github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 22:17:14 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #95387 from JAORMX/logperms

Browse Source 
Ensure audit log permissions are restricted
This commit is contained in:
Kubernetes Prow Robot 2021-04-26 11:51:17 -07:00 committed by GitHub
commit b81a36021f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 21 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
staging/src/k8s.io/apiserver/pkg/server/options/audit.go
View File

@ -297,7 +297,11 @@ func (o *AuditOptions) ApplyTo(
// 2. Build log backend
var logBackend audit.Backend
if w := o.LogOptions.getWriter(); w != nil {
w, err := o.LogOptions.getWriter()
if err != nil {
return err
}
if w != nil {
if checker == nil {
klog.V(2).Info("No audit policy file provided, no events will be recorded for log backend")
} else {
@ -502,9 +506,13 @@ func (o *AuditLogOptions) enabled() bool {
return o != nil && o.Path != ""
}
func (o *AuditLogOptions) getWriter() io.Writer {
func (o *AuditLogOptions) getWriter() (io.Writer, error) {
if !o.enabled() {
return nil
return nil, nil
}
if err := o.ensureLogFile(); err != nil {
return nil, err
}
var w io.Writer = os.Stdout
@ -517,7 +525,16 @@ func (o *AuditLogOptions) getWriter() io.Writer {
Compress: o.Compress,
}
}
return w
return w, nil
}
func (o *AuditLogOptions) ensureLogFile() error {
mode := os.FileMode(0600)
f, err := os.OpenFile(o.Path, os.O_CREATE|os.O_APPEND|os.O_RDWR, mode)
if err != nil {
return err
}
return f.Close()
}
func (o *AuditLogOptions) newBackend(w io.Writer) audit.Backend {