 0x31, 0x84, - 0x1c, 0x7f, 0x8f, 0x2a, 0x22, 0x85, 0x9e, 0xcf, 0x7d, 0xc7, 0xda, 0xb1, 0x1a, 0x6b, 0x07, 0x7b, - 0xae, 0xa9, 0x7b, 0xa6, 0x68, 0x4a, 0x2f, 0xd0, 0xee, 0x78, 0xdf, 0xfd, 0xb2, 0xf3, 0x03, 0x74, - 0xf9, 
0x17, 0xc0, 0xfd, 0x26, 0xbe, 0x9e, 0xd4, 0x96, 0xa6, 0x93, 0x1a, 0x32, 0x36, 0x92, 0xa9, - 0xe2, 0x5d, 0x54, 0x1e, 0xc2, 0x18, 0x86, 0xce, 0x83, 0x1d, 0xab, 0x61, 0x37, 0x5f, 0x57, 0xe0, - 0xf2, 0xb1, 0x30, 0xde, 0xea, 0x07, 0x92, 0x82, 0xf0, 0xb7, 0xc8, 0x16, 0xd9, 0x32, 0xee, 0x8f, - 0x62, 0xa7, 0x24, 0x03, 0x7a, 0x67, 0xb1, 0x80, 0xce, 0x83, 0x11, 0x34, 0x1f, 0x29, 0x75, 0xfb, - 0x5c, 0x8b, 0x10, 0xa3, 0x87, 0x4f, 0xd0, 0xaa, 0xec, 0x9c, 0xd6, 0x53, 0x67, 0x59, 0x06, 0x73, - 0xa8, 0xe0, 0xab, 0x47, 0xa9, 0xf9, 0x76, 0x52, 0x7b, 0x73, 0x5e, 0x3d, 0xf9, 0x55, 0x0c, 0xcc, - 0x6d, 0xb7, 0x9e, 0x12, 0x2d, 0x22, 0x52, 0x63, 0xdc, 0xef, 0x83, 0x53, 0x2e, 0xa6, 0x76, 0x26, - 0x8c, 0xb7, 0xfa, 0x81, 0xa4, 0x20, 0x7c, 0x80, 0x10, 0x85, 0x1f, 0x13, 0x60, 0xbc, 0x4d, 0x5a, - 0xce, 0x8a, 0xa4, 0x64, 0xa5, 0x23, 0x99, 0x87, 0xe4, 0x50, 0x78, 0x07, 0x2d, 0x8f, 0x81, 0x76, - 0x9c, 0x55, 0x89, 0x7e, 0xa8, 0xd0, 0xcb, 0xcf, 0x80, 0x76, 0x88, 0xf4, 0xe0, 0xcf, 0xd1, 0x72, - 0xc2, 0x80, 0x3a, 0x15, 0x59, 0xab, 0xb7, 0x73, 0xb5, 0x72, 0x8b, 0xbd, 0x2d, 0x6a, 0xd4, 0x66, - 0x40, 0x5b, 0xe1, 0x45, 0x64, 0x94, 0x84, 0x85, 0x48, 0x05, 0x3c, 0x40, 0x5b, 0xc1, 0x28, 0x06, - 0xca, 0xa2, 0x50, 0xb4, 0x8a, 0xf0, 0x38, 0xf6, 0xbd, 0x54, 0x5f, 0x9b, 0x4e, 0x6a, 0x5b, 0xad, - 0x19, 0x0d, 0x72, 0x47, 0x15, 0xbf, 0x8b, 0x6c, 0x16, 0x25, 0xb4, 0x0b, 0xad, 0x53, 0xe6, 0xa0, - 0x9d, 0x52, 0xc3, 0x6e, 0xae, 0x8b, 0x97, 0x76, 0xa6, 0x8d, 0xc4, 0xf8, 0xf1, 0x05, 0xb2, 0x23, - 0xd9, 0x57, 0x04, 0x2e, 0x9c, 0x35, 0x19, 0xcf, 0xc7, 0xee, 0xa2, 0xab, 0x41, 0xb5, 0x29, 0x81, - 0x0b, 0xa0, 0x10, 0x76, 0x21, 0xbd, 0x27, 0x33, 0x12, 0x23, 0x8d, 0x07, 0x68, 0x83, 0x02, 0x8b, - 0xa3, 0x90, 0xc1, 0x19, 0xf7, 0x79, 0xc2, 0x9c, 0x87, 0xf2, 0xb2, 0xdd, 0xc5, 0xda, 0x2f, 0xe5, - 0x34, 0xf1, 0x74, 0x52, 0xdb, 0x20, 0x05, 0x1d, 0x32, 0xa3, 0x8b, 0x7d, 0xb4, 0xae, 0x5e, 0x71, - 0x1a, 0x88, 0xb3, 0x2e, 0x2f, 0x6a, 0xcc, 0xbd, 0x48, 0xad, 0x00, 0xb7, 0x1d, 0x5e, 0x86, 0xd1, - 0x4f, 0x61, 0xf3, 0xd1, 0x74, 0x52, 0x5b, 
0x27, 0x79, 0x09, 0x52, 0x54, 0xc4, 0x3d, 0x93, 0x8c, - 0xba, 0x63, 0xe3, 0x9e, 0x77, 0x14, 0x12, 0x51, 0x97, 0xcc, 0x68, 0xd6, 0xff, 0xb0, 0x90, 0x2d, - 0xd7, 0xc8, 0x71, 0xc0, 0x38, 0xfe, 0xee, 0xce, 0x2a, 0x71, 0x17, 0x2b, 0x9d, 0x60, 0xcb, 0x45, - 0xb2, 0xa5, 0xba, 0xb2, 0xa2, 0x2d, 0xb9, 0x35, 0x72, 0x8e, 0xca, 0x01, 0x87, 0x11, 0x73, 0x1e, - 0xec, 0x94, 0x1a, 0x6b, 0x07, 0xde, 0xe2, 0x2d, 0x20, 0x23, 0x6c, 0xae, 0xeb, 0xe1, 0x6c, 0x09, - 0x15, 0x92, 0x8a, 0xd5, 0x7f, 0xb7, 0xd0, 0xc6, 0x67, 0x34, 0x4a, 0x62, 0x02, 0x69, 0xc7, 0x31, - 0xfc, 0x16, 0x2a, 0xf7, 0x85, 0x45, 0xe6, 0x60, 0x1b, 0x5e, 0x0a, 0x4b, 0x7d, 0xa2, 0x83, 0xa9, - 0x66, 0xc8, 0x88, 0x54, 0x07, 0x67, 0x32, 0xc4, 0xf8, 0xf1, 0x47, 0xe2, 0x7d, 0xa7, 0x87, 0x13, - 0x7f, 0x04, 0xcc, 0x29, 0x49, 0x82, 0x7a, 0x8b, 0x39, 0x07, 0x29, 0xe2, 0xea, 0xbf, 0x94, 0xd0, - 0xe6, 0x4c, 0x03, 0xe3, 0x5d, 0x54, 0xd1, 0x20, 0x15, 0x61, 0x56, 0x35, 0xad, 0x45, 0x32, 0x04, - 0xf6, 0x90, 0x1d, 0x0a, 0xa9, 0xd8, 0xef, 0x82, 0x5a, 0xc0, 0xd9, 0x8a, 0x3c, 0xd1, 0x0e, 0x62, - 0x30, 0x62, 0xe1, 0x88, 0x83, 0x5c, 0xbd, 0xb9, 0x85, 0x23, 0xb0, 0x44, 0x7a, 0x70, 0x13, 0x95, - 0x92, 0xa0, 0xa7, 0x16, 0xe8, 0x9e, 0x02, 0x94, 0xda, 0x8b, 0x2e, 0x4f, 0x41, 0x16, 0xab, 0xd0, - 0x8f, 0x83, 0x67, 0x40, 0x59, 0x10, 0x85, 0x6a, 0x7b, 0x66, 0xab, 0xf0, 0xe8, 0xb4, 0xa5, 0x3c, - 0x24, 0x87, 0xc2, 0x47, 0x68, 0x53, 0xa7, 0xa5, 0x89, 0xe9, 0x0e, 0x7d, 0x43, 0x11, 0x37, 0x49, - 0xd1, 0x4d, 0x66, 0xf1, 0xf8, 0x03, 0xb4, 0xc6, 0x92, 0x4e, 0x56, 0xbe, 0x74, 0xa9, 0x3e, 0x56, - 0xf4, 0xb5, 0x33, 0xe3, 0x22, 0x79, 0x5c, 0xfd, 0x6f, 0x0b, 0xad, 0x9c, 0x46, 0xc3, 0xa0, 0x7b, - 0xf5, 0x0a, 0x3e, 0x97, 0x5f, 0xa3, 0x32, 0x4d, 0x86, 0xa0, 0xfb, 0xfc, 0x70, 0xf1, 0x3e, 0x4f, - 0x43, 0x24, 0xc9, 0x10, 0x4c, 0xd3, 0x8a, 0x13, 0x23, 0xa9, 0x62, 0xfd, 0x4f, 0x0b, 0xa1, 0x14, - 0xf4, 0x0a, 0xe6, 0xb5, 0x5d, 0x9c, 0xd7, 0xbd, 0xfb, 0xe6, 0x31, 0x67, 0x60, 0x7f, 0x2d, 0xe9, - 0x1c, 0x44, 0x6a, 0xe6, 0xe7, 0xc2, 0x5a, 0xe4, 0xe7, 0xa2, 0x86, 0xca, 0xe2, 
0x4b, 0xa7, 0x27, - 0xd6, 0x16, 0x48, 0xf1, 0x41, 0x62, 0x24, 0xb5, 0x63, 0x17, 0x21, 0xf1, 0x20, 0x47, 0x5d, 0x8f, - 0xe9, 0x86, 0x78, 0x55, 0xed, 0xcc, 0x4a, 0x72, 0x08, 0x21, 0x28, 0x3e, 0xc2, 0xcc, 0x59, 0x36, - 0x82, 0xe2, 0xdb, 0xcc, 0x48, 0x6a, 0xc7, 0x41, 0x7e, 0x4f, 0x94, 0x65, 0x25, 0x9e, 0x2c, 0x5e, - 0x89, 0xe2, 0x66, 0x32, 0x93, 0xfb, 0xd2, 0x2d, 0xe3, 0x22, 0x94, 0x8d, 0x31, 0x73, 0x56, 0x4c, - 0xec, 0xd9, 0x9c, 0x33, 0x92, 0x43, 0xe0, 0x4f, 0xd0, 0x66, 0x18, 0x85, 0x5a, 0xaa, 0x4d, 0x8e, - 0x99, 0xb3, 0x2a, 0x49, 0x8f, 0xc5, 0x2c, 0x9d, 0x14, 0x5d, 0x64, 0x16, 0xdb, 0x74, 0xaf, 0x6f, - 0xaa, 0x4b, 0xcf, 0x6f, 0xaa, 0x4b, 0x2f, 0x6e, 0xaa, 0x4b, 0x3f, 0x4f, 0xab, 0xd6, 0xf5, 0xb4, - 0x6a, 0x3d, 0x9f, 0x56, 0xad, 0x17, 0xd3, 0xaa, 0xf5, 0xcf, 0xb4, 0x6a, 0xfd, 0xf6, 0x6f, 0x75, - 0xe9, 0x9b, 0x8a, 0xce, 0xe5, 0xbf, 0x00, 0x00, 0x00, 0xff, 0xff, 0x6c, 0x88, 0x4f, 0x33, 0x21, - 0x0c, 0x00, 0x00, + // 1129 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0xcd, 0x6e, 0x23, 0x45, + 0x10, 0xce, 0xac, 0xe3, 0x8d, 0xa7, 0xb3, 0xf9, 0xd9, 0x5e, 0xc4, 0x8e, 0x72, 0xb0, 0x83, 0x91, + 0x90, 0x05, 0x61, 0x26, 0x09, 0x81, 0x5d, 0x0e, 0x1c, 0x62, 0x2d, 0x02, 0x4b, 0x21, 0x84, 0x4e, + 0xbc, 0x12, 0x3f, 0x07, 0xc6, 0x76, 0xc5, 0x1e, 0xe2, 0xf9, 0xa1, 0xbb, 0xc7, 0x28, 0x37, 0x0e, + 0x3c, 0x00, 0x77, 0x1e, 0x66, 0x85, 0x04, 0x52, 0x8e, 0x7b, 0xdc, 0x93, 0x45, 0xcc, 0x5b, 0xe4, + 0x84, 0xba, 0xa7, 0x7b, 0x7a, 0xec, 0xac, 0x85, 0x73, 0xd9, 0xdb, 0x74, 0xd5, 0xf7, 0x7d, 0x5d, + 0x55, 0x53, 0x55, 0x33, 0xe8, 0x9b, 0x8b, 0xa7, 0xcc, 0x0d, 0x62, 0xef, 0x22, 0xed, 0x00, 0x8d, + 0x80, 0x03, 0xf3, 0x46, 0x10, 0xf5, 0x62, 0xea, 0x29, 0x87, 0x9f, 0x04, 0x0c, 0xe8, 0x08, 0xa8, + 0x97, 0x5c, 0xf4, 0xe5, 0xc9, 0xf3, 0xd3, 0x5e, 0xc0, 0xbd, 0xd1, 0x9e, 0x3f, 0x4c, 0x06, 0xfe, + 0x9e, 0xd7, 0x87, 0x08, 0xa8, 0xcf, 0xa1, 0xe7, 0x26, 0x34, 0xe6, 0x31, 0x6e, 0x64, 0x4c, 0x37, + 0x67, 0xba, 0xc9, 0x45, 0x5f, 0x9e, 0x5c, 0xc9, 
0x74, 0x35, 0x73, 0xeb, 0xc3, 0x7e, 0xc0, 0x07, + 0x69, 0xc7, 0xed, 0xc6, 0xa1, 0xd7, 0x8f, 0xfb, 0xb1, 0x27, 0x05, 0x3a, 0xe9, 0xb9, 0x3c, 0xc9, + 0x83, 0x7c, 0xca, 0x84, 0xb7, 0x76, 0x4c, 0x48, 0x9e, 0x9f, 0xf2, 0x01, 0x44, 0x3c, 0xe8, 0xfa, + 0x3c, 0x88, 0x23, 0x6f, 0x74, 0x2b, 0x8c, 0xad, 0x03, 0x83, 0x0e, 0xfd, 0xee, 0x20, 0x88, 0x80, + 0x5e, 0x9a, 0x1c, 0x42, 0xe0, 0xfe, 0xeb, 0x58, 0xde, 0x3c, 0x16, 0x4d, 0x23, 0x1e, 0x84, 0x70, + 0x8b, 0xf0, 0xc9, 0xff, 0x11, 0x58, 0x77, 0x00, 0xa1, 0x7f, 0x8b, 0xf7, 0xd1, 0x3c, 0x5e, 0xca, + 0x83, 0xa1, 0x17, 0x44, 0x9c, 0x71, 0x3a, 0x4b, 0xaa, 0xff, 0x55, 0x41, 0xe5, 0xcf, 0x47, 0x10, + 0x71, 0xfc, 0x23, 0xaa, 0x88, 0x14, 0x7a, 0x3e, 0xf7, 0x1d, 0x6b, 0xdb, 0x6a, 0xac, 0xee, 0xef, + 0xba, 0xa6, 0xee, 0xb9, 0xa2, 0x29, 0xbd, 0x40, 0xbb, 0xa3, 0x3d, 0xf7, 0xeb, 0xce, 0x4f, 0xd0, + 0xe5, 0x5f, 0x01, 0xf7, 0x9b, 0xf8, 0x6a, 0x5c, 0x5b, 0x9a, 0x8c, 0x6b, 0xc8, 0xd8, 0x48, 0xae, + 0x8a, 0x77, 0x50, 0x79, 0x08, 0x23, 0x18, 0x3a, 0xf7, 0xb6, 0xad, 0x86, 0xdd, 0x7c, 0x5b, 0x81, + 0xcb, 0x47, 0xc2, 0x78, 0xa3, 0x1f, 0x48, 0x06, 0xc2, 0xdf, 0x23, 0x5b, 0x64, 0xcb, 0xb8, 0x1f, + 0x26, 0x4e, 0x49, 0x06, 0xf4, 0xfe, 0x62, 0x01, 0x9d, 0x05, 0x21, 0x34, 0x1f, 0x2a, 0x75, 0xfb, + 0x4c, 0x8b, 0x10, 0xa3, 0x87, 0x8f, 0xd1, 0x8a, 0xec, 0x9c, 0xd6, 0x33, 0x67, 0x59, 0x06, 0x73, + 0xa0, 0xe0, 0x2b, 0x87, 0x99, 0xf9, 0x66, 0x5c, 0x7b, 0x67, 0x5e, 0x3d, 0xf9, 0x65, 0x02, 0xcc, + 0x6d, 0xb7, 0x9e, 0x11, 0x2d, 0x22, 0x52, 0x63, 0xdc, 0xef, 0x83, 0x53, 0x9e, 0x4e, 0xed, 0x54, + 0x18, 0x6f, 0xf4, 0x03, 0xc9, 0x40, 0x78, 0x1f, 0x21, 0x0a, 0x3f, 0xa7, 0xc0, 0x78, 0x9b, 0xb4, + 0x9c, 0xfb, 0x92, 0x92, 0x97, 0x8e, 0xe4, 0x1e, 0x52, 0x40, 0xe1, 0x6d, 0xb4, 0x3c, 0x02, 0xda, + 0x71, 0x56, 0x24, 0xfa, 0x81, 0x42, 0x2f, 0x3f, 0x07, 0xda, 0x21, 0xd2, 0x83, 0xbf, 0x44, 0xcb, + 0x29, 0x03, 0xea, 0x54, 0x64, 0xad, 0xde, 0x2b, 0xd4, 0xca, 0x9d, 0xee, 0x6d, 0x51, 0xa3, 0x36, + 0x03, 0xda, 0x8a, 0xce, 0x63, 0xa3, 0x24, 0x2c, 0x44, 0x2a, 0xe0, 0x01, 0xda, 0x0c, 
0xc2, 0x04, + 0x28, 0x8b, 0x23, 0xd1, 0x2a, 0xc2, 0xe3, 0xd8, 0x77, 0x52, 0x7d, 0x6b, 0x32, 0xae, 0x6d, 0xb6, + 0x66, 0x34, 0xc8, 0x2d, 0x55, 0xfc, 0x01, 0xb2, 0x59, 0x9c, 0xd2, 0x2e, 0xb4, 0x4e, 0x98, 0x83, + 0xb6, 0x4b, 0x0d, 0xbb, 0xb9, 0x26, 0x5e, 0xda, 0xa9, 0x36, 0x12, 0xe3, 0xc7, 0xe7, 0xc8, 0x8e, + 0x65, 0x5f, 0x11, 0x38, 0x77, 0x56, 0x65, 0x3c, 0x9f, 0xba, 0x8b, 0xae, 0x06, 0xd5, 0xa6, 0x04, + 0xce, 0x81, 0x42, 0xd4, 0x85, 0xec, 0x9e, 0xdc, 0x48, 0x8c, 0x34, 0x1e, 0xa0, 0x75, 0x0a, 0x2c, + 0x89, 0x23, 0x06, 0xa7, 0xdc, 0xe7, 0x29, 0x73, 0x1e, 0xc8, 0xcb, 0x76, 0x16, 0x6b, 0xbf, 0x8c, + 0xd3, 0xc4, 0x93, 0x71, 0x6d, 0x9d, 0x4c, 0xe9, 0x90, 0x19, 0x5d, 0xec, 0xa3, 0x35, 0xf5, 0x8a, + 0xb3, 0x40, 0x9c, 0x35, 0x79, 0x51, 0x63, 0xee, 0x45, 0x6a, 0x05, 0xb8, 0xed, 0xe8, 0x22, 0x8a, + 0x7f, 0x89, 0x9a, 0x0f, 0x27, 0xe3, 0xda, 0x1a, 0x29, 0x4a, 0x90, 0x69, 0x45, 0xdc, 0x33, 0xc9, + 0xa8, 0x3b, 0xd6, 0xef, 0x78, 0xc7, 0x54, 0x22, 0xea, 0x92, 0x19, 0xcd, 0xfa, 0x0b, 0x0b, 0xd9, + 0x72, 0x8d, 0x1c, 0x05, 0x8c, 0xe3, 0x1f, 0x6e, 0xad, 0x12, 0x77, 0xb1, 0xd2, 0x09, 0xb6, 0x5c, + 0x24, 0x9b, 0xaa, 0x2b, 0x2b, 0xda, 0x52, 0x58, 0x23, 0x67, 0xa8, 0x1c, 0x70, 0x08, 0x99, 0x73, + 0x6f, 0xbb, 0xd4, 0x58, 0xdd, 0xf7, 0x16, 0x6f, 0x01, 0x19, 0x61, 0x73, 0x4d, 0x0f, 0x67, 0x4b, + 0xa8, 0x90, 0x4c, 0xac, 0xfe, 0x87, 0x85, 0xd6, 0xbf, 0xa0, 0x71, 0x9a, 0x10, 0xc8, 0x3a, 0x8e, + 0xe1, 0x77, 0x51, 0xb9, 0x2f, 0x2c, 0x32, 0x07, 0xdb, 0xf0, 0x32, 0x58, 0xe6, 0x13, 0x1d, 0x4c, + 0x35, 0x43, 0x46, 0xa4, 0x3a, 0x38, 0x97, 0x21, 0xc6, 0x8f, 0x9f, 0x88, 0xf7, 0x9d, 0x1d, 0x8e, + 0xfd, 0x10, 0x98, 0x53, 0x92, 0x04, 0xf5, 0x16, 0x0b, 0x0e, 0x32, 0x8d, 0xab, 0xff, 0x56, 0x42, + 0x1b, 0x33, 0x0d, 0x8c, 0x77, 0x50, 0x45, 0x83, 0x54, 0x84, 0x79, 0xd5, 0xb4, 0x16, 0xc9, 0x11, + 0xd8, 0x43, 0x76, 0x24, 0xa4, 0x12, 0xbf, 0x0b, 0x6a, 0x01, 0xe7, 0x2b, 0xf2, 0x58, 0x3b, 0x88, + 0xc1, 0x88, 0x85, 0x23, 0x0e, 0x72, 0xf5, 0x16, 0x16, 0x8e, 0xc0, 0x12, 0xe9, 0xc1, 0x4d, 0x54, + 0x4a, 0x83, 0x9e, 0x5a, 
0xa0, 0xbb, 0x0a, 0x50, 0x6a, 0x2f, 0xba, 0x3c, 0x05, 0x59, 0xac, 0x42, + 0x3f, 0x09, 0x9e, 0x03, 0x65, 0x41, 0x1c, 0xa9, 0xed, 0x99, 0xaf, 0xc2, 0xc3, 0x93, 0x96, 0xf2, + 0x90, 0x02, 0x0a, 0x1f, 0xa2, 0x0d, 0x9d, 0x96, 0x26, 0x66, 0x3b, 0xf4, 0xb1, 0x22, 0x6e, 0x90, + 0x69, 0x37, 0x99, 0xc5, 0xe3, 0x8f, 0xd1, 0x2a, 0x4b, 0x3b, 0x79, 0xf9, 0xb2, 0xa5, 0xfa, 0x48, + 0xd1, 0x57, 0x4f, 0x8d, 0x8b, 0x14, 0x71, 0xf5, 0xbf, 0x2d, 0x74, 0xff, 0x24, 0x1e, 0x06, 0xdd, + 0xcb, 0x37, 0xf0, 0xb9, 0xfc, 0x16, 0x95, 0x69, 0x3a, 0x04, 0xdd, 0xe7, 0x07, 0x8b, 0xf7, 0x79, + 0x16, 0x22, 0x49, 0x87, 0x60, 0x9a, 0x56, 0x9c, 0x18, 0xc9, 0x14, 0xeb, 0x7f, 0x5a, 0x08, 0x65, + 0xa0, 0x37, 0x30, 0xaf, 0xed, 0xe9, 0x79, 0xdd, 0xbd, 0x6b, 0x1e, 0x73, 0x06, 0xf6, 0x45, 0x49, + 0xe7, 0x20, 0x52, 0x33, 0x3f, 0x17, 0xd6, 0x22, 0x3f, 0x17, 0x35, 0x54, 0x16, 0x5f, 0x3a, 0x3d, + 0xb1, 0xb6, 0x40, 0x8a, 0x0f, 0x12, 0x23, 0x99, 0x1d, 0xbb, 0x08, 0x89, 0x07, 0x39, 0xea, 0x7a, + 0x4c, 0xd7, 0xc5, 0xab, 0x6a, 0xe7, 0x56, 0x52, 0x40, 0x08, 0x41, 0xf1, 0x11, 0x66, 0xce, 0xb2, + 0x11, 0x14, 0xdf, 0x66, 0x46, 0x32, 0x3b, 0x0e, 0x8a, 0x7b, 0xa2, 0x2c, 0x2b, 0xf1, 0x74, 0xf1, + 0x4a, 0x4c, 0x6f, 0x26, 0x33, 0xb9, 0xaf, 0xdd, 0x32, 0x2e, 0x42, 0xf9, 0x18, 0x33, 0xe7, 0xbe, + 0x89, 0x3d, 0x9f, 0x73, 0x46, 0x0a, 0x08, 0xfc, 0x19, 0xda, 0x88, 0xe2, 0x48, 0x4b, 0xb5, 0xc9, + 0x11, 0x73, 0x56, 0x24, 0xe9, 0x91, 0x98, 0xa5, 0xe3, 0x69, 0x17, 0x99, 0xc5, 0xe2, 0x27, 0x08, + 0xc5, 0x61, 0xc0, 0xe5, 0x1f, 0x0e, 0x73, 0x2a, 0x92, 0xf9, 0x58, 0x76, 0x75, 0x6e, 0x35, 0x7f, + 0x40, 0x05, 0x68, 0xd3, 0xbd, 0xba, 0xae, 0x2e, 0xbd, 0xbc, 0xae, 0x2e, 0xbd, 0xba, 0xae, 0x2e, + 0xfd, 0x3a, 0xa9, 0x5a, 0x57, 0x93, 0xaa, 0xf5, 0x72, 0x52, 0xb5, 0x5e, 0x4d, 0xaa, 0xd6, 0x3f, + 0x93, 0xaa, 0xf5, 0xfb, 0xbf, 0xd5, 0xa5, 0xef, 0x2a, 0xba, 0x08, 0xff, 0x05, 0x00, 0x00, 0xff, + 0xff, 0x92, 0xdb, 0xa5, 0x50, 0x5a, 0x0c, 0x00, 0x00, } 
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.proto b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.proto index 9cf0627b1a8..3ab6575311e 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.proto +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.proto @@ -205,5 +205,9 @@ message PolicyRule { // "/healthz*" - Log all health checks // +optional repeated string nonResourceURLs = 7; + + // OmitStages specify events generated in which stages will not be emitted to backend. + // An empty list means no restrictions will apply. + repeated string omitStages = 8; } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go index 9eaaa111136..768a515b0cd 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/types.go @@ -208,6 +208,10 @@ type PolicyRule struct { // "/healthz*" - Log all health checks // +optional NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,7,rep,name=nonResourceURLs"` + + // OmitStages specify events generated in which stages will not be emitted to backend. + // An empty list means no restrictions will apply. + OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,8,rep,name=omitStages"` } // GroupResources represents resource kinds in an API group. diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.conversion.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.conversion.go index bdf1fad1018..107268f4a54 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.conversion.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.conversion.go 
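Review bot: `OmitStages []Stage` in `v1alpha1/types.go` takes any string as a stage, and nothing in the hunks visible here checks the entries against the defined stages; the generated decoder for field 8 simply appends `Stage(dAtA[iNdEx:postIndex])`. For a field that controls what reaches the audit backend, a misspelled entry should fail policy loading rather than be carried along silently, so the policy validation should reject unknown values if it does not already do so elsewhere in this commit. Once that check exists, the comment could add `// Entries must be valid Stage values; unknown values are rejected when the policy is validated.`. The `PolicyRule` struct starts outside the hunk.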
@@ -264,6 +264,7 @@ func autoConvert_v1alpha1_PolicyRule_To_audit_PolicyRule(in *PolicyRule, out *au out.Resources = *(*[]audit.GroupResources)(unsafe.Pointer(&in.Resources)) out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces)) out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs)) + out.OmitStages = *(*[]audit.Stage)(unsafe.Pointer(&in.OmitStages)) return nil } @@ -280,6 +281,7 @@ func autoConvert_audit_PolicyRule_To_v1alpha1_PolicyRule(in *audit.PolicyRule, o out.Resources = *(*[]GroupResources)(unsafe.Pointer(&in.Resources)) out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces)) out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs)) + out.OmitStages = *(*[]Stage)(unsafe.Pointer(&in.OmitStages)) return nil } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.deepcopy.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.deepcopy.go index 19a737bf75f..7b0029e933a 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.deepcopy.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1/zz_generated.deepcopy.go @@ -327,6 +327,11 @@ func (in *PolicyRule) DeepCopyInto(out *PolicyRule) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.OmitStages != nil { + in, out := &in.OmitStages, &out.OmitStages + *out = make([]Stage, len(*in)) + copy(*out, *in) + } return } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.pb.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.pb.go index 5cc140b263e..eaf98883bb5 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.pb.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.pb.go 
@@ -547,6 +547,21 @@ func (m *PolicyRule) MarshalTo(dAtA []byte) (int, error) { i += copy(dAtA[i:], s) } } + if len(m.OmitStages) > 0 { + for _, s := range m.OmitStages { + dAtA[i] = 0x42 + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } return i, nil } @@ -750,6 +765,12 @@ func (m *PolicyRule) Size() (n int) { n += 1 + l + sovGenerated(uint64(l)) } } + if len(m.OmitStages) > 0 { + for _, s := range m.OmitStages { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } return n } @@ -863,6 +884,7 @@ func (this *PolicyRule) String() string { `Resources:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Resources), "GroupResources", "GroupResources", 1), `&`, ``, 1) + `,`, `Namespaces:` + fmt.Sprintf("%v", this.Namespaces) + `,`, `NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`, + `OmitStages:` + fmt.Sprintf("%v", this.OmitStages) + `,`, `}`, }, "") return s @@ -2340,6 +2362,35 @@ func (m *PolicyRule) Unmarshal(dAtA []byte) error { } m.NonResourceURLs = append(m.NonResourceURLs, string(dAtA[iNdEx:postIndex])) iNdEx = postIndex + case 8: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field OmitStages", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.OmitStages = append(m.OmitStages, Stage(dAtA[iNdEx:postIndex])) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) 
@@ -2471,76 +2522,78 @@ func init() { } var fileDescriptorGenerated = []byte{ - // 1131 bytes of a gzipped FileDescriptorProto + // 1153 bytes of a gzipped FileDescriptorProto 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0x4f, 0x6f, 0x1b, 0x45, - 0x14, 0xcf, 0xd6, 0x71, 0xe2, 0x9d, 0x34, 0x7f, 0x3a, 0x45, 0xb0, 0xca, 0xc1, 0x0e, 0x46, 0x82, - 0x08, 0xd2, 0xdd, 0xa6, 0x2d, 0x34, 0x17, 0x0e, 0xb1, 0x8a, 0xc0, 0x52, 0x08, 0xd1, 0x24, 0xae, - 0x10, 0x70, 0x60, 0x6c, 0xbf, 0xd8, 0x4b, 0xec, 0xdd, 0x65, 0x66, 0xd6, 0x28, 0x37, 0x2e, 0xdc, - 0xb9, 0xf3, 0x2d, 0xf8, 0x00, 0x08, 0x09, 0x0e, 0x39, 0xf6, 0xd8, 0x93, 0x45, 0xcc, 0xb7, 0xc8, - 0x09, 0xcd, 0xec, 0xec, 0xce, 0xae, 0x5d, 0x53, 0xe7, 0xd2, 0x9b, 0xe7, 0xbd, 0xdf, 0xef, 0x37, - 0xef, 0xbd, 0x79, 0xef, 0xad, 0xd1, 0xc9, 0xc5, 0x01, 0x77, 0xfd, 0xd0, 0xbb, 0x88, 0xdb, 0xc0, - 0x02, 0x10, 0xc0, 0xbd, 0x11, 0x04, 0xdd, 0x90, 0x79, 0xda, 0x41, 0x23, 0x9f, 0x03, 0x1b, 0x01, - 0xf3, 0xa2, 0x8b, 0x9e, 0x3a, 0x79, 0x34, 0xee, 0xfa, 0xc2, 0x1b, 0xed, 0xb7, 0x41, 0xd0, 0x7d, - 0xaf, 0x07, 0x01, 0x30, 0x2a, 0xa0, 0xeb, 0x46, 0x2c, 0x14, 0x21, 0xfe, 0x20, 0x21, 0xba, 0x19, - 0xd1, 0x8d, 0x2e, 0x7a, 0xea, 0xe4, 0x2a, 0xa2, 0xab, 0x89, 0xdb, 0x0f, 0x7a, 0xbe, 0xe8, 0xc7, - 0x6d, 0xb7, 0x13, 0x0e, 0xbd, 0x5e, 0xd8, 0x0b, 0x3d, 0xc5, 0x6f, 0xc7, 0xe7, 0xea, 0xa4, 0x0e, - 0xea, 0x57, 0xa2, 0xbb, 0xbd, 0x67, 0x02, 0xf2, 0x68, 0x2c, 0xfa, 0x10, 0x08, 0xbf, 0x43, 0x85, - 0x1f, 0x06, 0xde, 0x68, 0x26, 0x8a, 0xed, 0x27, 0x06, 0x3d, 0xa4, 0x9d, 0xbe, 0x1f, 0x00, 0xbb, - 0x34, 0x19, 0x0c, 0x41, 0xd0, 0x57, 0xb1, 0xbc, 0x79, 0x2c, 0x16, 0x07, 0xc2, 0x1f, 0xc2, 0x0c, - 0xe1, 0x93, 0xd7, 0x11, 0x78, 0xa7, 0x0f, 0x43, 0x3a, 0xc3, 0x7b, 0x3c, 0x8f, 0x17, 0x0b, 0x7f, - 0xe0, 0xf9, 0x81, 0xe0, 0x82, 0xcd, 0x90, 0x0e, 0x5e, 0xff, 0x24, 0x74, 0x10, 0xf5, 0x67, 0xdf, - 0xa4, 0xfe, 0x57, 0x05, 0x95, 0x3f, 0x1b, 0x41, 0x20, 0xf0, 0xf7, 0xa8, 0x22, 0x93, 0xef, 0x52, - 0x41, 0x1d, 0x6b, 0xc7, 0xda, 0x5d, 0x7b, 0xf4, 0xd0, 0x35, 
0x0f, 0x96, 0xc5, 0x62, 0xde, 0x4c, - 0xa2, 0xdd, 0xd1, 0xbe, 0xfb, 0x55, 0xfb, 0x07, 0xe8, 0x88, 0x2f, 0x41, 0xd0, 0x06, 0xbe, 0x1a, - 0xd7, 0x96, 0x26, 0xe3, 0x1a, 0x32, 0x36, 0x92, 0xa9, 0xe2, 0x3d, 0x54, 0x1e, 0xc0, 0x08, 0x06, - 0xce, 0x9d, 0x1d, 0x6b, 0xd7, 0x6e, 0xbc, 0xad, 0xc1, 0xe5, 0x23, 0x69, 0xbc, 0x49, 0x7f, 0x90, - 0x04, 0x84, 0xbf, 0x45, 0xb6, 0xac, 0x13, 0x17, 0x74, 0x18, 0x39, 0x25, 0x15, 0xd0, 0x87, 0x8b, - 0x05, 0x74, 0xe6, 0x0f, 0xa1, 0x71, 0x4f, 0xab, 0xdb, 0x67, 0xa9, 0x08, 0x31, 0x7a, 0xf8, 0x18, - 0xad, 0xaa, 0xc2, 0x34, 0x9f, 0x39, 0xcb, 0x2a, 0x98, 0x27, 0x1a, 0xbe, 0x7a, 0x98, 0x98, 0x6f, - 0xc6, 0xb5, 0x77, 0xe7, 0xbd, 0x84, 0xb8, 0x8c, 0x80, 0xbb, 0xad, 0xe6, 0x33, 0x92, 0x8a, 0xc8, - 0xd4, 0xb8, 0xa0, 0x3d, 0x70, 0xca, 0xc5, 0xd4, 0x4e, 0xa5, 0xf1, 0x26, 0xfd, 0x41, 0x12, 0x10, - 0x7e, 0x84, 0x10, 0x83, 0x1f, 0x63, 0xe0, 0xa2, 0x45, 0x9a, 0xce, 0x8a, 0xa2, 0x64, 0xa5, 0x23, - 0x99, 0x87, 0xe4, 0x50, 0x78, 0x07, 0x2d, 0x8f, 0x80, 0xb5, 0x9d, 0x55, 0x85, 0xbe, 0xab, 0xd1, - 0xcb, 0xcf, 0x81, 0xb5, 0x89, 0xf2, 0xe0, 0x2f, 0xd0, 0x72, 0xcc, 0x81, 0x39, 0x15, 0x55, 0xab, - 0xf7, 0x73, 0xb5, 0x72, 0x8b, 0x53, 0x21, 0x6b, 0xd4, 0xe2, 0xc0, 0x9a, 0xc1, 0x79, 0x68, 0x94, - 0xa4, 0x85, 0x28, 0x05, 0xdc, 0x47, 0x5b, 0xfe, 0x30, 0x02, 0xc6, 0xc3, 0x40, 0xb6, 0x8a, 0xf4, - 0x38, 0xf6, 0xad, 0x54, 0xdf, 0x9a, 0x8c, 0x6b, 0x5b, 0xcd, 0x29, 0x0d, 0x32, 0xa3, 0x8a, 0x3f, - 0x42, 0x36, 0x0f, 0x63, 0xd6, 0x81, 0xe6, 0x09, 0x77, 0xd0, 0x4e, 0x69, 0xd7, 0x6e, 0xac, 0xcb, - 0x47, 0x3b, 0x4d, 0x8d, 0xc4, 0xf8, 0x31, 0x20, 0x3b, 0x54, 0x7d, 0x45, 0xe0, 0xdc, 0x59, 0x53, - 0xf1, 0x1c, 0xb8, 0x0b, 0xee, 0x14, 0xdd, 0xa5, 0x04, 0xce, 0x81, 0x41, 0xd0, 0x81, 0xe4, 0x9a, - 0xcc, 0x48, 0x8c, 0x32, 0xee, 0xa3, 0x0d, 0x06, 0x3c, 0x0a, 0x03, 0x0e, 0xa7, 0x82, 0x8a, 0x98, - 0x3b, 0x77, 0xd5, 0x5d, 0x7b, 0x8b, 0x75, 0x5f, 0xc2, 0x69, 0xe0, 0xc9, 0xb8, 0xb6, 0x41, 0x0a, - 0x3a, 0x64, 0x4a, 0x17, 0x53, 0xb4, 0xae, 0x5f, 0x38, 0x09, 0xc4, 0x59, 0x57, 0x17, 0xed, 0xce, - 
0xbd, 0x48, 0xef, 0x0e, 0xb7, 0x15, 0x5c, 0x04, 0xe1, 0x4f, 0x41, 0xe3, 0xde, 0x64, 0x5c, 0x5b, - 0x27, 0x79, 0x09, 0x52, 0x54, 0xc4, 0x5d, 0x93, 0x8c, 0xbe, 0x63, 0xe3, 0x96, 0x77, 0x14, 0x12, - 0xd1, 0x97, 0x4c, 0x69, 0xd6, 0xff, 0xb0, 0x90, 0xad, 0xb6, 0xc8, 0x91, 0xcf, 0x05, 0xfe, 0x6e, - 0x66, 0x93, 0xb8, 0x8b, 0x95, 0x4e, 0xb2, 0xd5, 0x1e, 0xd9, 0xd2, 0x4d, 0x59, 0x49, 0x2d, 0xb9, - 0x2d, 0x72, 0x8a, 0xca, 0xbe, 0x80, 0x21, 0x77, 0xee, 0xec, 0x94, 0xa6, 0xa4, 0xff, 0xbf, 0x03, - 0x54, 0x80, 0x8d, 0xf5, 0x74, 0x34, 0x9b, 0x52, 0x84, 0x24, 0x5a, 0xf5, 0xdf, 0x2c, 0xb4, 0xf1, - 0x39, 0x0b, 0xe3, 0x88, 0x40, 0xd2, 0x6f, 0x1c, 0xbf, 0x87, 0xca, 0x3d, 0x69, 0x51, 0x29, 0xd8, - 0x86, 0x97, 0xc0, 0x12, 0x9f, 0xec, 0x5f, 0x96, 0x32, 0x54, 0x40, 0xba, 0x7f, 0x33, 0x19, 0x62, - 0xfc, 0xf8, 0xa9, 0x7c, 0xee, 0xe4, 0x70, 0x4c, 0x87, 0xc0, 0x9d, 0x92, 0x22, 0xe8, 0x47, 0xcc, - 0x39, 0x48, 0x11, 0x57, 0xff, 0xbd, 0x84, 0x36, 0xa7, 0xfa, 0x17, 0xef, 0xa1, 0x4a, 0x0a, 0xd2, - 0x11, 0x66, 0x45, 0x4b, 0xb5, 0x48, 0x86, 0xc0, 0x1e, 0xb2, 0x03, 0x29, 0x15, 0xd1, 0x0e, 0xe8, - 0xf5, 0x9b, 0x2d, 0xc8, 0xe3, 0xd4, 0x41, 0x0c, 0x46, 0xae, 0x1b, 0x79, 0x50, 0x8b, 0x37, 0xb7, - 0x6e, 0x24, 0x96, 0x28, 0x0f, 0x6e, 0xa0, 0x52, 0xec, 0x77, 0xf5, 0xfa, 0x7c, 0xa8, 0x01, 0xa5, - 0xd6, 0xa2, 0xab, 0x53, 0x92, 0x65, 0x12, 0x34, 0xf2, 0x55, 0x45, 0xf5, 0xe6, 0xcc, 0x92, 0x38, - 0x3c, 0x69, 0x26, 0x95, 0xce, 0x10, 0x72, 0x6d, 0xd2, 0xc8, 0x7f, 0x0e, 0x8c, 0xfb, 0x61, 0x30, - 0xbd, 0x36, 0x0f, 0x4f, 0x9a, 0xda, 0x43, 0x72, 0x28, 0x7c, 0x88, 0x36, 0xd3, 0x22, 0xa4, 0xc4, - 0x64, 0x83, 0xbe, 0xa3, 0x89, 0x9b, 0xa4, 0xe8, 0x26, 0xd3, 0x78, 0xfc, 0x31, 0x5a, 0xe3, 0x71, - 0x3b, 0x2b, 0x76, 0x45, 0xd1, 0xef, 0x6b, 0xfa, 0xda, 0xa9, 0x71, 0x91, 0x3c, 0xae, 0xfe, 0xb7, - 0x85, 0x56, 0x4e, 0xc2, 0x81, 0xdf, 0xb9, 0x7c, 0x03, 0x9f, 0xd6, 0xaf, 0x51, 0x99, 0xc5, 0x03, - 0x48, 0x87, 0xe2, 0xf1, 0xc2, 0x43, 0x91, 0x44, 0x48, 0xe2, 0x01, 0x98, 0x0e, 0x97, 0x27, 0x4e, - 0x12, 0xc1, 0xfa, 0x9f, 0x16, 0x42, 
0x09, 0xe8, 0x0d, 0xcc, 0xf6, 0x59, 0x71, 0xb6, 0xbd, 0x5b, - 0xa6, 0x31, 0x67, 0xb8, 0x7f, 0x29, 0xa5, 0x29, 0xc8, 0xcc, 0xcc, 0xdf, 0x10, 0x6b, 0x91, 0xbf, - 0x21, 0x35, 0x54, 0x96, 0xdf, 0xc4, 0x74, 0xba, 0x6d, 0x89, 0x94, 0x9f, 0x2e, 0x4e, 0x12, 0x3b, - 0x76, 0x11, 0x92, 0x3f, 0x54, 0x8b, 0xa6, 0x23, 0xbd, 0x21, 0x1f, 0xaa, 0x95, 0x59, 0x49, 0x0e, - 0x21, 0x05, 0xe5, 0xe7, 0x9a, 0x3b, 0xcb, 0x46, 0x50, 0x7e, 0xc5, 0x39, 0x49, 0xec, 0xb8, 0x9f, - 0xdf, 0x29, 0x65, 0x55, 0x88, 0xa7, 0x0b, 0x17, 0xa2, 0xb8, 0xc4, 0xcc, 0x90, 0xbf, 0x72, 0x21, - 0xb9, 0x08, 0x65, 0x13, 0xcf, 0x9d, 0x15, 0x13, 0x7a, 0xb6, 0x12, 0x38, 0xc9, 0x21, 0xf0, 0xa7, - 0x68, 0x33, 0x08, 0x83, 0x54, 0xaa, 0x45, 0x8e, 0xb8, 0xb3, 0xaa, 0x48, 0xf7, 0xe5, 0x20, 0x1d, - 0x17, 0x5d, 0x64, 0x1a, 0xdb, 0x78, 0x70, 0x75, 0x5d, 0x5d, 0x7a, 0x71, 0x5d, 0x5d, 0x7a, 0x79, - 0x5d, 0x5d, 0xfa, 0x79, 0x52, 0xb5, 0xae, 0x26, 0x55, 0xeb, 0xc5, 0xa4, 0x6a, 0xbd, 0x9c, 0x54, - 0xad, 0x7f, 0x26, 0x55, 0xeb, 0xd7, 0x7f, 0xab, 0x4b, 0xdf, 0xac, 0xea, 0x54, 0xfe, 0x0b, 0x00, - 0x00, 0xff, 0xff, 0x88, 0x33, 0xe9, 0x19, 0x81, 0x0c, 0x00, 0x00, + 0x14, 0xcf, 0xd6, 0x71, 0xe2, 0x9d, 0x34, 0x7f, 0x3a, 0x45, 0x74, 0x95, 0x83, 0x1d, 0x8c, 0x04, + 0x11, 0xa4, 0xbb, 0x4d, 0x5b, 0x48, 0x2e, 0x1c, 0x62, 0x15, 0x81, 0xa5, 0x10, 0xa2, 0x49, 0x5c, + 0x21, 0xe0, 0xc0, 0xd8, 0x7e, 0xb1, 0x97, 0x78, 0xff, 0x30, 0x33, 0x6b, 0x94, 0x1b, 0x1f, 0x81, + 0x3b, 0xdf, 0x82, 0x0f, 0x50, 0x21, 0xc1, 0x21, 0xc7, 0x1e, 0x7b, 0xb2, 0x88, 0xf9, 0x16, 0x39, + 0xa1, 0x99, 0x9d, 0xdd, 0x59, 0xdb, 0x4d, 0xeb, 0x5c, 0x7a, 0xdb, 0x7d, 0xef, 0xf7, 0xfb, 0xcd, + 0x7b, 0x6f, 0xde, 0x7b, 0xbb, 0xe8, 0xf8, 0x7c, 0x9f, 0xbb, 0x7e, 0xe4, 0x9d, 0x27, 0x6d, 0x60, + 0x21, 0x08, 0xe0, 0xde, 0x10, 0xc2, 0x6e, 0xc4, 0x3c, 0xed, 0xa0, 0xb1, 0xcf, 0x81, 0x0d, 0x81, + 0x79, 0xf1, 0x79, 0x4f, 0xbd, 0x79, 0x34, 0xe9, 0xfa, 0xc2, 0x1b, 0xee, 0xb6, 0x41, 0xd0, 0x5d, + 0xaf, 0x07, 0x21, 0x30, 0x2a, 0xa0, 0xeb, 0xc6, 0x2c, 0x12, 0x11, 0xfe, 0x38, 0x25, 0xba, 0x39, + 0xd1, 
0x8d, 0xcf, 0x7b, 0xea, 0xcd, 0x55, 0x44, 0x57, 0x13, 0x37, 0x1f, 0xf6, 0x7c, 0xd1, 0x4f, + 0xda, 0x6e, 0x27, 0x0a, 0xbc, 0x5e, 0xd4, 0x8b, 0x3c, 0xc5, 0x6f, 0x27, 0x67, 0xea, 0x4d, 0xbd, + 0xa8, 0xa7, 0x54, 0x77, 0x73, 0xc7, 0x04, 0xe4, 0xd1, 0x44, 0xf4, 0x21, 0x14, 0x7e, 0x87, 0x0a, + 0x3f, 0x0a, 0xbd, 0xe1, 0x4c, 0x14, 0x9b, 0x4f, 0x0d, 0x3a, 0xa0, 0x9d, 0xbe, 0x1f, 0x02, 0xbb, + 0x30, 0x19, 0x04, 0x20, 0xe8, 0xeb, 0x58, 0xde, 0x4d, 0x2c, 0x96, 0x84, 0xc2, 0x0f, 0x60, 0x86, + 0xf0, 0xf9, 0xdb, 0x08, 0xbc, 0xd3, 0x87, 0x80, 0xce, 0xf0, 0x9e, 0xdc, 0xc4, 0x4b, 0x84, 0x3f, + 0xf0, 0xfc, 0x50, 0x70, 0xc1, 0x66, 0x48, 0xfb, 0x6f, 0xbf, 0x12, 0x3a, 0x88, 0xfb, 0xb3, 0x77, + 0x52, 0xff, 0xbb, 0x82, 0xca, 0x5f, 0x0e, 0x21, 0x14, 0xf8, 0x27, 0x54, 0x91, 0xc9, 0x77, 0xa9, + 0xa0, 0x8e, 0xb5, 0x65, 0x6d, 0xaf, 0x3c, 0x7e, 0xe4, 0x9a, 0x0b, 0xcb, 0x63, 0x31, 0x77, 0x26, + 0xd1, 0xee, 0x70, 0xd7, 0xfd, 0xb6, 0xfd, 0x33, 0x74, 0xc4, 0x37, 0x20, 0x68, 0x03, 0x5f, 0x8e, + 0x6a, 0x0b, 0xe3, 0x51, 0x0d, 0x19, 0x1b, 0xc9, 0x55, 0xf1, 0x0e, 0x2a, 0x0f, 0x60, 0x08, 0x03, + 0xe7, 0xce, 0x96, 0xb5, 0x6d, 0x37, 0xde, 0xd7, 0xe0, 0xf2, 0xa1, 0x34, 0x5e, 0x67, 0x0f, 0x24, + 0x05, 0xe1, 0x1f, 0x90, 0x2d, 0xeb, 0xc4, 0x05, 0x0d, 0x62, 0xa7, 0xa4, 0x02, 0xfa, 0x64, 0xbe, + 0x80, 0x4e, 0xfd, 0x00, 0x1a, 0xf7, 0xb4, 0xba, 0x7d, 0x9a, 0x89, 0x10, 0xa3, 0x87, 0x8f, 0xd0, + 0xb2, 0x2a, 0x4c, 0xf3, 0x99, 0xb3, 0xa8, 0x82, 0x79, 0xaa, 0xe1, 0xcb, 0x07, 0xa9, 0xf9, 0x7a, + 0x54, 0xfb, 0xe0, 0xa6, 0x9b, 0x10, 0x17, 0x31, 0x70, 0xb7, 0xd5, 0x7c, 0x46, 0x32, 0x11, 0x99, + 0x1a, 0x17, 0xb4, 0x07, 0x4e, 0x79, 0x32, 0xb5, 0x13, 0x69, 0xbc, 0xce, 0x1e, 0x48, 0x0a, 0xc2, + 0x8f, 0x11, 0x62, 0xf0, 0x4b, 0x02, 0x5c, 0xb4, 0x48, 0xd3, 0x59, 0x52, 0x94, 0xbc, 0x74, 0x24, + 0xf7, 0x90, 0x02, 0x0a, 0x6f, 0xa1, 0xc5, 0x21, 0xb0, 0xb6, 0xb3, 0xac, 0xd0, 0x77, 0x35, 0x7a, + 0xf1, 0x39, 0xb0, 0x36, 0x51, 0x1e, 0xfc, 0x35, 0x5a, 0x4c, 0x38, 0x30, 0xa7, 0xa2, 0x6a, 0xf5, + 0x51, 0xa1, 0x56, 0xee, 0xe4, 0x54, 0xc8, 
0x1a, 0xb5, 0x38, 0xb0, 0x66, 0x78, 0x16, 0x19, 0x25, + 0x69, 0x21, 0x4a, 0x01, 0xf7, 0xd1, 0x86, 0x1f, 0xc4, 0xc0, 0x78, 0x14, 0xca, 0x56, 0x91, 0x1e, + 0xc7, 0xbe, 0x95, 0xea, 0x7b, 0xe3, 0x51, 0x6d, 0xa3, 0x39, 0xa5, 0x41, 0x66, 0x54, 0xf1, 0xa7, + 0xc8, 0xe6, 0x51, 0xc2, 0x3a, 0xd0, 0x3c, 0xe6, 0x0e, 0xda, 0x2a, 0x6d, 0xdb, 0x8d, 0x55, 0x79, + 0x69, 0x27, 0x99, 0x91, 0x18, 0x3f, 0x06, 0x64, 0x47, 0xaa, 0xaf, 0x08, 0x9c, 0x39, 0x2b, 0x2a, + 0x9e, 0x7d, 0x77, 0xce, 0x9d, 0xa2, 0xbb, 0x94, 0xc0, 0x19, 0x30, 0x08, 0x3b, 0x90, 0x1e, 0x93, + 0x1b, 0x89, 0x51, 0xc6, 0x7d, 0xb4, 0xc6, 0x80, 0xc7, 0x51, 0xc8, 0xe1, 0x44, 0x50, 0x91, 0x70, + 0xe7, 0xae, 0x3a, 0x6b, 0x67, 0xbe, 0xee, 0x4b, 0x39, 0x0d, 0x3c, 0x1e, 0xd5, 0xd6, 0xc8, 0x84, + 0x0e, 0x99, 0xd2, 0xc5, 0x14, 0xad, 0xea, 0x1b, 0x4e, 0x03, 0x71, 0x56, 0xd5, 0x41, 0xdb, 0x37, + 0x1e, 0xa4, 0x77, 0x87, 0xdb, 0x0a, 0xcf, 0xc3, 0xe8, 0xd7, 0xb0, 0x71, 0x6f, 0x3c, 0xaa, 0xad, + 0x92, 0xa2, 0x04, 0x99, 0x54, 0xc4, 0x5d, 0x93, 0x8c, 0x3e, 0x63, 0xed, 0x96, 0x67, 0x4c, 0x24, + 0xa2, 0x0f, 0x99, 0xd2, 0xac, 0xbf, 0xb0, 0x90, 0xad, 0xb6, 0xc8, 0xa1, 0xcf, 0x05, 0xfe, 0x71, + 0x66, 0x93, 0xb8, 0xf3, 0x95, 0x4e, 0xb2, 0xd5, 0x1e, 0xd9, 0xd0, 0x4d, 0x59, 0xc9, 0x2c, 0x85, + 0x2d, 0x72, 0x82, 0xca, 0xbe, 0x80, 0x80, 0x3b, 0x77, 0xb6, 0x4a, 0x53, 0xd2, 0x6f, 0xee, 0x00, + 0x15, 0x60, 0x63, 0x35, 0x1b, 0xcd, 0xa6, 0x14, 0x21, 0xa9, 0x56, 0xfd, 0x0f, 0x0b, 0xad, 0x7d, + 0xc5, 0xa2, 0x24, 0x26, 0x90, 0xf6, 0x1b, 0xc7, 0x1f, 0xa2, 0x72, 0x4f, 0x5a, 0x54, 0x0a, 0xb6, + 0xe1, 0xa5, 0xb0, 0xd4, 0x27, 0xfb, 0x97, 0x65, 0x0c, 0x15, 0x90, 0xee, 0xdf, 0x5c, 0x86, 0x18, + 0x3f, 0xde, 0x93, 0xd7, 0x9d, 0xbe, 0x1c, 0xd1, 0x00, 0xb8, 0x53, 0x52, 0x04, 0x7d, 0x89, 0x05, + 0x07, 0x99, 0xc4, 0xd5, 0xff, 0x2c, 0xa1, 0xf5, 0xa9, 0xfe, 0xc5, 0x3b, 0xa8, 0x92, 0x81, 0x74, + 0x84, 0x79, 0xd1, 0x32, 0x2d, 0x92, 0x23, 0xb0, 0x87, 0xec, 0x50, 0x4a, 0xc5, 0xb4, 0x03, 0x7a, + 0xfd, 0xe6, 0x0b, 0xf2, 0x28, 0x73, 0x10, 0x83, 0x91, 0xeb, 0x46, 0xbe, 0xa8, 
0xc5, 0x5b, 0x58, + 0x37, 0x12, 0x4b, 0x94, 0x07, 0x37, 0x50, 0x29, 0xf1, 0xbb, 0x7a, 0x7d, 0x3e, 0xd2, 0x80, 0x52, + 0x6b, 0xde, 0xd5, 0x29, 0xc9, 0x32, 0x09, 0x1a, 0xfb, 0xaa, 0xa2, 0x7a, 0x73, 0xe6, 0x49, 0x1c, + 0x1c, 0x37, 0xd3, 0x4a, 0xe7, 0x08, 0xb9, 0x36, 0x69, 0xec, 0x3f, 0x07, 0xc6, 0xfd, 0x28, 0x9c, + 0x5e, 0x9b, 0x07, 0xc7, 0x4d, 0xed, 0x21, 0x05, 0x14, 0x3e, 0x40, 0xeb, 0x59, 0x11, 0x32, 0x62, + 0xba, 0x41, 0x1f, 0x68, 0xe2, 0x3a, 0x99, 0x74, 0x93, 0x69, 0x3c, 0xfe, 0x0c, 0xad, 0xf0, 0xa4, + 0x9d, 0x17, 0xbb, 0xa2, 0xe8, 0xf7, 0x35, 0x7d, 0xe5, 0xc4, 0xb8, 0x48, 0x11, 0x57, 0xff, 0xc7, + 0x42, 0x4b, 0xc7, 0xd1, 0xc0, 0xef, 0x5c, 0xbc, 0x83, 0x4f, 0xeb, 0x77, 0xa8, 0xcc, 0x92, 0x01, + 0x64, 0x43, 0xf1, 0x64, 0xee, 0xa1, 0x48, 0x23, 0x24, 0xc9, 0x00, 0x4c, 0x87, 0xcb, 0x37, 0x4e, + 0x52, 0xc1, 0xfa, 0x5f, 0x16, 0x42, 0x29, 0xe8, 0x1d, 0xcc, 0xf6, 0xe9, 0xe4, 0x6c, 0x7b, 0xb7, + 0x4c, 0xe3, 0x86, 0xe1, 0x7e, 0x51, 0xca, 0x52, 0x90, 0x99, 0x99, 0xdf, 0x10, 0x6b, 0x9e, 0xdf, + 0x90, 0x1a, 0x2a, 0xcb, 0x6f, 0x62, 0x36, 0xdd, 0xb6, 0x44, 0xca, 0x4f, 0x17, 0x27, 0xa9, 0x1d, + 0xbb, 0x08, 0xc9, 0x07, 0xd5, 0xa2, 0xd9, 0x48, 0xaf, 0xc9, 0x8b, 0x6a, 0xe5, 0x56, 0x52, 0x40, + 0x48, 0x41, 0xf9, 0xb9, 0xe6, 0xce, 0xa2, 0x11, 0x94, 0x5f, 0x71, 0x4e, 0x52, 0x3b, 0xee, 0x17, + 0x77, 0x4a, 0x59, 0x15, 0x62, 0x6f, 0xee, 0x42, 0x4c, 0x2e, 0x31, 0x33, 0xe4, 0xaf, 0x5d, 0x48, + 0x2e, 0x42, 0xf9, 0xc4, 0x73, 0x67, 0xc9, 0x84, 0x9e, 0xaf, 0x04, 0x4e, 0x0a, 0x08, 0xfc, 0x05, + 0x5a, 0x0f, 0xa3, 0x30, 0x93, 0x6a, 0x91, 0x43, 0xee, 0x2c, 0x2b, 0xd2, 0x7d, 0x39, 0x48, 0x47, + 0x93, 0x2e, 0x32, 0x8d, 0xc5, 0x7b, 0x08, 0x45, 0x81, 0x2f, 0xd4, 0xaf, 0x10, 0x77, 0x2a, 0x8a, + 0xf9, 0x40, 0xb5, 0x74, 0x6e, 0x35, 0xbf, 0x4a, 0x05, 0x68, 0xe3, 0xe1, 0xe5, 0x55, 0x75, 0xe1, + 0xe5, 0x55, 0x75, 0xe1, 0xd5, 0x55, 0x75, 0xe1, 0xb7, 0x71, 0xd5, 0xba, 0x1c, 0x57, 0xad, 0x97, + 0xe3, 0xaa, 0xf5, 0x6a, 0x5c, 0xb5, 0xfe, 0x1d, 0x57, 0xad, 0xdf, 0xff, 0xab, 0x2e, 0x7c, 0xbf, + 0xac, 0x6b, 0xf0, 
0x7f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x19, 0x44, 0x81, 0xf3, 0xba, 0x0c, 0x00, + 0x00, } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.proto b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.proto index 32fe12fd8c3..73e7e69581d 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.proto +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.proto @@ -212,5 +212,9 @@ message PolicyRule { // "/healthz*" - Log all health checks // +optional repeated string nonResourceURLs = 7; + + // OmitStages specify events generated in which stages will not be emitted to backend. + // An empty list means no restrictions will apply. + repeated string omitStages = 8; } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/types.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/types.go index 87a95a85efb..be42edffcd5 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/types.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/types.go @@ -201,6 +201,10 @@ type PolicyRule struct { // "/healthz*" - Log all health checks // +optional NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,7,rep,name=nonResourceURLs"` + + // OmitStages specify events generated in which stages will not be emitted to backend. + // An empty list means no restrictions will apply. + OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,8,rep,name=omitStages"` } // GroupResources represents resource kinds in an API group. diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.conversion.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.conversion.go index df704ef29e3..81d9270d204 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.conversion.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.conversion.go 
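Review bot: The new `OmitStages` field in v1beta1/types.go has no `// +optional` marker, although its tag is `omitempty` and the neighbouring `NonResourceURLs` field carries one; add `// +optional` above the field. The comment would read more clearly as `// OmitStages lists the stages for which no audit event is emitted for requests matching this rule.` followed by `// An empty list means events are emitted for every stage.` Because the field reduces what reaches the audit backend, the wording should leave no doubt that listed stages are suppressed, not selected. The `PolicyRule` struct begins outside the hunk.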
@@ -239,6 +239,7 @@ func autoConvert_v1beta1_PolicyRule_To_audit_PolicyRule(in *PolicyRule, out *aud out.Resources = *(*[]audit.GroupResources)(unsafe.Pointer(&in.Resources)) out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces)) out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs)) + out.OmitStages = *(*[]audit.Stage)(unsafe.Pointer(&in.OmitStages)) return nil } @@ -255,6 +256,7 @@ func autoConvert_audit_PolicyRule_To_v1beta1_PolicyRule(in *audit.PolicyRule, ou out.Resources = *(*[]GroupResources)(unsafe.Pointer(&in.Resources)) out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces)) out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs)) + out.OmitStages = *(*[]Stage)(unsafe.Pointer(&in.OmitStages)) return nil } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.deepcopy.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.deepcopy.go index e799a0f58c4..7da86d5399a 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.deepcopy.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/zz_generated.deepcopy.go @@ -327,6 +327,11 @@ func (in *PolicyRule) DeepCopyInto(out *PolicyRule) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.OmitStages != nil { + in, out := &in.OmitStages, &out.OmitStages + *out = make([]Stage, len(*in)) + copy(*out, *in) + } return } diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/validation/validation.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/validation/validation.go index 0db2030433a..6520a763948 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/validation/validation.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/validation/validation.go 
@@ -38,6 +38,7 @@ func validatePolicyRule(rule audit.PolicyRule, fldPath *field.Path) field.ErrorL allErrs = append(allErrs, validateLevel(rule.Level, fldPath.Child("level"))...) allErrs = append(allErrs, validateNonResourceURLs(rule.NonResourceURLs, fldPath.Child("nonResourceURLs"))...) allErrs = append(allErrs, validateResources(rule.Resources, fldPath.Child("resources"))...) + allErrs = append(allErrs, validateOmitStages(rule.OmitStages, fldPath.Child("omitStages"))...) if len(rule.NonResourceURLs) > 0 { if len(rule.Resources) > 0 || len(rule.Namespaces) > 0 { @@ -55,6 +56,13 @@ var validLevels = []string{ string(audit.LevelRequestResponse), } +var validOmitStages = []string{ + string(audit.StageRequestReceived), + string(audit.StageResponseStarted), + string(audit.StageResponseComplete), + string(audit.StagePanic), +} + func validateLevel(level audit.Level, fldPath *field.Path) field.ErrorList { switch level { case audit.LevelNone, audit.LevelMetadata, audit.LevelRequest, audit.LevelRequestResponse: @@ -104,3 +112,20 @@ func validateResources(groupResources []audit.GroupResources, fldPath *field.Pat } return allErrs } + +func validateOmitStages(omitStages []audit.Stage, fldPath *field.Path) field.ErrorList { + var allErrs field.ErrorList + for i, stage := range omitStages { + valid := false + for _, validOmitStage := range validOmitStages { + if string(stage) == validOmitStage { + valid = true + break + } + } + if !valid { + allErrs = append(allErrs, field.Invalid(fldPath.Index(i), string(stage), "allowed stages are "+strings.Join(validOmitStages, ","))) + } + } + return allErrs +} diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/validation/validation_test.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/validation/validation_test.go index 3acb9598bd0..53d60782a40 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/validation/validation_test.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/validation/validation_test.go 
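Review bot: `validateOmitStages` accepts `audit.StagePanic` and puts no limit on how many stages a rule may omit, so a rule can list all four stages and keep a non-None level while, as far as the filter in filters/audit.go shows, emitting nothing. If that is intended, say so on the function, e.g. `// validateOmitStages checks that every entry is a known stage; duplicates and a rule that omits every stage are accepted.` If it is not intended, a check after the loop that rejects a rule covering every entry of `validOmitStages` would keep a policy from silencing a rule without setting `Level: None`. The cases added to validation_test.go cover one valid and one unknown stage only.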
@@ -43,6 +43,11 @@ func TestValidatePolicy(t *testing.T) { "/metrics", "*", }, + }, { // Omit RequestReceived stage + Level: audit.LevelMetadata, + OmitStages: []audit.Stage{ + audit.Stage("RequestReceived"), + }, }, } successCases := []audit.Policy{} @@ -108,6 +113,12 @@ func TestValidatePolicy(t *testing.T) { Resources: []audit.GroupResources{{ResourceNames: []string{"leader"}}}, Namespaces: []string{"kube-system"}, }, + { // invalid omitStages + Level: audit.LevelMetadata, + OmitStages: []audit.Stage{ + audit.Stage("foo"), + }, + }, } errorCases := []audit.Policy{} for _, rule := range invalidRules { diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/zz_generated.deepcopy.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/zz_generated.deepcopy.go index 73bd386d78b..907e51b1248 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/audit/zz_generated.deepcopy.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/zz_generated.deepcopy.go @@ -325,6 +325,11 @@ func (in *PolicyRule) DeepCopyInto(out *PolicyRule) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.OmitStages != nil { + in, out := &in.OmitStages, &out.OmitStages + *out = make([]Stage, len(*in)) + copy(*out, *in) + } return } diff --git a/staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go b/staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go index 6896ab7c579..b92ffe26b68 100644 --- a/staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go +++ b/staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go @@ -31,7 +31,7 @@ const ( // Checker exposes methods for checking the policy rules. type Checker interface { // Check the audit level for a request with the given authorizer attributes. - Level(authorizer.Attributes) audit.Level + LevelAndStages(authorizer.Attributes) (audit.Level, []audit.Stage) } // NewChecker creates a new policy checker. 
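Review bot: The comment on the `Checker` interface method still reads `// Check the audit level for a request ...`, and neither the name `LevelAndStages` nor the comment says that the returned stages are the ones to omit. A caller reading only the signature could treat the slice as the stages to emit, which inverts the policy. Suggest `// LevelAndStages returns the audit level and the stages to omit for a request with the given authorizer attributes.` The same applies to `FakeChecker` in the next hunk, where the parameter and the struct field are named `stage` and the doc comment still mentions only a constant level; `omitStages` would match the rest of the change.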
@@ -40,21 +40,21 @@ func NewChecker(policy *audit.Policy) Checker { } // FakeChecker creates a checker that returns a constant level for all requests (for testing). -func FakeChecker(level audit.Level) Checker { - return &fakeChecker{level} +func FakeChecker(level audit.Level, stage []audit.Stage) Checker { + return &fakeChecker{level, stage} } type policyChecker struct { audit.Policy } -func (p *policyChecker) Level(attrs authorizer.Attributes) audit.Level { +func (p *policyChecker) LevelAndStages(attrs authorizer.Attributes) (audit.Level, []audit.Stage) { for _, rule := range p.Rules { if ruleMatches(&rule, attrs) { - return rule.Level + return rule.Level, rule.OmitStages } } - return DefaultAuditLevel + return DefaultAuditLevel, nil } // Check whether the rule matches the request attrs. @@ -181,8 +181,9 @@ func hasString(slice []string, value string) bool { type fakeChecker struct { level audit.Level + stage []audit.Stage } -func (f *fakeChecker) Level(_ authorizer.Attributes) audit.Level { - return f.level +func (f *fakeChecker) LevelAndStages(_ authorizer.Attributes) (audit.Level, []audit.Stage) { + return f.level, f.stage } diff --git a/staging/src/k8s.io/apiserver/pkg/audit/policy/checker_test.go b/staging/src/k8s.io/apiserver/pkg/audit/policy/checker_test.go index 015e23beb7e..d6cc5f09171 100644 --- a/staging/src/k8s.io/apiserver/pkg/audit/policy/checker_test.go +++ b/staging/src/k8s.io/apiserver/pkg/audit/policy/checker_test.go 
@@ -136,59 +136,80 @@ func TestChecker(t *testing.T) { ResourceNames: []string{"edit"}, }}, }, + "omit RequestReceived": { + Level: audit.LevelRequest, + OmitStages: []audit.Stage{ + audit.StageRequestReceived, + }, + }, + "only audit panic": { + Level: audit.LevelRequest, + OmitStages: []audit.Stage{ + audit.StageRequestReceived, + audit.StageResponseStarted, + audit.StageResponseComplete, + }, + }, } - test := func(req string, expected audit.Level, ruleNames ...string) { + test := func(req string, expLevel audit.Level, expOmitStages []audit.Stage, ruleNames ...string) { policy := audit.Policy{} for _, rule := range ruleNames { require.Contains(t, rules, rule) policy.Rules = append(policy.Rules, rules[rule]) } require.Contains(t, attrs, req) - actual := NewChecker(&policy).Level(attrs[req]) - assert.Equal(t, expected, actual, "request:%s rules:%s", req, strings.Join(ruleNames, ",")) + actualLevel, actualOmitStages := NewChecker(&policy).LevelAndStages(attrs[req]) + assert.Equal(t, expLevel, actualLevel, "request:%s rules:%s", req, strings.Join(ruleNames, ",")) + assert.Equal(t, expOmitStages, actualOmitStages, "request:%s rules:%s", req, strings.Join(ruleNames, ",")) } - test("namespaced", audit.LevelMetadata, "default") - test("namespaced", audit.LevelNone, "create") - test("namespaced", audit.LevelMetadata, "tims") - test("namespaced", audit.LevelMetadata, "humans") - test("namespaced", audit.LevelNone, "serviceAccounts") - test("namespaced", audit.LevelRequestResponse, "getPods") - test("namespaced", audit.LevelNone, "getClusterRoles") - test("namespaced", audit.LevelNone, "getLogs") - test("namespaced", audit.LevelNone, "getMetrics") - test("namespaced", audit.LevelMetadata, "getMetrics", "serviceAccounts", "default") - test("namespaced", audit.LevelRequestResponse, "getMetrics", "getPods", "default") - test("namespaced", audit.LevelRequestResponse, "getPodLogs", "getPods") + test("namespaced", audit.LevelMetadata, nil, "default") + test("namespaced", 
audit.LevelNone, nil, "create") + test("namespaced", audit.LevelMetadata, nil, "tims") + test("namespaced", audit.LevelMetadata, nil, "humans") + test("namespaced", audit.LevelNone, nil, "serviceAccounts") + test("namespaced", audit.LevelRequestResponse, nil, "getPods") + test("namespaced", audit.LevelNone, nil, "getClusterRoles") + test("namespaced", audit.LevelNone, nil, "getLogs") + test("namespaced", audit.LevelNone, nil, "getMetrics") + test("namespaced", audit.LevelMetadata, nil, "getMetrics", "serviceAccounts", "default") + test("namespaced", audit.LevelRequestResponse, nil, "getMetrics", "getPods", "default") + test("namespaced", audit.LevelRequestResponse, nil, "getPodLogs", "getPods") + test("namespaced", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived}, "omit RequestReceived", "getPods", "default") + test("namespaced", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived, audit.StageResponseStarted, audit.StageResponseComplete}, "only audit panic", "getPods", "default") - test("cluster", audit.LevelMetadata, "default") - test("cluster", audit.LevelNone, "create") - test("cluster", audit.LevelMetadata, "tims") - test("cluster", audit.LevelMetadata, "humans") - test("cluster", audit.LevelNone, "serviceAccounts") - test("cluster", audit.LevelNone, "getPods") - test("cluster", audit.LevelRequestResponse, "getClusterRoles") - test("cluster", audit.LevelRequest, "clusterRoleEdit", "getClusterRoles") - test("cluster", audit.LevelNone, "getLogs") - test("cluster", audit.LevelNone, "getMetrics") - test("cluster", audit.LevelMetadata, "getMetrics", "serviceAccounts", "default") - test("cluster", audit.LevelRequestResponse, "getMetrics", "getClusterRoles", "default") - test("cluster", audit.LevelNone, "getPodLogs", "getPods") + test("cluster", audit.LevelMetadata, nil, "default") + test("cluster", audit.LevelNone, nil, "create") + test("cluster", audit.LevelMetadata, nil, "tims") + test("cluster", audit.LevelMetadata, nil, "humans") + 
test("cluster", audit.LevelNone, nil, "serviceAccounts") + test("cluster", audit.LevelNone, nil, "getPods") + test("cluster", audit.LevelRequestResponse, nil, "getClusterRoles") + test("cluster", audit.LevelRequest, nil, "clusterRoleEdit", "getClusterRoles") + test("cluster", audit.LevelNone, nil, "getLogs") + test("cluster", audit.LevelNone, nil, "getMetrics") + test("cluster", audit.LevelMetadata, nil, "getMetrics", "serviceAccounts", "default") + test("cluster", audit.LevelRequestResponse, nil, "getMetrics", "getClusterRoles", "default") + test("cluster", audit.LevelNone, nil, "getPodLogs", "getPods") + test("cluster", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived}, "omit RequestReceived", "getPods", "default") + test("cluster", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived, audit.StageResponseStarted, audit.StageResponseComplete}, "only audit panic", "getPods", "default") - test("nonResource", audit.LevelMetadata, "default") - test("nonResource", audit.LevelNone, "create") - test("nonResource", audit.LevelMetadata, "tims") - test("nonResource", audit.LevelMetadata, "humans") - test("nonResource", audit.LevelNone, "serviceAccounts") - test("nonResource", audit.LevelNone, "getPods") - test("nonResource", audit.LevelNone, "getClusterRoles") - test("nonResource", audit.LevelRequestResponse, "getLogs") - test("nonResource", audit.LevelNone, "getMetrics") - test("nonResource", audit.LevelMetadata, "getMetrics", "serviceAccounts", "default") - test("nonResource", audit.LevelRequestResponse, "getLogs", "getClusterRoles", "default") - test("nonResource", audit.LevelNone, "getPodLogs", "getPods") + test("nonResource", audit.LevelMetadata, nil, "default") + test("nonResource", audit.LevelNone, nil, "create") + test("nonResource", audit.LevelMetadata, nil, "tims") + test("nonResource", audit.LevelMetadata, nil, "humans") + test("nonResource", audit.LevelNone, nil, "serviceAccounts") + test("nonResource", audit.LevelNone, nil, "getPods") + 
test("nonResource", audit.LevelNone, nil, "getClusterRoles") + test("nonResource", audit.LevelRequestResponse, nil, "getLogs") + test("nonResource", audit.LevelNone, nil, "getMetrics") + test("nonResource", audit.LevelMetadata, nil, "getMetrics", "serviceAccounts", "default") + test("nonResource", audit.LevelRequestResponse, nil, "getLogs", "getClusterRoles", "default") + test("nonResource", audit.LevelNone, nil, "getPodLogs", "getPods") + test("nonResource", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived}, "omit RequestReceived", "getPods", "default") + test("nonResource", audit.LevelRequest, []audit.Stage{audit.StageRequestReceived, audit.StageResponseStarted, audit.StageResponseComplete}, "only audit panic", "getPods", "default") - test("subresource", audit.LevelRequest, "getPodLogs", "getPods") - test("subresource", audit.LevelRequest, "getPods", "getPodLogs") + test("subresource", audit.LevelRequest, nil, "getPodLogs", "getPods") + test("subresource", audit.LevelRequest, nil, "getPods", "getPodLogs") } diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/apiserver_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/apiserver_test.go index 4847a593408..ee553869147 100644 --- a/staging/src/k8s.io/apiserver/pkg/endpoints/apiserver_test.go +++ b/staging/src/k8s.io/apiserver/pkg/endpoints/apiserver_test.go @@ -331,7 +331,7 @@ func handleInternal(storage map[string]rest.Storage, admissionControl admission. } } - handler := genericapifilters.WithAudit(mux, requestContextMapper, auditSink, auditpolicy.FakeChecker(auditinternal.LevelRequestResponse), func(r *http.Request, requestInfo *request.RequestInfo) bool { + handler := genericapifilters.WithAudit(mux, requestContextMapper, auditSink, auditpolicy.FakeChecker(auditinternal.LevelRequestResponse, nil), func(r *http.Request, requestInfo *request.RequestInfo) bool { // simplified long-running check return requestInfo.Verb == "watch" || requestInfo.Verb == "proxy" }) 
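Review bot: Every new `test(...)` call in TestChecker lists the rule carrying `OmitStages` first, and both new rules set only `Level` and `OmitStages`, so the cases never show that the returned stages come from the rule that matched rather than from an earlier one. Presumably a rule with no selectors matches every request; `ruleMatches` is outside the hunk. A case where a rule that restricts by resource and also sets `OmitStages` is placed ahead of a matching rule without it, expecting `nil` for the stages, would pin that behaviour. The map of rules and the `attrs` fixtures begin outside the hunk.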
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go index 39813ea98cd..78849c66bb8 100644 --- a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go +++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go @@ -42,7 +42,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext return handler } return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - ctx, ev, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy) + ctx, ev, omitStages, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy) if err != nil { utilruntime.HandleError(fmt.Errorf("failed to create audit event: %v", err)) responsewriters.InternalError(w, req, errors.New("failed to create audit event")) @@ -54,7 +54,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext } ev.Stage = auditinternal.StageRequestReceived - processAuditEvent(sink, ev) + processAuditEvent(sink, ev, omitStages) // intercept the status code var longRunningSink audit.Sink @@ -64,7 +64,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext longRunningSink = sink } } - respWriter := decorateResponseWriter(w, ev, longRunningSink) + respWriter := decorateResponseWriter(w, ev, longRunningSink, omitStages) // send audit event when we leave this func, either via a panic or cleanly. In the case of long // running requests, this will be the second audit event. @@ -78,7 +78,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext Reason: metav1.StatusReasonInternalError, Message: fmt.Sprintf("APIServer panic'd: %v", r), } - processAuditEvent(sink, ev) + processAuditEvent(sink, ev, omitStages) return } 
@@ -92,14 +92,14 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext if ev.ResponseStatus == nil && longRunningSink != nil { ev.ResponseStatus = fakedSuccessStatus ev.Stage = auditinternal.StageResponseStarted - processAuditEvent(longRunningSink, ev) + processAuditEvent(longRunningSink, ev, omitStages) } ev.Stage = auditinternal.StageResponseComplete if ev.ResponseStatus == nil { ev.ResponseStatus = fakedSuccessStatus } - processAuditEvent(sink, ev) + processAuditEvent(sink, ev, omitStages) }() handler.ServeHTTP(respWriter, req) }) 
@@ -110,47 +110,53 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext // - context with audit event attached to it // - created audit event // - error if anything bad happened -func createAuditEventAndAttachToContext(requestContextMapper request.RequestContextMapper, req *http.Request, policy policy.Checker) (request.Context, *auditinternal.Event, error) { +func createAuditEventAndAttachToContext(requestContextMapper request.RequestContextMapper, req *http.Request, policy policy.Checker) (request.Context, *auditinternal.Event, []auditinternal.Stage, error) { ctx, ok := requestContextMapper.Get(req) if !ok { - return nil, nil, fmt.Errorf("no context found for request") + return nil, nil, nil, fmt.Errorf("no context found for request") } attribs, err := GetAuthorizerAttributes(ctx) if err != nil { - return nil, nil, fmt.Errorf("failed to GetAuthorizerAttributes: %v", err) + return nil, nil, nil, fmt.Errorf("failed to GetAuthorizerAttributes: %v", err) } - level := policy.Level(attribs) + level, omitStages := policy.LevelAndStages(attribs) audit.ObservePolicyLevel(level) if level == auditinternal.LevelNone { // Don't audit. 
- return nil, nil, nil + return nil, nil, nil, nil } ev, err := audit.NewEventFromRequest(req, level, attribs) if err != nil { - return nil, nil, fmt.Errorf("failed to complete audit event from request: %v", err) + return nil, nil, nil, fmt.Errorf("failed to complete audit event from request: %v", err) } ctx = request.WithAuditEvent(ctx, ev) if err := requestContextMapper.Update(req, ctx); err != nil { - return nil, nil, fmt.Errorf("failed to attach audit event to context: %v", err) + return nil, nil, nil, fmt.Errorf("failed to attach audit event to context: %v", err) } - return ctx, ev, nil + return ctx, ev, omitStages, nil } -func processAuditEvent(sink audit.Sink, ev *auditinternal.Event) { +func processAuditEvent(sink audit.Sink, ev *auditinternal.Event, omitStages []auditinternal.Stage) { + for _, stage := range omitStages { + if ev.Stage == stage { + return + } + } audit.ObserveEvent() sink.ProcessEvents(ev) } -func decorateResponseWriter(responseWriter http.ResponseWriter, ev *auditinternal.Event, sink audit.Sink) http.ResponseWriter { +func decorateResponseWriter(responseWriter http.ResponseWriter, ev *auditinternal.Event, sink audit.Sink, omitStages []auditinternal.Stage) http.ResponseWriter { delegate := &auditResponseWriter{ ResponseWriter: responseWriter, event: ev, sink: sink, + omitStages: omitStages, } // check if the ResponseWriter we're wrapping is the fancy one we need @@ -170,9 +176,10 @@ var _ http.ResponseWriter = &auditResponseWriter{} // create immediately an event (for long running requests). type auditResponseWriter struct { http.ResponseWriter - event *auditinternal.Event - once sync.Once - sink audit.Sink + event *auditinternal.Event + once sync.Once + sink audit.Sink + omitStages []auditinternal.Stage } func (a *auditResponseWriter) setHttpHeader() { 
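Review bot: The comment block above `createAuditEventAndAttachToContext` still lists three return values; the new `[]auditinternal.Stage` result should be added, e.g. `// - stages for which no event is emitted`. In `processAuditEvent` the early return sits above `audit.ObserveEvent()`, so an event dropped because of `omitStages` leaves no count. A comment such as `// events for omitted stages are dropped before metrics and the sink` would make that explicit for anyone reconciling audit volume against request volume. The comment block begins outside the hunk.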
@@ -188,7 +195,7 @@ func (a *auditResponseWriter) processCode(code int) { a.event.Stage = auditinternal.StageResponseStarted if a.sink != nil { - processAuditEvent(a.sink, a.event) + processAuditEvent(a.sink, a.event, a.omitStages) } }) } diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit_test.go index 852fa916fd9..bfac84f8fa4 100644 --- a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit_test.go +++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit_test.go @@ -98,14 +98,14 @@ func (*fancyResponseWriter) Flush() {} func (*fancyResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) { return nil, nil, nil } func TestConstructResponseWriter(t *testing.T) { - actual := decorateResponseWriter(&simpleResponseWriter{}, nil, nil) + actual := decorateResponseWriter(&simpleResponseWriter{}, nil, nil, nil) switch v := actual.(type) { case *auditResponseWriter: default: t.Errorf("Expected auditResponseWriter, got %v", reflect.TypeOf(v)) } - actual = decorateResponseWriter(&fancyResponseWriter{}, nil, nil) + actual = decorateResponseWriter(&fancyResponseWriter{}, nil, nil, nil) switch v := actual.(type) { case *fancyResponseWriterDelegator: default: @@ -115,7 +115,7 @@ func TestConstructResponseWriter(t *testing.T) { func TestDecorateResponseWriterWithoutChannel(t *testing.T) { ev := &auditinternal.Event{} - actual := decorateResponseWriter(&simpleResponseWriter{}, ev, nil) + actual := decorateResponseWriter(&simpleResponseWriter{}, ev, nil, nil) // write status. This will not block because firstEventSentCh is nil actual.WriteHeader(42) 
@@ -129,7 +129,7 @@ func TestDecorateResponseWriterWithoutChannel(t *testing.T) { func TestDecorateResponseWriterWithImplicitWrite(t *testing.T) { ev := &auditinternal.Event{} - actual := decorateResponseWriter(&simpleResponseWriter{}, ev, nil) + actual := decorateResponseWriter(&simpleResponseWriter{}, ev, nil, nil) // write status. This will not block because firstEventSentCh is nil actual.Write([]byte("foo")) @@ -144,7 +144,7 @@ func TestDecorateResponseWriterWithImplicitWrite(t *testing.T) { func TestDecorateResponseWriterChannel(t *testing.T) { sink := &fakeAuditSink{} ev := &auditinternal.Event{} - actual := decorateResponseWriter(&simpleResponseWriter{}, ev, sink) + actual := decorateResponseWriter(&simpleResponseWriter{}, ev, sink, nil) done := make(chan struct{}) go func() { @@ -203,17 +203,19 @@ func TestAuditLegacy(t *testing.T) { delay := 500 * time.Millisecond for _, test := range []struct { - desc string - path string - verb string - handler func(http.ResponseWriter, *http.Request) - expected []string + desc string + path string + verb string + omitStages []auditinternal.Stage + handler func(http.ResponseWriter, *http.Request) + expected []string }{ // short running requests with read-only verb { "read-only empty", shortRunningPath, "GET", + nil, func(http.ResponseWriter, *http.Request) {}, []string{ readOnlyShortRunningPrefix(auditinternal.StageRequestReceived) + ` response=""`, @@ -224,6 +226,7 @@ func TestAuditLegacy(t *testing.T) { "read-only panic", shortRunningPath, "GET", + nil, func(w http.ResponseWriter, req *http.Request) { panic("kaboom") }, @@ -238,6 +241,7 @@ func TestAuditLegacy(t *testing.T) { "writing empty", shortRunningPath, "PUT", + nil, func(http.ResponseWriter, *http.Request) {}, []string{ writingShortRunningPrefix(auditinternal.StageRequestReceived) + ` response=""`, 
@@ -248,6 +252,7 @@ func TestAuditLegacy(t *testing.T) { "writing sleep", shortRunningPath, "PUT", + nil, func(http.ResponseWriter, *http.Request) { time.Sleep(delay) }, @@ -260,6 +265,7 @@ func TestAuditLegacy(t *testing.T) { "writing 403+write", shortRunningPath, "PUT", + nil, func(w http.ResponseWriter, req *http.Request) { w.WriteHeader(403) w.Write([]byte("foo")) @@ -273,6 +279,7 @@ func TestAuditLegacy(t *testing.T) { "writing panic", shortRunningPath, "PUT", + nil, func(w http.ResponseWriter, req *http.Request) { panic("kaboom") }, @@ -285,6 +292,7 @@ func TestAuditLegacy(t *testing.T) { "writing write+panic", shortRunningPath, "PUT", + nil, func(w http.ResponseWriter, req *http.Request) { w.Write([]byte("foo")) panic("kaboom") @@ -300,6 +308,7 @@ func TestAuditLegacy(t *testing.T) { "empty longrunning", longRunningPath, "GET", + nil, func(http.ResponseWriter, *http.Request) {}, []string{ longRunningPrefix(auditinternal.StageRequestReceived) + ` response=""`, @@ -311,6 +320,7 @@ func TestAuditLegacy(t *testing.T) { "sleep longrunning", longRunningPath, "GET", + nil, func(http.ResponseWriter, *http.Request) { time.Sleep(delay) }, @@ -324,6 +334,7 @@ func TestAuditLegacy(t *testing.T) { "sleep+403 longrunning", longRunningPath, "GET", + nil, func(w http.ResponseWriter, req *http.Request) { time.Sleep(delay) w.WriteHeader(403) @@ -338,6 +349,7 @@ func TestAuditLegacy(t *testing.T) { "write longrunning", longRunningPath, "GET", + nil, func(w http.ResponseWriter, req *http.Request) { w.Write([]byte("foo")) }, @@ -351,6 +363,7 @@ func TestAuditLegacy(t *testing.T) { "403+write longrunning", longRunningPath, "GET", + nil, func(w http.ResponseWriter, req *http.Request) { w.WriteHeader(403) w.Write([]byte("foo")) @@ -365,6 +378,7 @@ func TestAuditLegacy(t *testing.T) { "panic longrunning", longRunningPath, "GET", + nil, func(w http.ResponseWriter, req *http.Request) { panic("kaboom") }, 
@@ -377,6 +391,7 @@ func TestAuditLegacy(t *testing.T) { "write+panic longrunning", longRunningPath, "GET", + nil, func(w http.ResponseWriter, req *http.Request) { w.Write([]byte("foo")) panic("kaboom") @@ -387,10 +402,33 @@ func TestAuditLegacy(t *testing.T) { longRunningPrefix(auditinternal.StagePanic) + ` response="500"`, }, }, + { + "omit RequestReceived", + shortRunningPath, + "GET", + []auditinternal.Stage{auditinternal.StageRequestReceived}, + func(http.ResponseWriter, *http.Request) {}, + []string{ + readOnlyShortRunningPrefix(auditinternal.StageResponseComplete) + ` response="200"`, + }, + }, + { + "emit painc only", + longRunningPath, + "GET", + []auditinternal.Stage{auditinternal.StageRequestReceived, auditinternal.StageResponseStarted, auditinternal.StageResponseComplete}, + func(w http.ResponseWriter, req *http.Request) { + w.Write([]byte("foo")) + panic("kaboom") + }, + []string{ + longRunningPrefix(auditinternal.StagePanic) + ` response="500"`, + }, + }, } { var buf bytes.Buffer backend := pluginlog.NewBackend(&buf, pluginlog.FormatLegacy, auditv1beta1.SchemeGroupVersion) - policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse) + policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, test.omitStages) handler := WithAudit(http.HandlerFunc(test.handler), &fakeRequestContextMapper{ user: &user.DefaultInfo{Name: "admin"}, }, backend, policyChecker, func(r *http.Request, ri *request.RequestInfo) bool { @@ -440,6 +478,7 @@ func TestAuditJson(t *testing.T) { path string verb string auditID string + omitStages []auditinternal.Stage handler func(http.ResponseWriter, *http.Request) expected []auditv1beta1.Event respHeader bool @@ -450,6 +489,7 @@ func TestAuditJson(t *testing.T) { shortRunningPath, "GET", "", + nil, func(http.ResponseWriter, *http.Request) {}, []auditv1beta1.Event{ { 
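Review bot: The description of the second new case in TestAuditLegacy reads `"emit painc only"`; it should be `"emit panic only"`. Neither added case lists `StagePanic` in `omitStages`, so the filter is never exercised with a match on the panic path of `WithAudit`. A case that omits `StagePanic` with a panicking handler, expecting only the `RequestReceived` line for a short-running request, would cover it. The loop body that runs each case continues outside the hunk.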
@@ -471,6 +511,7 @@ func TestAuditJson(t *testing.T) { shortRunningPath, "GET", uuid.NewRandom().String(), + nil, func(w http.ResponseWriter, req *http.Request) { w.Write([]byte("foo")) }, @@ -494,6 +535,7 @@ func TestAuditJson(t *testing.T) { shortRunningPath, "GET", "", + nil, func(w http.ResponseWriter, req *http.Request) { panic("kaboom") }, @@ -518,6 +560,7 @@ func TestAuditJson(t *testing.T) { shortRunningPath, "PUT", "", + nil, func(http.ResponseWriter, *http.Request) {}, []auditv1beta1.Event{ { @@ -539,6 +582,7 @@ func TestAuditJson(t *testing.T) { shortRunningPath, "PUT", "", + nil, func(w http.ResponseWriter, req *http.Request) { w.Write([]byte("foo")) time.Sleep(delay) @@ -563,6 +607,7 @@ func TestAuditJson(t *testing.T) { shortRunningPath, "PUT", "", + nil, func(w http.ResponseWriter, req *http.Request) { w.WriteHeader(403) w.Write([]byte("foo")) @@ -587,6 +632,7 @@ func TestAuditJson(t *testing.T) { shortRunningPath, "PUT", "", + nil, func(w http.ResponseWriter, req *http.Request) { panic("kaboom") }, @@ -610,6 +656,7 @@ func TestAuditJson(t *testing.T) { shortRunningPath, "PUT", "", + nil, func(w http.ResponseWriter, req *http.Request) { w.Write([]byte("foo")) panic("kaboom") @@ -635,6 +682,7 @@ func TestAuditJson(t *testing.T) { longRunningPath, "GET", "", + nil, func(http.ResponseWriter, *http.Request) {}, []auditv1beta1.Event{ { @@ -662,6 +710,7 @@ func TestAuditJson(t *testing.T) { longRunningPath, "GET", uuid.NewRandom().String(), + nil, func(w http.ResponseWriter, req *http.Request) { w.Write([]byte("foo")) }, @@ -691,6 +740,7 @@ func TestAuditJson(t *testing.T) { longRunningPath, "GET", "", + nil, func(http.ResponseWriter, *http.Request) { time.Sleep(delay) }, @@ -720,6 +770,7 @@ func TestAuditJson(t *testing.T) { longRunningPath, "GET", "", + nil, func(w http.ResponseWriter, req *http.Request) { time.Sleep(delay) w.WriteHeader(403) 
@@ -750,6 +801,7 @@ func TestAuditJson(t *testing.T) { longRunningPath, "GET", "", + nil, func(w http.ResponseWriter, req *http.Request) { w.Write([]byte("foo")) }, @@ -779,6 +831,7 @@ func TestAuditJson(t *testing.T) { longRunningPath, "GET", "", + nil, func(w http.ResponseWriter, req *http.Request) { w.WriteHeader(403) w.Write([]byte("foo")) @@ -809,6 +862,7 @@ func TestAuditJson(t *testing.T) { longRunningPath, "GET", "", + nil, func(w http.ResponseWriter, req *http.Request) { panic("kaboom") }, @@ -832,6 +886,7 @@ func TestAuditJson(t *testing.T) { longRunningPath, "GET", "", + nil, func(w http.ResponseWriter, req *http.Request) { w.Write([]byte("foo")) panic("kaboom") 
@@ -857,10 +912,49 @@ func TestAuditJson(t *testing.T) { }, true, }, + { + "omit RequestReceived", + shortRunningPath, + "GET", + "", + []auditinternal.Stage{auditinternal.StageRequestReceived}, + func(w http.ResponseWriter, req *http.Request) { + w.Write([]byte("foo")) + }, + []auditv1beta1.Event{ + { + Stage: auditinternal.StageResponseComplete, + Verb: "get", + RequestURI: shortRunningPath, + ResponseStatus: &metav1.Status{Code: 200}, + }, + }, + true, + }, + { + "emit Panic only", + longRunningPath, + "GET", + "", + []auditinternal.Stage{auditinternal.StageRequestReceived, auditinternal.StageResponseStarted, auditinternal.StageResponseComplete}, + func(w http.ResponseWriter, req *http.Request) { + w.Write([]byte("foo")) + panic("kaboom") + }, + []auditv1beta1.Event{ + { + Stage: auditinternal.StagePanic, + Verb: "watch", + RequestURI: longRunningPath, + ResponseStatus: &metav1.Status{Code: 500}, + }, + }, + true, + }, } { var buf bytes.Buffer backend := pluginlog.NewBackend(&buf, pluginlog.FormatJson, auditv1beta1.SchemeGroupVersion) - policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse) + policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, test.omitStages) handler := WithAudit(http.HandlerFunc(test.handler), &fakeRequestContextMapper{ user: &user.DefaultInfo{Name: "admin"}, }, backend, policyChecker, func(r *http.Request, ri *request.RequestInfo) bool { @@ -964,7 +1058,7 @@ func (*fakeRequestContextMapper) Update(req *http.Request, context request.Conte } func TestAuditNoPanicOnNilUser(t *testing.T) { - policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse) + policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, nil) handler := WithAudit(&fakeHTTPHandler{}, &fakeRequestContextMapper{}, &fakeAuditSink{}, policyChecker, nil) req, _ := http.NewRequest("GET", "/api/v1/namespaces/default/pods", nil) req.RemoteAddr = "127.0.0.1" 
@@ -977,7 +1071,7 @@ func TestAuditLevelNone(t *testing.T) { handler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(200) }) - policyChecker := policy.FakeChecker(auditinternal.LevelNone) + policyChecker := policy.FakeChecker(auditinternal.LevelNone, nil) handler = WithAudit(handler, &fakeRequestContextMapper{ user: &user.DefaultInfo{Name: "admin"}, }, sink, policyChecker, nil) diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit.go index a3c192f79fa..86aca9872c7 100644 --- a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit.go +++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit.go @@ -38,7 +38,7 @@ func WithFailedAuthenticationAudit(failedHandler http.Handler, requestContextMap return failedHandler } return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - _, ev, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy) + _, ev, omitStages, err := createAuditEventAndAttachToContext(requestContextMapper, req, policy) if err != nil { utilruntime.HandleError(fmt.Errorf("failed to create audit event: %v", err)) responsewriters.InternalError(w, req, errors.New("failed to create audit event")) @@ -53,7 +53,7 @@ func WithFailedAuthenticationAudit(failedHandler http.Handler, requestContextMap ev.ResponseStatus.Message = getAuthMethods(req) ev.Stage = auditinternal.StageResponseStarted - rw := decorateResponseWriter(w, ev, sink) + rw := decorateResponseWriter(w, ev, sink, omitStages) failedHandler.ServeHTTP(rw, req) }) } diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit_test.go index fb9eeebf6b3..a320a977d89 100644 --- a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit_test.go +++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit_test.go 
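Review bot: Passing `omitStages` to `decorateResponseWriter` in WithFailedAuthenticationAudit lets a policy rule that omits ResponseStarted drop what appears to be the only audit event this handler emits, because the stage is fixed by `ev.Stage = auditinternal.StageResponseStarted` two lines above the call. TestFailedAuthnAuditOmitted in authn_audit_test.go pins exactly that result: zero events for a 401. Failed-authentication records are what operators use to notice repeated bad-credential attempts, so the trade-off should be spelled out where it happens, for example `// NOTE: a policy that omits StageResponseStarted suppresses failed-authentication audit events entirely.` above the `decorateResponseWriter` call, with a matching sentence in the OmitStages field comment in types.go. The handler body begins before and continues past the visible hunks.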
@@ -30,7 +30,7 @@ import ( func TestFailedAuthnAudit(t *testing.T) { sink := &fakeAuditSink{} - policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse) + policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, nil) handler := WithFailedAuthenticationAudit( http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusUnauthorized) @@ -61,7 +61,7 @@ func TestFailedAuthnAudit(t *testing.T) { func TestFailedMultipleAuthnAudit(t *testing.T) { sink := &fakeAuditSink{} - policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse) + policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, nil) handler := WithFailedAuthenticationAudit( http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusUnauthorized) @@ -93,7 +93,7 @@ func TestFailedMultipleAuthnAudit(t *testing.T) { func TestFailedAuthnAuditWithoutAuthorization(t *testing.T) { sink := &fakeAuditSink{} - policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse) + policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, nil) handler := WithFailedAuthenticationAudit( http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusUnauthorized) 
@@ -120,3 +120,20 @@ func TestFailedAuthnAuditWithoutAuthorization(t *testing.T) { t.Errorf("Unexpected user, expected /api/v1/namespaces/default/pods, got %s", ev.RequestURI) } } + +func TestFailedAuthnAuditOmitted(t *testing.T) { + sink := &fakeAuditSink{} + policyChecker := policy.FakeChecker(auditinternal.LevelRequestResponse, []auditinternal.Stage{auditinternal.StageResponseStarted}) + handler := WithFailedAuthenticationAudit( + http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusUnauthorized) + }), + &fakeRequestContextMapper{}, sink, policyChecker) + req, _ := http.NewRequest("GET", "/api/v1/namespaces/default/pods", nil) + req.RemoteAddr = "127.0.0.1" + handler.ServeHTTP(httptest.NewRecorder(), req) + + if len(sink.events) != 0 { + t.Fatalf("Unexpected number of audit events generated, expected 0, got: %d", len(sink.events)) + } +}
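Review bot: TestFailedAuthnAuditOmitted checks only `len(sink.events) != 0`, so it would still pass if the wrapped handler never ran or the request were rejected earlier. Keep the recorder and assert the response too: `rec := httptest.NewRecorder()`, `handler.ServeHTTP(rec, req)`, then `if rec.Code != http.StatusUnauthorized { t.Errorf("expected 401, got %d", rec.Code) }`. That shows the 401 still reaches the client while the audit event is omitted, which is the behaviour the test name promises. The error from `http.NewRequest` is discarded with `_`; that matches the sibling tests, but a `t.Fatal` on it would be safer.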