Merge pull request #46548 from timstclair/audit-policy

Automatic merge from submit-queue

Fix audit level none

... and add a testcase for it

https://github.com/kubernetes/features/issues/22

/cc @sttts @ericchiang

staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit.go

@@ -71,6 +71,7 @@ func WithAudit(handler http.Handler, requestContextMapper request.RequestContext
 		if level == auditinternal.LevelNone {
 			// Don't audit.
 			handler.ServeHTTP(w, req)
+			return
 		}
 
 		ev, err := audit.NewEventFromRequest(req, level, attribs)

staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit_test.go

@@ -333,15 +333,12 @@ func TestAudit(t *testing.T) {
 		req, _ := http.NewRequest("GET", test.path, nil)
 		req.RemoteAddr = "127.0.0.1"
 
-		done := make(chan struct{})
-		go func() {
+		func() {
 			defer func() {
 				recover()
-				close(done)
 			}()
 			handler.ServeHTTP(httptest.NewRecorder(), req)
 		}()
-		<-done
 
 		t.Logf("[%s] audit log: %v", test.desc, buf.String())
 
@@ -394,3 +391,23 @@ func TestAuditNoPanicOnNilUser(t *testing.T) {
 	req.RemoteAddr = "127.0.0.1"
 	handler.ServeHTTP(httptest.NewRecorder(), req)
 }
+
+func TestAuditLevelNone(t *testing.T) {
+	sink := &fakeAuditSink{}
+	var handler http.Handler
+	handler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(200)
+	})
+	policyChecker := policy.FakeChecker(auditinternal.LevelNone)
+	handler = WithAudit(handler, &fakeRequestContextMapper{
+		user: &user.DefaultInfo{Name: "admin"},
+	}, sink, policyChecker, nil)
+
+	req, _ := http.NewRequest("GET", "/api/v1/namespaces/default/pods", nil)
+	req.RemoteAddr = "127.0.0.1"
+
+	handler.ServeHTTP(httptest.NewRecorder(), req)
+	if len(sink.events) > 0 {
+		t.Errorf("Generated events, but should not have: %#v", sink.events)
+	}
+}